Merchants who accept credit card payments should be aware of the PCI (Payment Card Industry) Data Security Requirements from the major credit card companies. These requirements have been developed to ensure safe handling of sensitive payment information, such as storage and transfer of credit card information. This document contains instructions for configuring ShopSite to meet PCI requirements. Merchants may also need to implement other procedures for handling credit card information outside of the ShopSite Shopping Cart Software.
Your hosting provider should have already installed ShopSite for you. Instructions to securely install ShopSite can be found in the ShopSite Installation help.
You and your hosting provider should always use a secure connection (SSH, SFTP, FTP over SSH, etc.) and two-factor (password plus the code from an authenticator app) authentication when connecting to the server for administrative purposes. This includes when you connect to install or upgrade ShopSite, or when you connect to perform other administrative tasks on your server.
The server Operating System and other applications such as the Web server and E-mail server must be kept up to date with the most recent security patches. Your hosting provider is usually responsible for this, and should already be doing it. For more details regarding this subject, see the PCI Security Standards Council Web page. Additionally, PCI compliance requires that the OS and Web server support access logging and have it enabled. For information on enabling and configuring access logging in Apache Web Server on CentOS, see Apache's documentation. More information on access logging can be found in the respective OS-appropriate installation guide.
If you are storing credit card numbers or other sensitive personal information, you are required to store the information on a remote database in an internal network zone (see PCI DSS requirement 1.3). ShopSite can be configured to use a remote PostgreSQL database to store sensitive order information, but you are responsible for setting up the database in compliance with PCI security guidelines.
When upgrading to a newer version of ShopSite, you should follow the same security practices as if you were installing a new store (described above). More information about upgrading can be found in the Upgrading ShopSite help.
There are several ways to accept credit cards with a ShopSite store. The first is with a payment method like PayPal or Amazon Pay. The second is with a payment gateway where the shopper enters their payment information either on the merchant's server or the gateway's. Finally, merchants can manually process credit card information. With this method, the shopper enters their payment information in the cart and the merchant later retrieves it and then processes it.
Payment methods typically have their own checkout button (e.g., PayPal Express or Amazon Pay) and when the shopper clicks that button, they are taken from the merchant's site and enter their payment information on the vendor's secure server (as is done by PayPal Express) or it appears that they are still on the merchant's site, but where they enter their payment information is actually on the vendor's server (as is done with Amazon Pay). It can be easier to be PCI compliant with one of these payment methods.
Payment gateways may or may not have the shopper enter their payment information on their server. Gateways like Authorize.Net SIM and WorldPay take the shopper to their site to enter the payment information. Even though gateways like Braintree v.zero and PayPal Commerce appear to leave the shopper on the merchant's site, the section where the shopper enters payment information is actually on the vendor's server. Other gateways (like Authorize.Net AIM or First Data Payeezy) have the shopper enter payment information securely on the merchant's server. In either case, the merchant's store can be PCI compliant, but if the merchant uses a gateway that has the shopper enter payment information on the merchant's server, it may require more work.
When using one of these payment processors, the payment information is immediately sent to the payment processor, and there is no further need to store the payment information in ShopSite. For maximum security, ShopSite recommends that if you are using one of these processors, select the option to not store credit card information. See the Credit Card Storage screen help to learn how to configure your store not to keep credit card information. If you feel it is necessary to temporarily store the credit card information, follow the guidelines for manual payment processing below.
Manual payment processing requires the merchant to collect payment information in the shopping cart, then manually bill the card using a separate payment processing method. When ShopSite is configured for manual payment processing, PCI requires that SSL be used for any screen where payment information is gathered or viewed. See the Hosting Service Configuration screen help for instructions to configure ShopSite to use SSL.
By default, ShopSite will store credit card information using symmetric encryption. For PCI compliance, you must store sensitive Credit Card information on a remote server in an internal network zone (see PCI DSS requirement 1.3), and you should be using Public/Private Key encryption. Only one employee should have access to the Private Key and billing information. See the Remote Database Configuration help to learn how to configure your store to use a remote database. See the Credit Card Storage help to learn how to configure your store to use Public/Private Key encryption. Even with a remote order database and Public/Private Key encryption turned on, you should not store credit card information any longer than absolutely necessary to bill the order. Merchants should view or download any order on the same day it is created, then delete the order from ShopSite once the order has been billed.
PCI guidelines require merchants to log all access to payment information, and to retain those logs for 12 months. ShopSite's Access Log records every time someone views an order. The current month's log is viewable from the Back Office, and the previous 12 months are automatically stored. See the Access Log Help for more information.
ShopSite includes a feature to help you know how well your store complies with PCI security guidelines for credit card processing and storage. On the ShopSite Order Screen you will see a security level indicator near the top left corner of the screen. If your security level is Medium or Low, you are not meeting all the PCI requirements regarding your ShopSite store. Even if your security level in ShopSite is High, you may still need to do other things to comply with PCI requirements. See the PCI Security Standards Council Web page for the complete PCI DSS requirement specification.
In addition to the guidelines for storing credit card information, PCI requirements include numerous additional guidelines regarding safe practices. You must meet all the guidelines to be PCI compliant. Some of those relevant to managing ShopSite stores are listed below.
Access Payment Information Securely. Whenever you access payment information, do it from a computer that is behind a firewall and which has frequent spyware and anti-virus scans. You should never use a shared (public) computer to access payment information. Always access payment information using an encrypted connection (HTTPS), and never send payment information via E-mail.
Use Secure Connections. Unencrypted internet connections, such as Telnet and FTP, could be intercepted and read by malicious hackers. Any time you connect to your server for administrative purposes, you should use a secure internet connection, such as SSH instead of telnet, FTP over SSH or SFTP instead of FTP, and of course HTTPS instead of HTTP. Two-factor authentication (password plus the code from an authenticator app) is required for any administrative access. You also need to avoid using unencrypted wireless network connections, especially in public places.
Use Unique Passwords and User Accounts. The local computer from which you access payment information should require users to log in using a unique username and password. You should also have a different username and password for administrative access to the Web server than you use to access the ShopSite back office.
Disable unused accounts on your local computer and on your Web server. All user accounts, whatever they are used for, should either have strong passwords or have user access disabled.
Use Strong, Secure Passwords. The passwords you use, especially the ones for accessing payment information, should be difficult for malicious intruders to guess. See our Password Security Guidelines for details regarding good password practices.
Change your Passwords and Public/Private Key regularly. You should change your passwords and public/private key every 90 days (3 months) as a precautionary measure. You should also change them if you think they have been or may be compromised. Whenever you release an employee who had access to payment information, or if you see suspicious behavior on your server, you should change the access information.
Set up a File Integrity Monitoring (FIM) Tool. PCI requires that executable and other program files be checked at least every 36 hours for potential tampering. This can be done with 3rd-party monitoring software that is set up to run every 24 hours via a Linux Cron job. This is typically something that your host will need to help you set up. Some Open Source FIM tools include AIDE, Samhain, OSSEC Syscheck, and Tripwire Open Source.
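As an added illustration of the FIM practice described above (this is not ShopSite's own tooling or configuration), here is a minimal baseline-and-compare check built on sha256sum that a daily cron job can run; the watched directory and manifest paths are placeholders you would set for your own server.

```shell
#!/bin/sh
# Added example, not part of ShopSite: a small file-integrity check using
# sha256sum. Assumed placeholder paths: point the watched directory at your
# ShopSite program/CGI directory and keep the manifest somewhere read-only
# to the Web server user. Example cron entry (runs daily at 03:00):
#   0 3 * * * /usr/local/sbin/fim_check.sh /path/to/shopsite/cgi /var/lib/fim/manifest
set -u

# Build (or rebuild, after a verified upgrade) the baseline manifest:
# one "hash  path" line per regular file, sorted by path.
fim_baseline() {
    watch_dir=$1
    manifest=$2
    find "$watch_dir" -type f -exec sha256sum {} + | LC_ALL=C sort -k2 > "$manifest"
}

# Compare the current tree against the baseline. Prints one line per
# modified, missing or new file and returns 1 if anything differs, 0 if clean.
# sha256sum lines are "<64 hex chars><2 spaces><path>", so the path starts
# at column 67; cut -c67- extracts just the path for exact-line matching.
fim_check() {
    watch_dir=$1
    manifest=$2
    current=$(mktemp)
    find "$watch_dir" -type f -exec sha256sum {} + | LC_ALL=C sort -k2 > "$current"
    status=0
    # Files from the baseline that changed hash or disappeared.
    while read -r hash path; do
        if ! cut -c67- "$current" | grep -Fxq -- "$path"; then
            echo "MISSING  $path"; status=1
        elif ! grep -Fxq -- "$hash  $path" "$current"; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$manifest"
    # Files present now that the baseline never recorded.
    while read -r hash path; do
        cut -c67- "$manifest" | grep -Fxq -- "$path" || { echo "NEW      $path"; status=1; }
    done < "$current"
    rm -f "$current"
    return $status
}
```

A non-zero exit from fim_check is what the cron job should alert on (for example by mailing the output to the administrator), since a silent success is the expected daily result.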
ShopSite acknowledges that it is responsible for the security of cardholder data that the ShopSite software stores, processes or transmits on behalf of the merchant and therefore provides the configuration options, instructions, and software updates that enable the merchant to run ShopSite at the highest security level.
See the PCI Security Standards Council Web page for the complete PCI requirement specification.
ShopSite Help and Resource Center. Last updated: Sep 21, 2023