Any advice for first-time certification?

This forum is dedicated to answering AbleCommerce 7.0 questions about PCI certification and compliance.
bsweeney
Ensign (ENS)
Posts: 19
Joined: Tue Mar 09, 2010 11:50 am

Any advice for first-time certification?

Post by bsweeney » Tue Mar 09, 2010 12:09 pm

I'm fairly new to AbleCommerce. We've been testing for the last year, waiting for the release of 7.0.4 and support for Paymentech (thank you for that). We're about to go through the certification process with Paymentech and I wanted to know if anyone had any advice/guidance on the process. I have read through the PCI implementation guide and other documents. I believe we're all set as far as our AC configuration goes.

One thing my sysadmin hasn't really been able to find is hardening guidelines for Windows Server 2003. I know it's more secure by default than earlier versions, but I'm sure there are extra configuration settings that can make the OS even more secure. Does anyone know where we can find information related to this topic?

And if anyone has any other information they think might be useful I'd be glad to hear it.

Shopping Cart Admin
AbleCommerce Admin
Posts: 3055
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA

Re: Any advice for first-time certification?

Post by Shopping Cart Admin » Thu Mar 11, 2010 3:17 pm

Hello,

The PCI scans will reveal if there are any issues in the Windows configuration... e.g. anon FTP, open ports, etc. Beyond that, make sure the password policies are within the PCI guidelines and all patches are applied. I cannot offhand remember the name of the tool, but Microsoft has a tool for 'securing' IIS; it must be used carefully as it will by default make your server so secure... nothing will run.

Here's the generic 'top level' FAQ at MS:

http://technet.microsoft.com/en-us/libr ... S.10).aspx
Thanks for your support

Shopping Cart Guru
AbleCommerce.com
Follow us on Facebook

bsweeney
Ensign (ENS)
Posts: 19
Joined: Tue Mar 09, 2010 11:50 am

Re: Any advice for first-time certification?

Post by bsweeney » Tue Mar 23, 2010 10:46 am

I'm going through the certification process and the first bit of feedback I've gotten is this:
The AVSphoneNum should not contain hyphens ' ‑ ' or parentheses '(' and ')'.
Can AC be set up to strip characters from the phone number that aren't accepted by the gateway? Ideally this would happen when AC is preparing the data packet for the gateway. If it needs to happen during user input that would be fine, though it would be nice then to have the front-end code format the phone number with a standard format.

Is this something I'm going to have to hack together myself or is an update from AC a possibility (and should I post a support ticket)?
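
One way to do the stripping at the point where the gateway packet is assembled, as an added example that is not AbleCommerce's or Paymentech's own code: it removes the hyphens (including the non-breaking hyphen U+2011 quoted above), parentheses, spaces and dots, drops a trailing extension, and rejects anything that is not a plain 10-digit NANP number rather than silently sending it. The `build_avs_fields` helper and the `AVSzip` key are placeholders; only `AVSphoneNum` comes from the thread.

```python
import re

# Formatting characters customers commonly type; everything left over after
# removing them must be a digit, otherwise the number is rejected.
_FORMATTING = re.compile(r"[\s().\-]")
# Trailing extension such as "x42" or "ext. 42"; not part of the billing number.
_EXT = re.compile(r"(?:x|ext\.?)\s*(\d+)\s*$", re.IGNORECASE)


def normalize_avs_phone(raw: str) -> str:
    """Return a digits-only phone number for an AVS phone field.

    Rules here are assumptions for illustration, not gateway documentation:
    strip formatting, drop an extension, accept and remove a leading
    "+1"/"1" country code, and require exactly 10 digits afterwards.
    Raises ValueError so the caller can show a validation error instead of
    sending a packet the gateway will reject.
    """
    if raw is None:
        raise ValueError("phone number is required")
    s = raw.strip()
    s = _EXT.sub("", s)
    s = s.replace("\u2011", "-")  # non-breaking hyphen from copy/paste
    if s.startswith("+"):
        s = s[1:]
    s = _FORMATTING.sub("", s)
    if not s.isdigit():
        raise ValueError(f"phone number contains non-numeric characters: {raw!r}")
    if len(s) == 11 and s[0] == "1":
        s = s[1:]  # leading NANP country code
    if len(s) != 10:
        raise ValueError(f"expected 10 digits, got {len(s)}: {raw!r}")
    return s


def build_avs_fields(billing: dict) -> dict:
    """Assemble the AVS part of a gateway request from a billing-address dict.

    Hypothetical helper: the field layout is a placeholder, but normalizing
    here means every code path that reaches the gateway gets the clean value.
    """
    return {
        "AVSzip": billing["zip"],
        "AVSphoneNum": normalize_avs_phone(billing["phone"]),
    }
```

Doing the normalization at packet-building time (rather than only in the checkout form) also covers orders entered through the admin side or imported from elsewhere.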

bsweeney
Ensign (ENS)
Posts: 19
Joined: Tue Mar 09, 2010 11:50 am

AVS compatibility problems

Post by bsweeney » Thu Mar 25, 2010 12:26 pm

One other issue I've run into is regarding address verification. Most of the time I am not seeing anything in the payment summary AVS response except for "Unavailable." The times where something is shown it doesn't match the result indicated in the virtual terminal.

Right now I'm planning to move ahead with implementation under the assumption that Paymentech will reject any transactions where there is a problem with AVS and that we can look up rejects in the virtual terminal.

This is more of an FYI for anyone else setting up AC with Paymentech. I'll post a bug to see about getting this addressed.

Kalamazoo
Lieutenant, Jr. Grade (LT JG)
Posts: 42
Joined: Wed Apr 01, 2009 6:10 pm

Re: Any advice for first-time certification?

Post by Kalamazoo » Fri Jul 16, 2010 11:19 pm

I thought you should know that we ran the http://www.mcafeesecure.com/us/ PCI Compliance Scan last weekend and the application and server came up 99.99% for a client. All we had to fix was SSLv2.0. On the second scan we were 100%.

Have a great day!

Phil Chrisman

bsweeney
Ensign (ENS)
Posts: 19
Joined: Tue Mar 09, 2010 11:50 am

Re: Any advice for first-time certification?

Post by bsweeney » Mon Jul 19, 2010 8:33 am

Thanks for the link. I'll keep that information in my back pocket for future reference. Turns out things were pretty easy for us since we're using PCI-certified software (AC) and not storing CC information ourselves. The specter of the certification process turned out to be worse than the actuality.
