PCI compliance

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
10 years ago
Is there any up to date info on this at all? The answers seem to be a little vague from the support team and it must be a common question. Our customer has asked if nop is PA-DSS compliant. They will be using PayPal and Sage for payment collection. If the payments are handled off-site then all we need to know is:

Does nop retain any of the information that is passed across?
Is it passed across to the gateway securely so that it conforms to these guidelines?

Any help on this would be appreciated.
10 years ago
steviport wrote:
Is there any up to date info on this at all? The answers seem to be a little vague from the support team and it must be a common question. Our customer has asked if nop is PA-DSS compliant. They will be using PayPal and Sage for payment collection. If the payments are handled off-site then all we need to know is:

Does nop retain any of the information that is passed across?
Is it passed across to the gateway securely so that it conforms to these guidelines?

Any help on this would be appreciated.


Hi

I am sure someone will correct me if I am wrong, but as far as I am aware the data stored by Nop is what is asked for, i.e. customer name, address, telephone number etc.

As for financial information, it will be down to the payment plugin provider to answer.

Regarding the built-in PayPal Standard plugin and the Nochex plugin that I offer, no financial data is collected or retained, and the name, address and order data passed to the payment processor is passed in the query string.

For the PayPal and Nochex plugins above, all financial data is handled by the payment processor's website, and as such it is for them to be PCI compliant.

I believe that Sage offers a similar method of accepting payments to PayPal Standard.
10 years ago
daveb wrote:

3: if you do store credit card details on your server then you have to be PCI certified and compliant, either done yourself or via a company like security metrics.

I can't see any reason for anyone to store CC details on their server. It's just asking for trouble.


I don't think it's just storing credit card details on your server that is an issue; processing card details is too, i.e. taking card details from a web page, returning them to the server, processing the payment, then discarding the card number. That still means you are handling card details, and your server, the network it is on, and anyone accessing the server need to be covered under your PCI compliance.

Why, if you are not storing the data?
If, for example, a tech at your ISP can access your server, there is the possibility that they can harvest those card details.
If your whole setup is PCI compliant (and not just the application - that's just the starting point) then this should not be possible.

Where staff may be able to access sensitive data, the PCI questionnaire requires them to be credit checked, to make sure they are not skint and looking for a way out.

The rules are really quite detailed.
If you are not sure, go to https://www.pcisecuritystandards.org/merchants/self_assessment_form.php, click on the 'Select and download your SAQ' link, then on the next page download the first doc, 'PCI DSS v2.0' (you'll need to register, I think).

When you've read it, you'll perhaps understand why achieving compliance is so difficult.

With nopCommerce, just adding a new payment method would render the certification invalid, and as so many people develop and extend it, lots of versions out there will not be compliant.

Commercial ecommerce platforms, which aren't editable in the same way, don't suffer this problem.
10 years ago
We ran PCI security certification for nopCommerce 3.0, and we got the following issue:

SQL injection security problem
Blind SQL Injection Vulnerability in SQL Server

THE SINGLE BEST WAY TO FIX THIS VULNERABILITY IS TO IDENTIFY THE ACCEPTABLE INPUT FOR EACH FORM PARAMETER AND REJECT INPUT THAT DOES NOT MEET THAT CRITERIA.

Implement content parsing on data input fields including URL parameters.

Remove the following characters from any user or dynamic database input: (examples in VBScript)
' (escape the single quote) input = replace( input, "'", "''" )
" (double quote) input = replace( input, """", "" )
) (close parenthesis) input = replace( input, ")", "" )
( (open parenthesis) input = replace( input, "(", "" )
; (semi-colon) input = replace( input, ";", "" )
- (dash) input = replace( input, "-", "" )
| (pipe) input = replace( input, "|", "" )


Please advise.

Thanks
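The scan report above recommends identifying the acceptable input for each parameter and then lists a character blacklist. As an added example that is not from the original post or from nopCommerce (the product table, the lookup functions and the sample payloads are constructed for illustration), the Python/SQLite model below shows the blind SQL injection class the scanner flagged: a numeric id concatenated into the query text, the report's VBScript stripping ported as strip_blacklist, and the fix the report's first sentence actually calls for, accepting only an integer and binding it as a parameter. It demonstrates why the blacklist alone is not the fix: a quoteless numeric-context payload passes it untouched, and the boolean-blind oracle still works through it.

```python
import sqlite3

# Constructed sample catalogue (not from the original post): one unpublished
# product that the storefront query must never return.
PRODUCTS = [
    (1, "Widget", 1),
    (2, "Gadget", 1),
    (3, "Secret prototype", 0),
]


def make_db():
    """In-memory SQLite stand-in for the store database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, published INTEGER)"
    )
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", PRODUCTS)
    return conn


def strip_blacklist(value):
    """The character-stripping advice from the scan report, ported from VBScript."""
    value = value.replace("'", "''")
    for ch in ('"', ")", "(", ";", "-", "|"):
        value = value.replace(ch, "")
    return value


def lookup_concat(conn, product_id):
    """Vulnerable: the request parameter is spliced into the SQL text."""
    sql = (
        "SELECT name FROM product WHERE id = "
        + product_id
        + " AND published = 1 ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, product_id):
    """Hardened: validate the parameter against what is acceptable (an integer),
    then bind it with a placeholder so the driver never parses it as SQL."""
    try:
        pid = int(product_id)
    except ValueError:
        return []  # reject anything that is not an integer id
    sql = "SELECT name FROM product WHERE id = ? AND published = 1 ORDER BY id"
    return [row[0] for row in conn.execute(sql, (pid,))]


def blind_probe(conn, lookup, condition):
    """Boolean-blind injection: the same request with a condition appended.
    If a true and a false condition give different responses, the attacker
    can ask the database yes/no questions one bit at a time."""
    return lookup(conn, "1 AND " + condition)


if __name__ == "__main__":
    db = make_db()
    # The blacklist leaves a quoteless numeric-context payload untouched ...
    payload = strip_blacklist("3 OR 1=1")
    print(payload, "->", lookup_concat(db, payload))  # leaks the unpublished row
    # ... and the boolean-blind oracle still works through it
    print(blind_probe(db, lookup_concat, strip_blacklist("1=1")))  # ['Widget']
    print(blind_probe(db, lookup_concat, strip_blacklist("1=2")))  # []
    # Validation plus binding closes both
    print(lookup_param(db, "3 OR 1=1"))  # []
    print(blind_probe(db, lookup_param, "1=1"))  # []
    # The blacklist also mangles legitimate data
    print(strip_blacklist("AB1-2CD"))  # AB12CD
```

The same split applies whatever the data-access layer: decide what the parameter may be and reject the rest, then pass the value to the driver as a bound parameter rather than formatting it into the query text. Stripping dashes, parentheses and semicolons is not a substitute, and it corrupts legitimate values such as hyphenated postcodes.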
10 years ago
I am using PayPal Standard and Authorize.Net SIM which are both hosted payment solutions. I opened a merchant account with Fifth Third Processing Solutions (Vantiv).

When I received my welcome packet from Fifth Third, it contained information on using PCI Assist. Fifth Third partnered with Trustwave to provide this service for free to Fifth Third's merchant account customers. It was a simple online process to step through a questionnaire to help me determine my compliance status.

Since I am using nothing but hosted payment solutions, it was easy to pass the inspection and I now have the "Trustwave" seal of compliance on my site. I also received a $10 monthly discount on my merchant fees for doing the certification!

I also received free enrollment in "Breach Assist" which provides $100,000 indemnification waiver in case of a breach.

BTW - the Authorize.net SIM plugin for NopCommerce V2.8 is now an available extension! And I'm working on updated versions. I'll post here when they're available.