Code Customization PCI-Compliance

Posted: Tue Aug 16, 2011 8:55 am
by sweeperq
We started making the move to AC7 for PCI-Compliance and have found that there is tons more to it than having a certified cart. We are a small shop and I am the only developer on staff. We have integrated our central inventory system into AC5 and AC7 and made customizations to how data is shown in the UI. We are golden on most of the 200+ PCI-DSS SAQ-D requirements. However, after reading the section on customized code we brought in a PCI implementation consultant to help us understand the requirements.

Requirement 6.3.3: Separation of duties between development/test and production environments. There is a separation of duties between personnel assigned to the development/test environments and those assigned to the production environment.

Requirement 6.3.7: Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability. Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle required by PCI DSS Requirement 6.3. Code reviews can be conducted by knowledgeable internal personnel or third parties. Web applications are also subject to additional controls, if they are public facing, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS requirement 6.6.

Requirement 6.3.7.a: Obtain and review policies to confirm all custom application code changes for internal applications must be reviewed (either using manual or automated processes), as follows:
  • Code changes are reviewed by individuals other than the originating code author, and by individuals who are knowledgeable in code review techniques and secure coding practices.
  • Appropriate corrections are implemented prior to release.
  • Code review results are reviewed and approved by management prior to release.
Based on these rules, we have no way of being compliant without hiring another developer or outsourcing code review. How are others handling this?

Re: Code Customization PCI-Compliance

Posted: Tue Aug 16, 2011 1:20 pm
by jmestep
Do you have a link to this information? It's been quite a while since I looked at it.

Re: Code Customization PCI-Compliance

Posted: Tue Aug 16, 2011 4:17 pm
by sweeperq
Since we are using a gateway and customized code, we fall under SAQ-D (link is to http://www.pcisecuritystandards.org)

Re: Code Customization PCI-Compliance

Posted: Wed Aug 17, 2011 10:07 am
by dgoranov
PCI SAQ-D is usually required for Level 1 and Level 2 merchants with more than 1M transactions per year. If you have no recurrent billing, there is no need to store credit card information in the AbleCommerce database (this can be enabled/disabled from the AbleCommerce admin interface).

If you are a Level 3-4 merchant, only PCI-SAQ C is required. The PCI requirements are usually enforced by merchant providers. Most merchant providers have risk departments which monitor merchants' activity and enforce PCI-DSS and other security requirements.

More information about PCI-DSS levels is available at:

http://resources.drundo.com/post/PCI-DS ... ments.aspx

Hope the information above will help get your site's PCI-DSS certification issue solved.

Re: Code Customization PCI-Compliance

Posted: Wed Aug 17, 2011 3:27 pm
by sweeperq
We offer custom pottery and do not charge until the product is shipped. Spoke with my boss about it and apparently the bank offers us a way to look up the credit card numbers. Will look at setting storage to 0 next week. Will be of great help!

Re: Code Customization PCI-Compliance

Posted: Tue Aug 23, 2011 3:47 pm
by sweeperq
So, after talking with 3 different people from Trustwave, they all said we are SAQ-D if we are using a payment gateway because a) the credit card data passes through our web server to their gateway, and b) we take phone and mail orders and enter them through our office PCs into the website. They stated that SAQ-C is for companies working with a 3rd party payment provider like Paypal where after you hit "Checkout" you are moved to the third party's website and the credit card data never touches your server.

How are small/medium sized businesses supposed to compete in this environment? You have to have a minimum of 2 programmers if you are doing any custom programming in order to validate and sign-off on code, have to have dual token authentication, need network administrators to fine tune and monitor all the different logs and network activity they want you to monitor, have to buy software or sign up for expensive services to aggregate and monitor log and file changes, ughhh...

Time to start looking at Authorize.net's Server Integration Method (SIM) and Direct Post Method (DPM): http://developer.authorize.net/api/howitworks/dpm

Re: Code Customization PCI-Compliance

Posted: Wed Aug 24, 2011 1:56 pm
by dgoranov
It seems that each PCI scanning vendor has its own opinion on PCI SAQ levels and compliance requirements. Check with another PCI certification vendor like Comodo.

A list of all PCI Approved Scanning Vendors is available at:

https://www.pcisecuritystandards.org/ap ... endors.php

Re: Code Customization PCI-Compliance

Posted: Wed Aug 24, 2011 3:56 pm
by sweeperq
Problem is that the bank chose TrustWave :(