May 24th, 2010 by Scott
There is a set of requirements called the Payment Card Industry Data Security Standard (or “PCI DSS”), developed by the PCI SSC (the Payment Card Industry Security Standards Council).
These requirements provide a standardized, consistent set of security measures for merchants that handle credit card transactions to follow.
The standard includes 12 requirements for maintaining a secure operation:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
For WordPress, your e-commerce options are limited, and for a PCI compliant shopping cart they are limited even further.
There is no way in a million years you should consider developing a new site using ANY shopping cart that is not willing to be compliant, or, in my (non-legal) opinion, you’re setting yourself up for a lawsuit.
This list of WP shopping carts and their PCI compliance info will grow over time…
- Shopp – They are compliant, and they are willing to say so, which is why they are our current platform of choice.
- PHP Purchase – We’ve never used them but they say they’re compliant right on their home page.
- Cart 32 – We’ve never used them, but they do claim compliance.
- Vevo Cart – They DO claim to be compliant.
These carts are either non-compliant, or compliance is simply not addressed on their sites:
- WP Ecommerce – Although we HAVE tested their compliance once before and found no issues, they now seem to fail the test. They refuse to offer any statement about compliance (check here), although there are lots of interesting discussions here.
- WP Auctions – No mention of PCI Compliance – check.
- WP eStore – No mention of PCI, but they use something called instant digital product delivery – check.
- Shopper Press – Has more than 20 payment gateways, but is not PCI compliant? Check.
- Market Theme – No mention of PCI Compliance – check.
- Word Press Shopping Cart Plug-in – No mention of PCI compliance – check.
In the comments below, please leave any links to compliance info for anyone you come across, and I’ll update this list. Likewise, if you have information about anyone that’s NOT compliant, that would be helpful too.
WP Ecommerce
August 14th, 2010 at 3:16 pm
[...] 5 minutes of research and I found this… WordPress Cart PCI Compliance | Get WordPressed WP Ecommerce is not PCI compliant <— means you assume liability if a bug or hack gives away [...]
September 24th, 2010 at 8:44 am
Am I missing something here Scott? Out of the 12 requirements the only one I see that might actually apply to the cart would be “Requirement 4: Encrypt transmission of cardholder data across open, public networks.” All of the others either have to do with the hosting environment, or business practices. Even requirement 4 is only sort of about the cart since it’s possible to set up any page as https and other than that it’s about ssl.
Love to get your thoughts on this.
September 24th, 2010 at 8:56 am
Nope, in my judgement, you are correct – 9 out of 10 times it’s probably going to be the webhost that causes a compliance test failure.
However, it’s my opinion that the shopping cart software company needs to have clearly stated compliance information – is it compliant or not, and if not, why not? Otherwise, you might be barking at the moon trying to pass an unpassable test!
January 23rd, 2011 at 10:46 am
Any updates about which WP shopping carts are now PCI compliant? I’d like to set up an ecommerce site on WP soon and only want to consider carts that have PCI compliance in place.
(GREAT blog, Scott! Very glad to find it!)
February 11th, 2011 at 5:41 pm
An increasing number of merchants and business owners view PCI compliance fees as little more than a new revenue stream for merchant processors. PCI Free provides PCI compliant processing solutions without the PCI compliance fee.
March 29th, 2011 at 8:14 pm
After some further checking VEVO says they don’t have a WP plugin nor have an easy way of integrating right within WordPress.
May 11th, 2011 at 9:57 am
OK, even though this might be a fake blogspam comment, it’s relevant, and I feel this way myself!
I’ll check out your site…
May 11th, 2011 at 10:02 am
I’m embarrassed at the number of comments that I’d left pending/unanswered, this being one of them, I’m sorry. This list might be worth revisiting some of them to see if they’ve become compliant, but I was sort of hoping people would post here with their findings, or users of some of these products would comment.
June 8th, 2011 at 3:43 pm
What is a small shop to do? How do we really know if our shop is compliant? If we’re using a payment gateway like Paypal, have SSL, and a reliable host service like Hostgator, what else can we do to protect ourselves and the customers?
Also, I can’t post a comment on your site using Safari; it keeps telling me my math is wrong. I’m now posting on Firefox.
I’ve been considering Cart66 for my shop because of its integration ability with iDevAffiliate; in my research of carts, I found that PHPurchase is now Cart66 (just passing along as FYI): http://www.phpurchase.com/phpurchase-is-now-cart66
June 9th, 2011 at 9:55 am
@ally if you’re using PayPal Standard and you’re not taking any credit card information on your site, you’re compliant. If you’re using PayPal Pro or you’re taking any credit card information through your site, you need to find a compliant host. Hostgator servers are not PCI DSS compliant. You can get a VPS or dedicated server from them and configure it to be PCI DSS compliant; this takes a few days to work through. You’ll then need to have the server audited by a verified vendor. The other option is to find a PCI DSS compliant host. Canvas Dreams is one such host. We’ve also configured and had our server audited at Dew Point Productions, but we only host our own clients.
June 9th, 2011 at 10:39 am
Thanks David -
For most of our own sites we’ve just stopped processing the cards ourselves and instead use the processor’s provided platform. That way it’s not “on us” to be compliant as the website or as the web host, because PDXTC is not PCI compliant anyway! It’s good to hear that Canvas Dreams is, and we’ve recommended them for a while now too…
June 9th, 2011 at 12:58 pm
Thanks Scott, David! To clarify, if I use Paypal Standard, it will not matter which host or cart I use in order to be PCI compliant?
I’m a little stuck and not really sure how to figure things out. I have a social network for animal rescue; my online reach is great, I get about 5 million post views/month with 44.3 million since I began in April 9 (according to Facebook Insights). So, I really want to get this right before I begin promotions. I am developing a small product line for pet owners and I really want to structure the site so that animal rescue groups can sign on as an affiliate to give them an easy way to raise funds for the pets they save from kill shelters.
Here is a list of what I need:
• cart easy enough for a non-tech person to set up (I’ve built a couple of WordPress sites)
• cart compatible with iDevAffiliates
• cart that allows for easy shipping label printing (no cut/paste involved); I keep seeing complaints online about Paypal’s print option being too buggy to feel it’s safe for ease of shipping. I’ve seen other sites like Stamp.com and the USPS has a shipping assist also.
• cart with simple inventory low-count alerts (can give this one up if I have to cut something from this list)
• compatible with iThemes Builder (because I’ve used it and know how to add video, etc.) video is important for my product pages
I considered Gravity forms because it works with Paypal, but not sure it will work with iDevAffiliate. I will not have more than 5 products at launch. I’ve posted the shipping label question on WordPress Forums, but no reply yet. Just curious if either of you can point me to anything that will allow me to solve these issues and move on to site development. I’m trying to keep my overhead very low, so I can give a larger percentage to the animal rescue groups.
Any advice?
Thanks,
~alva
June 9th, 2011 at 1:54 pm
Yes, with Paypal standard, you send the user to the Paypal website, getting rid of your responsibility…
For all the features you mention, I THINK Shopp http://shopplugin.net/ will cover it, but I’m not positive about the ease of iDev integration
Our WP shopping cart of choice for the longest time WAS to use WP-Ecommerce, but have since tried to get rid of it everywhere.
Why are we dumping WP Ecommerce? These are all their unanswered issues (and probably STILL unanswered) for our processor – Authorize.net – hardly an obscure service…
http://getshopped.org/forums/tags.php?tag=authorizenet
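The point David and Scott make above, that a site using PayPal Standard never receives card numbers and so keeps the cart and the host out of scope, only holds if nothing on the site actually captures a PAN. The check a practitioner would want before relying on it is to scan the site’s own web-server logs, PHP error logs and database dumps for card-number candidates. The script below is an added example written for this page, not code from the post or from any of the carts it lists. It finds runs of 13 to 19 digits, keeps only those that pass the Luhn mod-10 check, and reports them masked. The log lines are constructed, using the well-known 4111… and 4242… test card numbers rather than real ones.

```python
import re

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled,
    products above 9 have 9 subtracted, and the total must end in 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the most PCI DSS allows
    for display) so the report is not itself another copy of the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(lines):
    """Return (line_number, masked_pan) for every Luhn-valid candidate.

    A Luhn pass is necessary but not sufficient: other identifiers can
    pass too, so hits are leads for manual review, not proof of a leak."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_ok(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


# Constructed sample access-log lines (not from any real site).
# Line 1 carries a 16-digit order id that fails Luhn and must not be
# reported; line 2 is a failed checkout POST whose referrer leaked a card
# number; line 4 passes a card number in a GET query string, where the
# web server logs it.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/May/2010:10:01:02 -0700] "POST /checkout HTTP/1.1" 200 512 "order_id=1234567890123456"',
    '203.0.113.5 - - [24/May/2010:10:01:09 -0700] "POST /checkout HTTP/1.1" 500 0 "card=4111-1111-1111-1111&exp=1213"',
    '198.51.100.7 - - [24/May/2010:10:02:30 -0700] "GET /cart HTTP/1.1" 200 2048 "-"',
    '198.51.100.7 - - [24/May/2010:10:03:11 -0700] "GET /thankyou?cc=4242424242424242 HTTP/1.1" 200 512 "-"',
]

if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: possible PAN {masked}")
```

Run it over the real access log, the PHP error log and a `mysqldump` of the WordPress database. Any hit means card data reached the site after all, and the “PayPal Standard keeps us out of scope” assumption no longer holds for that site, whatever the cart vendor says about its own compliance.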
June 9th, 2011 at 2:27 pm
Thanks Scott, I’m new to ecommerce, which I guess is pretty obvious. Can you tell me why folks use Authorize.net? Do they use it as a stand alone, or as an option with Paypal?
I’ve been researching Shopp and Cart66 primarily; I saw one site where many people posted they could not get Shopp to work, and others that said the CS was very poor, even if the CS upgrade was purchased. If I go with Shopp and ran into problems, do you work on projects like that, or only sites you build in their entirety?
June 9th, 2011 at 3:09 pm
No, we don’t, but most carts offer installation services and have their own network of programmers they recommend.
By the way, on this site and two others, we use this – http://wordpress.org/extend/plugins/eshop/ – pretty happy so far…
November 17th, 2011 at 8:16 am
It really is amazing how many people put up e-commerce sites and don’t think about security. One part of any online business’s customer service is making sure transactions are secure.