Topic: Is Virtuemart PCI Compliant?

scanreg

  • Beginner
  • Posts: 18
Is Virtuemart PCI Compliant?
« on: June 12, 2010, 15:14:29 pm »
Is Virtuemart PCI Compliant?

What constitutes "PCI Compliance" regarding cart programming and features?

Thanks :)

PRO

  • Global Moderator
  • Super Hero
  • Posts: 10311
  • VirtueMart Version: 3+
Re: Is Virtuemart PCI Compliant?
« Reply #1 on: June 12, 2010, 16:28:41 pm »
http://forum.virtuemart.net/index.php?topic=64469.0

PCI compliance is mainly a server setup issue.
J3.9+ VM 3.4.2
Slowest Page Speed Score (88) (Category)
Fastest Page Speed Score (94-96) (productdetails)

I do NOT do development work for hire.

purelife

  • Beginner
  • Posts: 17
Re: Is Virtuemart PCI Compliant?
« Reply #2 on: June 23, 2010, 09:24:15 am »
I just checked out a few carts that talk about PCI Compliance in their website description. Does Virtuemart have any of these features?

CS-Cart
----------------
Cardholder data protection in CS-Cart is provided for both offline and online payment methods. In case of offline order processing, cardholder data is encrypted with the Blowfish algorithm and stored in the CS-Cart database. After the order is processed, the credit card information can be deleted automatically.

If the order processing is carried out online, double protection is possible. In addition to the Blowfish encryption, data can also be encoded with the certificate-based encryption during transmission over networks, as CS-Cart supports SSL certificates of all types.



Avactis Cart
------------

Cardholder and card data stored in the database is encrypted with the RSA algorithm. The private key is located on the store administrator's local computer only.

Cardholder and card data collected during checkout is encrypted with the Blowfish algorithm. The secret key is passed using HTTPS encryption only.

In order to view credit card data, the store administrator has to upload his private key from his local computer.

After key upload the data is decrypted and displayed, while the key is instantly deleted. All these operations are performed over an HTTPS connection to make data interception impossible.

PRO

  • Global Moderator
  • Super Hero
  • Posts: 10311
  • VirtueMart Version: 3+
Re: Is Virtuemart PCI Compliant?
« Reply #3 on: June 23, 2010, 15:26:37 pm »
Yes, and you should NOT store credit card data. You should do real-time authorizations when possible.


purelife

  • Beginner
  • Posts: 17
Re: Is Virtuemart PCI Compliant?
« Reply #4 on: June 23, 2010, 19:18:16 pm »
I just read through virtuemart manual.
In security settings:


Encryption Function
Recommended: AES_ENCRYPT

Choose the MySQL function that is used to encode/encrypt important data in the database tables. AES Encrypt is far more secure, as it actually encrypts the data, not just encodes it. AES_ENCRYPT is available in MySQL >= 4.0.2.

Encryption Key
The secret key for encrypting payment account data like credit card numbers and storing them encrypted in the database.

Store Credit Card Information?
Allows you to completely disable the storage of Credit Card data.


So basically, say NO to "Store Credit Card Information" and it will not be stored?

I'm looking to use PAYPAL PAYMENTS PRO, so I assume the whole process is encrypted and, once the payment is completed in real time, the card information is deleted and not stored? So this is pretty much PCI compliant then.

PRO

  • Global Moderator
  • Super Hero
  • Posts: 10311
  • VirtueMart Version: 3+
Re: Is Virtuemart PCI Compliant?
« Reply #5 on: June 23, 2010, 20:19:21 pm »
Yes.

MikeUK

  • Global Moderator
  • Full Member
  • Posts: 1344
Re: Is Virtuemart PCI Compliant?
« Reply #6 on: June 24, 2010, 10:15:47 am »
Just to add, the question of whether Virtuemart is PCI compliant or not is not really the point (especially as Virtuemart is open-source).

It is the responsibility of each store owner if they store or transmit card data. So if you use the standard Paypal online processor, etc., you are not affected (because Paypal stores and transmits the data).

If you store or transmit credit card data, then you have to look at everything that affects your data security. If you are not sure, and in this position, get professional help. There are some big fines for non-compliance.

If you are unsure, then, as mentioned before, use an online payment processor and you'll be OK.

I can build your online shop, setup or customize Virtuemart or help your existing shop maximize its potential. Email / PM for info

King George

  • Beginner
  • Posts: 1
Re: Is Virtuemart PCI Compliant?
« Reply #7 on: July 18, 2012, 17:37:04 pm »
Just to add, the question of whether Virtuemart is PCI compliant or not is not really the point (especially as Virtuemart is open-source).

This is rubbish... and to post such nonsense on such an important issue is irresponsible.

PCI compliance exists at TWO levels

1. The server
2. The software

The entire issue revolves around security vulnerability and even the most novice webmaster knows that BOTH the server software AND the platform software loaded on it present security vulnerabilities.

Platform software (including OpenSource) ought to meet PCI compliance if it offers any online eCommerce capacity. It DOES NOT MATTER if actual payment details are processed off-site at a compliant provider...

So... Virtuemart is NOT (yet) PCI compliant, which is a major reason we have stopped using it.

PRO

  • Global Moderator
  • Super Hero
  • Posts: 10311
  • VirtueMart Version: 3+
Re: Is Virtuemart PCI Compliant?
« Reply #8 on: July 18, 2012, 17:54:08 pm »
Just to add, the question of whether Virtuemart is PCI compliant or not is not really the point (especially as Virtuemart is open-source).

This is rubbish... and to post such nonsense on such an important issue is irresponsible.

PCI compliance exists at TWO levels

1. The server
2. The software

The entire issue revolves around security vulnerability and even the most novice webmaster knows that BOTH the server software AND the platform software loaded on it present security vulnerabilities.

Platform software (including OpenSource) ought to meet PCI compliance if it offers any online eCommerce capacity. It DOES NOT MATTER if actual payment details are processed off-site at a compliant provider...

So... Virtuemart is NOT (yet) PCI compliant, which is a major reason we have stopped using it.

KingGeorge, my vmart sites 1.1 and 2.0 have passed PCI compliance for 3 years now.

ANYTIME there is an issue with a scan, it's SERVER related, and fixed.

The only time I went 3 weeks without being PCI compliant is when I moved to a new VPS server, and I had to configure it correctly.



AND: Re opensource

What he means is, ANY module, add-on or hack of the core can create a vulnerability.



Milbo

  • Virtuemart Projectleader
  • Administrator
  • Super Hero
  • Posts: 9770
  • VM3.2 Cached and Optimized
    • VM3 Extensions
  • VirtueMart Version: VirtueMart 3 on joomla 3
Re: Is Virtuemart PCI Compliant?
« Reply #9 on: July 18, 2012, 21:49:02 pm »
And to top that,

there exist 4 general levels of PCI compliance; as a merchant you need no more than level 2, and only then when you transmit and store the data.

For this purpose you must use a plugin in VM2 anyway. It is intended that the core of VM2 IS NOT storing any data which you can use for payments. When you want to do offline processing, buy this: http://extensions.virtuemart.net/extensions-virtuemart-2/offline-credit-card-processing-detail (BE AWARE IT IS FOR VM2)

The rest is in your hands, or better said in the hands of the guy administrating your server (as banquet said).
I should fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/