PCI compliance is a very hot topic on the OpenCart forums, so I wanted to write a short article giving you my own professional opinion on the matter. Here is one of the many articles you can find that gives you an idea of the misconceptions about PCI compliance: what it is, what it is not, who it is for, and the false perceptions around it.
What is PCI Compliance?
PCI DSS is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. Basically, if your firm is in charge of storing sensitive cardholder data in any capacity, then you will need to meet the compliance requirements that apply to what you are doing. PCI compliance is the store owner's responsibility and has nothing to do with OpenCart in general. However, OpenCart has indeed worked hard over the years to optimize its code to pass the latest PCI security scanning programs, such as McAfee SECURE (one of the more popular ones out there and trusted by many shoppers).
Covering the basics
General rule of thumb: if you are gathering customer data that is considered "sensitive", such as emails, credit card information, names, etc., then you MUST offer some form of protection for your customers. Most ecommerce websites don't store CC numbers on their servers but rely on 3rd-party companies such as PayPal to do so, since they are already PCI compliant. We are talking more about web forms that take care of payments, or registration forms where a customer enters their email. To protect against phishing, eavesdropping, and hackers who would just love to get their dirty little paws on your information, it is important that you provide what is called SSL (Secure Sockets Layer). This encrypts the traffic between the customer's browser and the web page(s) that need protection from the bad guys. It also offers a measure of peace of mind to your customers so that they can have a better shopping experience. Imagine if you were storing CC numbers on your server and a hacker got access to all of them. This is a liability nightmare that you DON'T want to deal with, so again I want to remind you that it's better to not even go there. Let the big dogs take care of CC storage. Most of the big dogs such as PayPal, when using something like DIRECT PAYMENT (which allows the customer to pay with a credit card directly on your website), require you to have an SSL certificate. You can purchase an SSL certificate from www.arvixe.com and can even have it installed for you.
Out of the box OpenCart is one of the most secure ecommerce platforms around. With a few tweaks you can bring that security to the next level and help keep prying eyes away from private sections of OpenCart. While the following changes are not the full scope of PCI compliance for merchants many (such as changing system defaults) are considered best practices. They are noted with (PCI) in the article. As always, to ensure compliance please consult appropriate PCI compliance rules or professionals.
1) Enable SSL for Admin (PCI)
2) Rename the admin directory
3) Password protect the admin directory with .htaccess
4) Rename the ‘admin’ user (PCI)
5) Restrict user permissions (PCI)
6) Strong passwords (PCI)
7) Change your encryption key (PCI)
8) Disable ‘Display Errors’ (PCI)
9) Remove ‘Powered By OpenCart’
1) Enable SSL for Admin (PCI)
By default, data sent to and from Admin is not encrypted. Enabling SSL/HTTPS will ensure that data such as Admin user passwords and customer order data can't be intercepted during transmission. To do this you must have an SSL certificate installed on your server. Many web hosts will have a shared certificate available on their server (if you use it, browsers may show certificate warnings because the certificate is issued for the host's name rather than your domain), or you can purchase one separately for your organization (highly recommended).
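As an added example (not code from the article or from the OpenCart project itself), here is how the URL constants in OpenCart's admin/config.php look once HTTPS is in place. The constant names follow the OpenCart 1.5-style config file; the hostname shop.example.com and the admin path are placeholders, and the catalog constants cover the storefront pages (register, checkout, login, account) discussed in the section above.

```php
<?php
// Added example, not the article's or OpenCart's own file.
// URL constants from admin/config.php (OpenCart 1.5-style names).
// "shop.example.com" and "/admin/" are placeholders: use your own
// domain and, after renaming the admin directory, the new path.

// Admin panel URLs. Setting BOTH to the https:// URL makes every link
// the admin generates use HTTPS, so no admin page is served in the clear.
define('HTTP_SERVER', 'https://shop.example.com/admin/');
define('HTTPS_SERVER', 'https://shop.example.com/admin/');

// Storefront URLs. Keep HTTP_CATALOG on http:// and HTTPS_CATALOG on
// https://; OpenCart switches pages such as checkout, login and account
// to HTTPS_CATALOG when "Use SSL" is enabled in the admin settings.
define('HTTP_CATALOG', 'http://shop.example.com/');
define('HTTPS_CATALOG', 'https://shop.example.com/');
```

Two things to check after editing: the hostname in these constants must match the name on the installed certificate (a host's shared certificate will not match your domain, which is the source of the warnings mentioned above), and the storefront "Use SSL" option lives under System > Settings > Server in the admin panel and must be ticked for the HTTPS_CATALOG URL to be used on the customer-facing pages.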
2) As stated above, enable SSL for the front-side customer shopping pages that require it, such as register, checkout, login, account, etc.