PCI Security Practices

Merchants who accept credit card payments should be aware of the PCI (Payment Card Industry) Data Security Requirements from the major credit card companies. These requirements have been developed to ensure safe handling of sensitive payment information, such as storage and transfer of credit card information. This document contains instructions for configuring ShopSite to meet PCI requirements. Merchants may also need to implement other procedures for handling credit card information outside of the ShopSite Shopping Cart Software.

Installation

Your hosting provider should have already installed ShopSite for you. Instructions to securely install ShopSite can be found in the ShopSite Installation help.

You and your hosting provider should always use a secure connection (SSH, SFTP, FTP over SSH, etc.) and two-factor (password plus the code from an authenticator app) authentication when connecting to the server for administrative purposes. This includes when you connect to install or upgrade ShopSite, or when you connect to perform other administrative tasks on your server.

The server Operating System and other applications such as the Web server and E-mail server must be kept up to date with the most recent security patches. Your hosting provider is usually responsible for this, and should already be doing it. For more details regarding this subject, see the PCI Security Standards Council Web page. Additionally, PCI compliance requires that the OS and web-server support and implement an active access log. For information on enabling and configuring access logging in Apache Web Server on CentOS, see Apache's documentation. More information on access logging can be found in the respective OS-appropriate installation guide.

If you are storing credit card numbers or other sensitive personal information, you are requred to store the information on a remote database in an internal network zone (see PCI DSS requirement 1.3). ShopSite can be configured to use a remote PostgreSQL database to store sensitive order information, but you are responsible for setting up the database in compliance with PCI security guidelines.

Upgrading

When upgrading to a newer version of ShopSite, you should follow the same security practices as if you were installing a new store (described above). More information about upgrading can be found in the Upgrading ShopSite help.

Accepting Credit Cards

There are several ways to accept credit cards with a ShopSite store. The first is with a payment method like PayPal or Amazon Pay. The second is with a payment gateway where the shopper enters their payment information either on the merchant's server or the gateway's. Finally, merchants can manually process credit card information. With this method, the shopper enters their payment information in the cart and the merchant later retrieves it and then processes it.

Security Logs

PCI guidelines require merchants to log all access to payment information, and to retain those logs for 12 months. ShopSite's Access Log records every time someone views an order. The current month's log is viewable from the Back Office, and the previous 12 months are automatically stored. See the Access Log Help for more information.

Determining Compliance

ShopSite includes a feature to help you know how well your store complies with PCI security guidelines for credit card processing and storage. On the ShopSite Order Screen you will see a security level indicator near the top left corner of the screen. If your security level is Medium or Low, you are not meeting all the PCI requirements regarding your ShopSite store. Even if your security level in ShopSite is High, you may still need to do other things to comply with PCI requirements. See the PCI Security Standards Council Web page for the complete PCI DSS requirement specification.

Additional Requirements

In addition to the guidelines for storing credit card information, PCI requirements include numerous additional guidelines regarding safe practices. You must meet all the guidelines to be PCI compliant. Some of those relevant to managing ShopSite stores are listed below.

Written Agreement
(as per PCI DSS standard section 12.8.2)

ShopSite acknowledges that it is responsible for the security of cardholder data that the ShopSite software stores, processes or transmits on behalf of the merchant and therefore provides the configuration options, instructions, and software updates that enable the merchant to run ShopSite at the highest security level.

See the PCI Security Standards Council Web page for the complete PCI requirement specification.


ShopSite Help and Resource Center
Last updated: Sep 21, 2023
Give Feedback


ShopSite Shopping Cart Software