PCI
Please note: the following article is only opinion, and should not be relied upon as “official”. Official PCI DSS information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
What is PCI?
The PCI Data Security Standards (PCI DSS, or sometimes just PCI) are a set of best practices designed to protect cardholder data and prevent fraud. Any retailer who accepts credit cards must uphold the PCI rules as part of their account agreement.
You can read the full PCI Agreements by providing your name and company name, or you can read a summary of PCI DSS on Wikipedia.
What is PCI DSS 4.0?
PCI DSS 4.0 is the latest version of the standard, which came into effect March 31, 2004.
Am I subject to PCI DSS rules?
If you process credit cards, you are subject to PCI rules.
How do I reduce my exposure to PCI DSS risk?
As a general rule, the less handling of credit cards your site does, the better. Payment by PayPal Express, for example, happens completely off your site. Modules like PayPal RESTful handle card data but use modern techniques to minimize the transmission of this data. Modules like Authorize.net AIM handle and transmit credit card data, and their use may necessitate a PCI compliance scan if your processor requests one.
What is a PCI Compliance Scan?
A PCI Compliance Scan is a probe of your website that looks for potential issues that could create security vulnerabilities. If your payment processor wants you to do a PCI Scan, they will tell you the specifics they want, and typically refer you to one or two specific services.
Be cautious about unsolicited email from PCI Scan providers telling you your site is not secure and that you need their services. Again, let the requirements of your payment processor guide you.
Even the selected service providers of payment processors are not perfect, and their scans may turn up a false positive - something that appears to be a problem but is not. You will need to work with your hoster and your developer to resolve such misunderstandings when they occur.
What are my responsibilities?
The PCI DSS standards are large, complex and subject to interpretation. Only a qualified assessor can tell you if you’re doing everything you need to do. But some basic requirements can be stated easily:
- Be sure your software is up to date. Upgrading is part of your responsibility so that you are running the latest versions of PHP and Zen Cart.
- Don’t disable any of the PCI related configuration items provided by Zen Cart. For example, don’t disable strong password requirements.
- Don’t store credit card numbers in your database. The old manual card modules should no longer be used, and any stored card numbers should be deleted.