
PCI Compliance | Forum

tammy harris Mar 8 '14
Every website, including an Oxwall site, that accepts any form of payment, be it through PayPal or credit card, has to be PCI compliant,

which means it has to have SSL fully set up and running with https, not http.

There's a few things in some plugins and in the Oxwall script that break the site lock so https does not work,

and they need to be fixed.
some interesting bits from this page

http://www.mijireh.com/...bout-pci-compliance/


Do I Need To Worry About PCI Compliance?

Anyone who has a business that receives payments from customers who use their credit cards to pay needs to be PCI compliant – even if you only receive one credit card payment per year. The volume of transactions does not make a difference. Even if your website uses a 3rd party service like PayPal, Google Checkout, or Mijireh you still need to be PCI compliant because your business (not necessarily your website) receives payments via credit card.

What if I am not PCI compliant?

If you do not meet the PCI standards for compliance and the security of your site gets compromised, you will be facing penalties and fines ranging from $5,000 to $500,000. The fines, however, are just the beginning of the overall damage caused by noncompliance.

If your website or company is not PCI compliant, you run the risk of losing your merchant account, which means you won’t be able to accept credit card payments at all. You will also be placed in the Visa/MasterCard Terminated Merchant File (TMF), making you ineligible to obtain another merchant account, at least for several years. The TMF is essentially a BLACKLIST from which it is almost impossible to be removed.

Explanation of Section 1.3: The cardholder data environment includes all components of your website including the database. For most websites, including WordPress websites, this involves your web server and your database server. This requirement means that your database server must be on its own, physical server – not on the same box as your web server – and that you must connect to it over a Virtual Private Network. Using PHPMyAdmin, for example, is not a PCI Compliant way to manage a database.
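The "broken lock" the post describes is mixed content: a page served over https that pulls a stylesheet, script, image or form target over plain http, which makes the browser drop or warn on the padlock. The scanner below is an added example, not Oxwall or plugin code; it walks a page's HTML with the standard library parser and reports every fetchable or submittable URL that resolves to an http:// scheme. The page URL, the host names and the HTML snippet are constructed for the demonstration (the `ow_static` paths only mimic an Oxwall-style layout).

```python
"""Find mixed content (http:// resources referenced from an https page).

Added example, not part of Oxwall. Run it against a saved copy of any page
that should show the padlock; every finding is a resource that will either
be blocked by the browser or break the lock icon.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose value the browser fetches, embeds or submits to.
URL_ATTRS = {
    "link": ("href",),
    "script": ("src",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "form": ("action",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "embed": ("src",),
    "object": ("data",),
}


class MixedContentScanner(HTMLParser):
    """Collect (tag, attribute, resolved_url) for every http:// reference."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # srcset holds "url width, url width, ..."; keep only the URLs.
            if name == "srcset":
                candidates = [p.strip().split()[0] for p in value.split(",") if p.strip()]
            else:
                candidates = [value.strip()]
            for cand in candidates:
                # Relative and protocol-relative ("//cdn/...") URLs inherit the
                # page's https scheme, so only absolute http:// ones are flagged.
                resolved = urljoin(self.page_url, cand)
                if urlsplit(resolved).scheme == "http":
                    self.findings.append((tag, name, resolved))


def find_mixed_content(page_url, html):
    """Return the list of http:// references found in html served at page_url."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("page_url must be https; mixed content only applies to https pages")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: two plugin assets and a form still point at http://.
SAMPLE_PAGE_URL = "https://community.example.test/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example.test/ow_static/style.css">
<script src="//cdn.example.test/jquery.js"></script>
<script src="/ow_static/plugins/chat/chat.js"></script>
</head><body>
<img src="http://avatars.example.test/u/42.jpg">
<img src="https://avatars.example.test/u/43.jpg">
<form action="http://payments.example.test/pay" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> -> {url}")
```

On the constructed page the stylesheet, one avatar and the payment form are reported; the protocol-relative and site-relative scripts are not, because they inherit https from the page. Fixing a finding usually means changing the plugin's URL to https:// or to a site-relative path, or correcting the site URL setting in the Oxwall configuration so generated links use https.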

tammy harris Mar 8 '14
and


Section 2.3: Is all non-console administrative access encrypted as follows:
Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.


Explanation of Section 2.3: If your web site allows you to FTP in (even if you don’t personally choose some other means other than FTP) to make updates to your website, then your server is not PCI compliant. FTP is a form of non-encrypted access to your server. A PCI compliant server must disable FTP entirely.


Explanation of Section 6.1: If you host your website on a shared server, you will have no control over which security patches get installed and when those patches are installed. Unless you have the ability to install your own security patches or have a written agreement with your web hosting provider that this requirement will be met, your server is not PCI compliant.


Explanation of Section 8.3: An example of two factor authentication is logging in with a username and password then, before gaining access to the system, you also get a phone call to verify your identity. If you can log into your system with just a username and password, your server is not PCI compliant.


Explanation of Section 11.2: You need to subscribe to a security and vulnerability scanning service and have those scans run at least once every 3 months.
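Two of the points quoted above (no cleartext administrative access such as FTP under Section 2.3, and the database not being exposed alongside the web server under Section 1.3) can be checked from the server's own listening-socket table. The script below is an added example, not Oxwall code or anything from the quoted page: it parses the output of `ss -ltn` (the Linux socket statistics tool) and flags cleartext administration ports and database ports bound to non-loopback addresses. The `ss` output embedded here is constructed to show one of each finding; run the real command and feed its output to `audit_listeners` on your own host.

```python
"""Audit listening TCP sockets against the PCI points quoted in the thread.

Added example, not part of Oxwall. Usage on a Linux host:
    ss -ltn | python3 listener_audit.py
"""
import ipaddress
import sys

# Protocols that carry credentials and commands unencrypted (Section 2.3).
CLEARTEXT_ADMIN_PORTS = {21: "FTP", 23: "Telnet"}
# Database listeners; the thread's Section 1.3 note wants these off the
# public interface of the web server entirely.
DATABASE_PORTS = {3306: "MySQL/MariaDB", 5432: "PostgreSQL", 27017: "MongoDB"}


def _is_loopback(addr):
    """True if the bind address only accepts local connections."""
    addr = addr.strip("[]")
    if addr in ("*", "0.0.0.0", "::"):
        return False  # wildcard bind: reachable from every interface
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def parse_ss_output(text):
    """Yield (local_address, port) for every LISTEN line of `ss -ltn` output."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header line or non-listening state
        addr, _, port = parts[3].rpartition(":")  # "[::]:23" -> "[::]", "23"
        listeners.append((addr, int(port)))
    return listeners


def audit_listeners(text):
    """Return (port, address, message) for each listener that breaks a quoted rule."""
    findings = []
    for addr, port in parse_ss_output(text):
        if port in CLEARTEXT_ADMIN_PORTS:
            findings.append((port, addr,
                             f"{CLEARTEXT_ADMIN_PORTS[port]} is cleartext administrative "
                             f"access (Section 2.3); disable it and use SSH/SFTP instead"))
        elif port in DATABASE_PORTS and not _is_loopback(addr):
            findings.append((port, addr,
                             f"{DATABASE_PORTS[port]} listens on a non-loopback address; "
                             f"restrict it to the web server over a private link (Section 1.3)"))
    return findings


# Constructed `ss -ltn` output for the demonstration (not from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      32     0.0.0.0:21          0.0.0.0:*
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*
LISTEN 0      128    [::]:23             [::]:*
"""

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for port, addr, msg in audit_listeners(data):
        print(f"{addr}:{port}  {msg}")
```

The constructed table produces three findings: FTP on 21, Telnet on 23 and MySQL bound to 0.0.0.0. SSH on 22 is encrypted and passes, and Redis on 127.0.0.1 is loopback-only and passes. Port 80 is not reported because serving http is fine as long as it only redirects to https, which is a separate check.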

tammy harris Mar 8 '14
I don't know, but I am going to set up as much as I can just to cover my ass.
Shaun Mar 8 '14
I do not know for definite, but as I understood it, as long as your site was not the actual payment gateway you were PCI compliant.

For example, if you use PayPal they act as the payment gateway and as such have the responsibility to be secure. I could however be very wrong and will watch this thread with interest.
tammy harris Mar 8 '14
Stuff from PayPal:
https://www.paypal.com/uk/webapps/mpp/pci

It says if you use Express Checkout you don't need to be compliant,

but go to Express Checkout and there's not much in the way of telling if that's the normal way that PayPal is used, like here at Oxwall, or is something else.
tammy harris Mar 9 '14
Cool Jake, but is Express Checkout the normal PayPal that just about every site uses?

PayPal has some where your site needs to be PCI compliant and some that do not need it.
ross (Team) Mar 10 '14
Jake +1. Most of the payments done on Oxwall just use the API for connecting to those payment services and you're redirected to their side, which uses https. If you do that on your side, for example credit card processing, then you need to configure https.
tammy harris Mar 10 '14
ross, read this.
Stuff from PayPal:
https://www.paypal.com/uk/webapps/mpp/pci

Now it says if you use Express Checkout you don't need to comply, but for the other payment types at PayPal you need to comply.

My question is: what is the normal PayPal that just about everyone uses, including Oxwall? Is it Express Checkout?????

If you go to the Express Checkout page from that link there's no way of telling what's what.
Daniel Paul Jun 3 '23
It is recommended to work with a reputable http://eltizamsolutions.qa/ provider that specializes in PCI compliance. 
Olivia Anderson Sep 14 '23
You're absolutely right! PCI compliance is crucial for any business that processes credit card payments, regardless of transaction volume. Noncompliance can lead to substantial penalties and security risks. You can find more detailed guidance on how to become PCI compliant on the official PCI Security Standards Council's website.