Code Customization PCI-Compliance

This forum is dedicated to answering AbleCommerce 7.0 questions about PCI certification and compliance.
Post Reply
sweeperq
Commodore (COMO)
Commodore (COMO)
Posts: 495
Joined: Tue Jan 03, 2006 2:45 pm

Code Customization PCI-Compliance

Post by sweeperq » Tue Aug 16, 2011 8:55 am

We started making the move to AC7 for PCI-Compliance and have found that there is tons more to it than having a certified cart. We are a small shop and I am the only developer on staff. We have integrated our central inventory system into AC5 and AC7 and made customizations to how data is shown in the UI. We are golden on most of the 200+ PCI-DSS SAQ-D requirements. However, after reading the section on customized code we brought in a PCI implementation consultant to help us understand the requirements.

Requirement 6.3.3: Separation of duties between development/test and production environments. There is a separation of duties between personnel assigned to the development/test environments and those assigned to the production environment.

Requirement 6.3.7: Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability. Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle required by PCI DSS Requirement 6.3. Code reviews can be conducted by knowledgeable internal personnel or third parties. Web applications are also subject to additional controls, if they are public facing, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS requirement 6.6.

Requirement 6.3.7.a: Obtain and review policies to confirm all custom application code changes for internal applications must be reviewed (either using manual or automated processes), as follows:
  • Code changes are reviewed by individuals other than the originating code author, and by individuals who are knowledgeable in code review techniques and secure coding practices.
  • Appropriate corrections are implemented prior to release.
  • Code review results are reviewed and approved by management prior to release.
Based on these rules, we have no way of being compliant without hiring another developer or outsourcing code review. How are others handling this?

User avatar
jmestep
AbleCommerce Angel
Posts: 8163
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH
Contact:

Re: Code Customization PCI-Compliance

Post by jmestep » Tue Aug 16, 2011 1:20 pm

Do you have a link to this information? It's been quite a while since I looked at it.
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx

sweeperq
Commodore (COMO)
Commodore (COMO)
Posts: 495
Joined: Tue Jan 03, 2006 2:45 pm

Re: Code Customization PCI-Compliance

Post by sweeperq » Tue Aug 16, 2011 4:17 pm

Since we are using a gateway and customized code, we fall under SAQ-D (link is to http://www.pcisecuritystandards.org)

User avatar
dgoranov
Lieutenant (LT)
Lieutenant (LT)
Posts: 55
Joined: Sun Jan 16, 2011 3:58 pm
Location: Boston, MA
Contact:

Re: Code Customization PCI-Compliance

Post by dgoranov » Wed Aug 17, 2011 10:07 am

PCI SAQ-D is usually required for Level 1 and Level 2 merchants with more than 1M Transactions per year. If you have no recurrent billing
there is no need to store credit card information in the AbleCommerce database (this can be enabled/disabled from the AbleCommerce admin interface).

If you are Level 3-4 merchant only PCI-SAQ C is required. The PCI requirements are usually enforced by merchant providers. Most merchant providers have
risk departments which monitors merchant's activity and enforces PCI-DSS and other security requirements.

More information about PCI-DSS levels is available at:

http://resources.drundo.com/post/PCI-DS ... ments.aspx

Hope the information above will help get your site PCI-DSS certification issue solved.
Dimi Goranov
Drundo Software Inc.
AbleCommerce Hosting and Management
Email: dgoranov@drundo.com
Ph: 888.464.2140

sweeperq
Commodore (COMO)
Commodore (COMO)
Posts: 495
Joined: Tue Jan 03, 2006 2:45 pm

Re: Code Customization PCI-Compliance

Post by sweeperq » Wed Aug 17, 2011 3:27 pm

We offer custom pottery and do not charge until the product is shipped. Spoke with my boss about it and apparently the bank offers us a way to look up the credit card numbers. Will look at setting storage to 0 next week. Will be of great help!

sweeperq
Commodore (COMO)
Commodore (COMO)
Posts: 495
Joined: Tue Jan 03, 2006 2:45 pm

Re: Code Customization PCI-Compliance

Post by sweeperq » Tue Aug 23, 2011 3:47 pm

So, after talking with 3 different people from Trustwave, they all said we are SAQ-D if we are using a payment gateway because a) the credit card data passes through our web server to their gateway, and b) we take phone and mail orders and enter them through our office PCs into the website. They stated that SAQ-C is for companies working with a 3rd party payment provider like Paypal where after you hit "Checkout" you are moved to the third party's website and the credit card data never touches your server.

How are small/medium sized businesses supposed to compete in this environment? You have to have a minimum of 2 programmers if you are doing any custom programming in order to validate and sign-off on code, have to have dual token authentication, need network administrators to fine tune and monitor all the different logs and network activity they want you to monitor, have to buy software or sign up for expensive services to aggregate and monitor log and file changes, ughhh...

Time to start looking at Authorize.net's Server Integration Method (SIM) and Direct Post Method (DPM): http://developer.authorize.net/api/howitworks/dpm

User avatar
dgoranov
Lieutenant (LT)
Lieutenant (LT)
Posts: 55
Joined: Sun Jan 16, 2011 3:58 pm
Location: Boston, MA
Contact:

Re: Code Customization PCI-Compliance

Post by dgoranov » Wed Aug 24, 2011 1:56 pm

It seems that each PCI scanning vendor has its own opinion on PCI SAQ levels and compliance requirements. Check with another PCI certification vendor like Comodo.

A list of all PCI Approved Scanning Vendors is available at:

https://www.pcisecuritystandards.org/ap ... endors.php
Dimi Goranov
Drundo Software Inc.
AbleCommerce Hosting and Management
Email: dgoranov@drundo.com
Ph: 888.464.2140

sweeperq
Commodore (COMO)
Commodore (COMO)
Posts: 495
Joined: Tue Jan 03, 2006 2:45 pm

Re: Code Customization PCI-Compliance

Post by sweeperq » Wed Aug 24, 2011 3:56 pm

Problem is that the bank chose TrustWave :(

Post Reply