PCI compliance

Started by Yellow Cherry, April 04, 2013, 14:47:38 PM


Yellow Cherry

I've looked through the forums but can't find anything for Virtuemart 2 on this subject.

My client runs Joomla 2.5.9 with Virtuemart 2.0.20b and Apache 2.4.4

They use PayPal Website Payments Pro to process payments.

To pass the data on to PayPal the MadeForJoomla (formerly Joomlcache) PayPal Website Payments Pro Module for Virtuemart 2.0 is used.

There is an SSL Certificate on the server.

No data is stored within Virtuemart or on the server, therefore our website host and MadeForJoomla believe we do not need to worry about PCI compliance. PayPal have said that if Virtuemart provide evidence the software is PCI compliant then that will suffice.

How do we get this? It would be really helpful if there was some info about this somewhere; there are a few threads about it but nothing concrete. I'd appreciate some help with this, Virtuemart team :)

Internet Marketing // Website Development

AH

If you do not capture card details on the site then you are PCI compliant; however, if you have the customer input their card details on your site then you will need to have the site audited.

Madeforjoomla should already have had their solution certified as PCI compliant so you should not be having an issue.
Regards
A

Joomla 3.10.11
php 8.0

Yellow Cherry

Thank you for your response however this doesn't quite resolve my problem.

I am told by MadeForJoomla and our website host that although the information is input on our site it is not stored, so the site does not need to be audited - PayPal seem to be OK with this.

However, PayPal want to see a PCI certificate for the solution so I guess I will see if MadeForJoomla can provide that.

jenkinhill

Under PCI DSS 2.0 rules (http://forum.virtuemart.net/index.php?topic=95732.0) a card vendor can insist on a scan & validation of a retailing website (and server) to certify that customer data is secure and that there is no risk to card data. We know there is probably no risk if all card processing takes place away from your site under SSL conditions, but they are entitled to ask for proof in the form of certification.

Many small businesses can self-certify (we do once a year for our business) but websites cannot usually be self-certified, so require an external organisation to run a scan if the card merchant processor insists. Have a look at https://www.pcisecuritystandards.org/merchants/self_assessment_form.php

If you must scan, maybe try the (initially) free system here: http://www.hackerguardian.com/hackerguardian/learn/pci_free_scan.html The problem with automated scans is that they can pick up on things which we know do not represent security issues, but may appear to do so.
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Yellow Cherry

Thanks jenkinhill. This seems bizarre though: why do we need to make the server PCI compliant when we don't process or store the data?

We have already started this process anyway, and a scan shows 5 vulnerabilities on the server, the first of which the web host says is incorrect anyway (Apache version), so it may be a long battle of disputes.

We pass the self-assessment part of it because the questions ask whether we store card data or pass it on; since we pass it on, we pass - making me wonder what the point of the scan is.

It's a bit backwards. I'm very tempted to suggest that my client reverts to PayPal Website Payments Standard.

AH

As you allow the capture of card data on the site then you will need an audit performed.

Jenkinhill is correct regarding self-certification for websites; you will need some form of third-party audit. Even if the software is certified, your server environment could be inherently insecure.

If you decide that this is too onerous:

On our vm1.x site we ended up using the PayPal Standard (legacy) HTML form but had a PayPal Payments Pro account (to allow phone-based card payments).

We wanted a better interface to the PayPal card input than was provided with Payments Standard and we were directed to use this URL:

$url = "https://securepayments.paypal.com/acquiringweb";

A much slicker option if you have a Pro account!

Unfortunately I am unsure how this would work with your current provider.

Hope this helps.
Regards
A

Yellow Cherry

That's very interesting, thank you - I can't see that URL though, it just redirects me to the PayPal account overview...

911websiterepair

Hi, this is Mike from madeforjoomla.com.

I have been working on this with Yellow Cherry all morning.

She showed me the failure report for the PCI scan and they are all server related, none to do with the module.

It is the server itself that is failing, and I tend to believe this is the case as no one else has ever had an issue with the module.

Yellow Cherry, I hope it's OK that I posted the scan results here for people to comment on; it may help resolve this.
=========
The scan results showed these issues:

Unix/Linus RPC Service Accessibility
DB Accessibility
statd RPC Service protocol tcp
statd RPC Service protocol udp
Unsupported HTTP Server Detected

However the website host thinks these are inaccurate findings, we can try and dispute them but the host says it shouldn't be an issue.

If no data is stored, PCI compliance should not be necessary anyway though.

=================================
joomla components, modules and extensions @ http://www.madeforjoomla.com
joomla development, customizations and repair specialists, http://www.911websiterepair.com

Virtuemart 2.0 PayPalPro Module
Virtuemart 2.0 Fedex Shipping Module
Virtuemart 2.0 Express Order Module
Virtuemart 2.0 Authorize.net SIM payment module
http://www.virtuemartmailordermanager.com

Yellow Cherry

Yes, no problem geekhead, but as mentioned, the web host disputes these findings so we will dispute them with TrustWave (the scanner recommended by PayPal).

The confusion has come because PayPal told us we did not need the server to be compliant and that the software compliance was enough. I guess that support employee at PayPal is misinformed.

I am still confused as to why the server needs to be compliant if no sensitive data is stored though.

I think PayPal need to make it clearer that an SSL certificate and PCI compliance are necessary for both software and server if you have a Website Payments Pro account.

911websiterepair

I am still confused as to why the server needs to be compliant if no sensitive data is stored though.

Response: these show vulnerabilities for which the server could possibly be hacked.

911websiterepair

I spoke to securitymetrics.com.

There is no such thing as having a module certified for PCI; PayPal is wrong, as this is the company that does the certifications in the USA.

PCI scans servers only, not websites. All the PCI scan does is scan server ports to identify server vulnerabilities, which in this case were identified. It does not look for stored information. You can store information as long as your server passes the PCI security scan.
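
The findings Mike posted above (RPC service accessibility, statd, DB accessibility) and his later point that the ASV scan only probes server ports both come down to services listening on a public interface. As an added example that is not from the thread or from MadeForJoomla, this Python script parses `ss -tuln` output (a constructed sample is embedded; the risky-port list and the column layout are assumptions) and flags such listeners, so a host can confirm or dispute a finding before the re-scan.

```python
"""Flag public listeners that a PCI ASV port scan would report.

Parses `ss -tuln` output and lists risky services bound to non-loopback addresses.
"""
import ipaddress
# Ports an external scan commonly flags on a host meant to serve only HTTP/HTTPS
# (assumed list). statd uses a dynamic port, so it is caught via rpcbind (111).
RISKY_PORTS = {
    111: "rpcbind/portmapper (RPC Service Accessibility)",
    3306: "MySQL (DB Accessibility)",
}

# Constructed sample of `ss -tuln` output; not from the server discussed in the thread.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128                *:443             *:*
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      128             [::]:3306         [::]:*
"""

def is_public(addr):
    """True if a bind address is reachable from outside the host."""
    addr = addr.strip("[]")
    if addr in ("*", "0.0.0.0", "::"):
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unrecognised format: surface it for review

def exposed_listeners(ss_output):
    """Return (proto, addr, port, reason) for public listeners on risky ports."""
    findings = []
    for line in ss_output.splitlines()[1:]:     # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, _, port = local.rpartition(":")   # works for '[::]:3306' and '*:443'
        if int(port) in RISKY_PORTS and is_public(addr):
            findings.append((proto, addr, int(port), RISKY_PORTS[int(port)]))
    return findings

if __name__ == "__main__":
    for f in exposed_listeners(SAMPLE_SS_OUTPUT):
        print("%s %s:%d -> %s" % f)
```

On the real host, pipe live output in with `ss -tuln` and feed it to exposed_listeners; anything reported should either be bound to loopback, firewalled, or disabled before asking the scanner to re-test.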

AH

Yellow Cherry,

Your information regarding storage of card information is inaccurate.

You are not allowed to store unencrypted information related to credit cards - this includes PAN and CVC. However, as you stated you store nothing on the site, then you are in the clear.
Regards
A

911websiterepair

By the way, I have been following up: if I did have to have this module PCI certified (and I don't), it would cost between 12 and 20 THOUSAND dollars.


AH

Yep, PCI is for the Big Boys! Designed to stop small business compromising huge card portfolios!!!

Costs the issuers $millions.

Check out the fraud loss figures for the credit card industry and you will see why PCI was introduced!
Regards
A

PRO

I sold merchant services for years before doing my own shop.

The server that transmits the data always has to be scanned to be deemed PCI compliant (IF your merchant account provider makes you get it scanned).

OP: It's 99% the server/host that needs to change things to get it to pass. It's usually just software upgrades.
And sometimes it's "false" positives, but the host can give you the information to prove it.

There are small things like "login forms" etc. that have to be HTTPS (and that's your responsibility).

Just give the report to your web host, and they (if they are a good host) will fix most of it for you.

For any URLs that have to be forced to HTTPS, like user pages etc., I use this code in the template:

view/user/default.php
<?php
// Force HTTPS: if the current URL is plain http, redirect to the https equivalent.
$currentcheck = JURI::current();
$comparethis  = str_replace('http:', 'https:', $currentcheck);
if ($comparethis !== $currentcheck) {
    $app = JFactory::getApplication();
    // Permanent (301) redirect, keeping any queued system messages.
    $app->redirect($comparethis, null, null, true, true);
}
?>


Web Payments Pro does not make their stores get scanned that I know of.

BUT! If you just want a scan etc., there are many companies out there that will scan for you.

PCI is what it is, good & bad.
Security Metrics tells me I need to remove the "password protection" on the administrator directory, "so they can scan it". I am like "lol".
They actually tell you to "allow them through the firewall" lol.

Servers need to be safe from vulnerabilities, but the scanning companies should also have a little more sense than they do.