+1-888-365-2779
Try Now
More in this section

Forums / Ecommerce / PCI compliant

PCI compliant

25 posts, 0 answered
  1. Richard
    Richard avatar
    164 posts
    Registered:
    21 Nov 2009
    05 Dec 2011
    Link to this post
    How does the eCommerce module sit with PCI compliance?
  2. Stanislav Velikov
    Stanislav Velikov avatar
    1113 posts
    Registered:
    08 Dec 2016
    08 Dec 2011
    Link to this post
    Hello,

    The ecommerce module is currently preparing for PCI certification which is very time consuming so I can`t give an exact date to get certified. We are working hard towards getting Sitefinity ecommerce PCI compliant. It is currently not PCI compliant, but when it is we will announce it in the release notes.
     
    Greetings,
    Stanislav Velikov
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  3. Marika Birkby
    Marika Birkby avatar
    6 posts
    Registered:
    25 Sep 2009
    16 Apr 2012
    Link to this post
    Is there an update on this topic?
  4. Marika Birkby
    Marika Birkby avatar
    6 posts
    Registered:
    25 Sep 2009
    16 Apr 2012
    Link to this post
    Sorry for the double post....
  5. Jochem Bökkers
    Jochem Bökkers avatar
    787 posts
    Registered:
    13 Aug 2007
    17 Apr 2012
    Link to this post
    Hey John,

    It's still a work in progress...

    Jochem.
  6. Philip Saltskog
    Philip Saltskog avatar
    2 posts
    Registered:
    24 Mar 2004
    16 May 2012
    Link to this post
    Any news on PCI certification?
  7. Jochem Bökkers
    Jochem Bökkers avatar
    787 posts
    Registered:
    13 Aug 2007
    16 May 2012
    Link to this post
    Hey Philip,

    Officially no news...

    My tea leafs say it won't happen till after the new release (also given the fact that Ivan Osmak during the London conference promised a bug-free Ecommerce).

    Jochem.
  8. Marika Birkby
    Marika Birkby avatar
    6 posts
    Registered:
    25 Sep 2009
    17 May 2012
    Link to this post
    Is being PCI-compliant considered included in that bug-free e-commerce promise? That seems like a critical hurdle that needs to be overcome in order to be a relevant solution. Our clients, merchants, and their customers are at too much risk using a non-certified tool.

    As a partner we're disappointed this isn't complete and is even available for production use in its current state.


  9. Jochem Bökkers
    Jochem Bökkers avatar
    787 posts
    Registered:
    13 Aug 2007
    18 May 2012
    Link to this post
    Hey John,

    Honestly I don't know if PCI-Compliance is 'included' in the bug-free promise. I'm keeping a close watch on the ecommerce development and tried to jump on any issue since it was introduced in v4.2.1650 but still, I'm an outsider so I can't speak for Telerik.

    PCI compliance is about security and in the case of Sitefinity (being a payment application in terms of PCI) it falls under even stronger guidelines. I'm not aware of any security related issues, but I think Ivan's statement was in light of 'annoying' & 'breaking' issues that were non payment related.

    ---

    I believe what's holding up PCI compliance is two main issues: 'partially related maturity' and 'offsite payment providers'.

    'Partially related maturity'
    For instance in the last release (5.0.2800) they fixed a bug regarding European use of ',' as a decimal separator instead of the '.' (comma vs period) with regards to discounts in multi-lingual environments. Or in the release before that, a weight field was carrying a ',' as decimal separator in the db although it functioned properly inside Sitefinity. 

    Ecommerce hasn't been around for a year yet and there are still little edge cases that need to be smooth over and protected. So even though strictly these don't fall under 'PCI' they're still important issues they want to get out of the way first.

    'Offsite payment providers'
    Sitefinity chose to support offsite payment providers as well, where you browse to the payment processor's website to complete the transaction and then return to Sitefinity with an 'ok'.

    This has been on the road map for some Q's and it wouldn't have made sense to first get PCI certification and then on the next release go through the process again... (unfortunately 'offsite' has been postponed some Q's but you can see the business decision behind it).

    ---

    To sum it up:
    All I'm saying is educated guessing, I have no official inside information, but since nobody's making an official detailed explanation I'm sharing what I know and believe.

    The lack of compliance is due to business decisions and time consuming audits and even though Ivan didn't mean to include 'pci-compliance' when he made the promise, I'm confident we'll see 'pci-compliance' with or shortly after the next release.

    Jochem
  10. Stanislav Velikov
    Stanislav Velikov avatar
    1113 posts
    Registered:
    08 Dec 2016
    18 May 2012
    Link to this post
    Hello

    Sitefinity is currently going through PA-DSS compliance. PA-DSS stands for “Payment Application Data Security Standard”.   It is the merchant who has to be PCI-DSS certified, however a merchant cannot be PCI-DSS Certified if they are not using a PA-DSS compliant software.

    The PA-DSS assessment is conducted by a third party service provider and usually takes between 6 to 12 months to complete.   Sitefinity will pass any third party screen service which are services that scan for security vulnerabilities of a web site.  These scanning services are usually required by banks or merchant service providers every quarter.

    Greetings,
    Stanislav Velikov
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  11. Lee
    Lee avatar
    1 posts
    Registered:
    22 Aug 2012
    22 Aug 2012
    Link to this post
    Hi, 

    Has there been any progress on the PA-DSS compliance?

    Thanks!
    Lee. 
  12. Stanislav Velikov
    Stanislav Velikov avatar
    1113 posts
    Registered:
    08 Dec 2016
    24 Aug 2012
    Link to this post
    Hello Lee,

    The ecommerce module is in the process of moving toward it, however as mentioned before the process is very long and the requirements in ters of security very strict and this process is not yet completed.

    Greetings,
    Stanislav Velikov
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  13. Marika Birkby
    Marika Birkby avatar
    6 posts
    Registered:
    25 Sep 2009
    24 Aug 2012
    Link to this post
    This is frustrating as this module has been available for over a year. This process should not take this long. 

    To everyone else tracking this conversation - what are you using for e-commerce solutions? We're always looking for solid and robust solutions for our clients.

    Cheers!
  14. Scott
    Scott avatar
    1 posts
    Registered:
    20 Sep 2013
    20 Sep 2013
    Link to this post
    G'day guys,

    Request an update on PCI compliance. I'm keen to buy in and move off X-Cart - but don't wish to do so until you have PCI-DSS compliance and support for E-Way.

  15. Stanislav Velikov
    Stanislav Velikov avatar
    1113 posts
    Registered:
    08 Dec 2016
    20 Sep 2013
    Link to this post
    Hi,

    The ecommerce module is not PCI compliant and we can`t give a time frame for making the module compliant.
    In sitefinity 6.2 which will be the next release a new feature will be added for the ecommerce module to use offsite payments so nothing will be stored in sitefinity in terms of payments.

    Regards,
    Stanislav Velikov
    Telerik
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  16. Foodsleuth
    Foodsleuth avatar
    46 posts
    Registered:
    21 May 2008
    24 Sep 2013 in reply to Stanislav Velikov
    Link to this post
    Wow, this HUGE!  How is it that at least one large U.S. furniture sales firm uses a non-compliant ecomm package?  They are not using Paypal Express or any other offsite credit card processing.  Are they just large enough to pay the fines if Visa decides enforce compliance?
  17. Stanislav Velikov
    Stanislav Velikov avatar
    1113 posts
    Registered:
    08 Dec 2016
    27 Sep 2013
    Link to this post
    Hello,

    Sitefinity is on the road to compliance and starting sitefintiy 6.2 release in October the new feature will be "PCI-DSS Compliance: Integration with PayPal Payments Standard & WorldPay" for more information please refer to the roadmap for 6.2.

    Regards,
    Stanislav Velikov
    Telerik
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  18. James B.
    James B. avatar
    24 posts
    Registered:
    17 Jan 2011
    27 Sep 2013
    Link to this post
    Just came across this discussion. Starting on two sites using sf ecommerce with authorize.net as the processor. We are not storing credit card information in the database. I realize PCI compliance is a complicated issue, but I assume I can still use this product for these stores? Our hosting is dedicated and we've passed PCI checks on our environment. Is this a concern?
  19. Foodsleuth
    Foodsleuth avatar
    46 posts
    Registered:
    21 May 2008
    27 Sep 2013
    Link to this post
    It is very complex, and it is confusing.  As the PCI compliance rolled out the rules got stricter each year or so, probably to give companies more time to comply.  As of 2010 the rules clearly state "ALL PCI Level 4 merchants (new and existing) using third-party software must use validated applications. July 1, 2010"   A level 4 merchant is a small company with fewer than 20K transactions per year. The standards get tougher from there if you are a larger company.  So the important words here are "validated applications"  and this product is not currently validated.   This is in ADDITION to your client being compliant.  So they can have properly setup servers, and have their internal handling practices all together but they still would not be fully compliant.  This is my understanding.  Here is one source for a pretty good set of FAQ's : http://www.pcicomplianceguide.org/pcifaqs.php.
    I'm not 100% sure if using Paypal Standard gets you off the hook for having a non-compliant software package, it appears to be the case.  But you would not be able to use just Authorize.net and the SF checkout system.
  20. Jochem Bökkers
    Jochem Bökkers avatar
    787 posts
    Registered:
    13 Aug 2007
    27 Sep 2013
    Link to this post
    It's not really that complex.
    There's one metric that's the decisive factor - are you handling credit-card information?

    That's why fully off-site payments have always been a big issue. Cause with 6.2 finally offering us full offsite payment we're finally able to comply.

    Each payment provider might have a different subset of regulations and paperwork for certain cards they're accepting, but instead of having to be fully pci-compliant yourself like any brick-and-mortar store has to be with all their software and hardware, an e-commerce website can get away by outsourcing all the sensitive stuff to an offsite payment provider.

    For sec e-commerce, in combination with an off-site payment provider who's PCI-DSS compliant you're only required to fill in SAQ A. It's a self assessment form, where you acknowledge all credit-card information is handled by a compliant 3rd party and you do not store this yourself.

    The standards say:
    PCI DSS applies to any entity that stores, processes or transmits cardholder data.
     
    If a merchant outsources all their payment operations, the applicable PCI DSS requirements for the protection of account data would apply to the environment(s) where the data is actually stored, processed and transmitted, such as third party service providers, payment gateways, etc.
     
    However, it is the responsibility of the merchant to ensure that the data they share with third parties is properly handled and protected – just because a merchant outsources all payment processing does not mean that the merchant won’t be held responsible by their acquirer or payment brand in the event of an account data compromise.
     
    Additionally, the merchant’s acquirer or payment brand may still require the merchant to validate their PCI DSS compliance status.
    For example, the merchant may be required to complete SAQ A in which the merchant attests that they have outsourced all payment processing services, do not store account data, and that they are compliant with PCI DSS Requirement 12.8.
    PCI DSS Requirement 12.8 states that merchants must have written agreements with their service providers that include the service provider’s acknowledgement of their responsibility for securing the data in their possession, and also requires that merchants monitor their service provider’s compliance at least annually.
     
    Merchants should check with their acquirer or payment brand to determine their compliance obligations when all payment processing is outsourced.

    Quoted from: https://www.pcisecuritystandards.org/faq/

    So by filling out a self-assessment questionnaire, using a qualified 3rd party payment provider some possible annual paper checks and signatures and we're good to go...

  21. Foodsleuth
    Foodsleuth avatar
    46 posts
    Registered:
    21 May 2008
    27 Sep 2013 in reply to Jochem Bökkers
    Link to this post
    I'll be curious to see how the interface looks, how much control we have of the look-and-feel of the pages.  These types of solutions are frequently very amaturish looking to the customer if not well-integrated.   It will certainly be fine for people who like to use Paypal (for us that is about 1/3 of our customers) given they are used to the "Paypal look". 
    At least there will be a solution for the short term because we're pretty much up a creek without it.  I still wonder what those big installations using the cart we have now are doing for compliance.
  22. Foodsleuth
    Foodsleuth avatar
    46 posts
    Registered:
    21 May 2008
    27 Sep 2013 in reply to Foodsleuth
    Link to this post
    Something else that is real unclear with the Paypal Standard solution,  is that there appears to be no "Virtual Terminal" access.  If you have customers that call in to place an order, you don't have anyway of putting an order through manually,  no way to rebill if a customer wants to add on to their order after their original order is placed.   It would really be helpful if there was a demo of 6.2 to take a look at, see what we are in for.
  23. Jochem Bökkers
    Jochem Bökkers avatar
    787 posts
    Registered:
    13 Aug 2007
    28 Sep 2013 in reply to Foodsleuth
    Link to this post
    Sitefinity 6.2 is currently in beta still. The current internal build includes the working Paypal Standard and WorldPay, but they might change before release. 

    Since it's 'off-site' payments, as soon as you're hitting the payment stage a client is shown the familiar and trusted Paypal interface until payment is completed and they'll be back on your site. Paypal offers some 'visual tweaking' through it's interface.

    There's an extensive pdf describing the entire paypal setup here, although not everything's applicable the first 40 pages should give you a firm grasp on its features and capabilities.

    ---
    The 'virtual terminal' you're referring to is a Paypal Pro feature and is meant as a tool to process and accept credit-cards over the phone/email. This essentially negates the ability to offload all credit-card handling  to a trusted 3rd party (because you're handling them as well) and thus falls under a different PCI-DSS Compliance level.

    If you compare the Paypal editions you'll see that the difference between 'standard' and 'pro' is 3 features:

    1. Customers pay without ever leaving your website.
    We want them to 'leave' our site so all cc handling is done off-site and allow for easier PCI compliance.

    2. Accept credit cards via phone, fax, and mail (Virtual Terminal)
    Described above, we don't want to touch cc information.

    3. Design and host your own checkout pages for full control.
    Again we don't want to host anything that has to do with cc information.

  24. James B.
    James B. avatar
    24 posts
    Registered:
    17 Jan 2011
    15 Oct 2013 in reply to Jochem Bökkers
    Link to this post
    Will sitefinity integrate an IPN with paypal standard? Otherwise I assume the order would remain in pending status and need to manually be processed? Any other insight into the process flow from paypal, cancel, success, showing order confirmation on return, etc.?
  25. Stanislav Velikov
    Stanislav Velikov avatar
    1113 posts
    Registered:
    08 Dec 2016
    18 Oct 2013
    Link to this post
    Hi,

    IPN and PDT have been added with sitefinity 6.2 for paypal, here is the documentation on this.

    Regards,
    Stanislav Velikov
    Telerik
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
25 posts, 0 answered