pci compliance, securtiy, hacking, ahh...

[mikej2009]

after installation of cart, if i use a merchant such as authorize.net, does pci compliance fall under me or how does that work, its a little confusing and intimidating.

would it be better just to use one of the "pay per month" shopping carts?

[PRO]

PCI compliance ALWAYS falls on you. No matter if you are using a paid cart or what.

Getting certified is a matter of the site being scanned.

They will make sure your software is up to date.
12-15-09
Apache (2.2.12)
PHP (5.2.10)

Anonomous FTP needs to be turned off.

They will See How Much Time you have left on your SSL certificate. If its about to expire, they will say you are non compliant.

They will also scan YOUR IP address of your internet connection.

NOW.. the tricky part is they are going to say show_image_in_imagetag produces "blind sql injection" vulberabilities. You have to argue this with them. Tell them to prove it, etc.

[sandhill]

Did you have to pay for a scan? I was at there site and I see they charge $699 to test a site.

PCI compliance ALWAYS falls on you. No matter if you are using a paid cart or what.

Getting certified is a matter of the site being scanned.

They will make sure your software is up to date.
12-15-09
Apache (2.2.12)
PHP (5.2.10)

Anonomous FTP needs to be turned off.

They will See How Much Time you have left on your SSL certificate. If its about to expire, they will say you are non compliant.

They will also scan YOUR IP address of your internet connection.

NOW.. the tricky part is they are going to say show_image_in_imagetag produces "blind sql injection" vulberabilities. You have to argue this with them. Tell them to prove it, etc.

[rowby]

Hi  I have used authorizenet and virtuemart and have not run into this particular issue.  Yes, there needs to be a secure certificate in place and you will need a  unique ip address, because that is required to get a typical secure certificate. 

At least in my experience no one from authorizenet has brought up anything about "how_image_in_imagetag produces "blind sql injection" vulberabilities. " 

...Rowby

[PRO]

About show_img_in_imagetag


They Take the URL of the thumb, and then add +5+abs(or something like it) to many of them.

What they want is it to return the same error no matter what.

[PRO]

It took 1 month going back and forth with security metrics, but I'm Finally PCI compliant.

[scanreg]

It took 1 month going back and forth with security metrics, but I'm Finally PCI compliant.

What did they require? What things had to be fixed?

Thanks

[scanreg]

Did they shut you down during that period or did they allow you to operate while fixing things ?

Thanks

[scanreg]

About show_img_in_imagetag


They Take the URL of the thumb, and then add +5+abs(or something like it) to many of them.

What they want is it to return the same error no matter what.

How was this addressed ?

Is this fixable ?

Gotta pass PCI

Thanks

[PRO]

I pass pci compliance without anything


The initial scan will come up with some errors, and you fix server side stuff. The rescan. etc.

Its mainly server side


php version, register globals etc.

[jsnmtth]

If your still emailing Storing or Emailing the "Security Code" (CVV) your not PCI-DSS compliant, no matter what your scan says.

[DRACULINOS]

Somebody to suggest companies for PCI DDS certificates ?

A cheap or a free one it will be better 

Thanks

[PRO]

in the USA merchant companies are partnering with compliance companies.

I use security metrics