May 24th, 2010 by Scott
There’s a set of requirements called the Payment Card Industry Data Security Standard (or “PCI DSS”), and it was developed by the PCI SSC (the Payment Card Industry Security Standards Council).
These requirements are designed to provide a standardized, consistent set of security measures for merchants that handle credit card transactions.
The standard groups its 12 requirements for maintaining a secure operation under six headings:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
For WordPress, your e-commerce options are limited, and for a PCI compliant shopping cart, they’re limited even further.
There is no way in a million years you should consider developing a new site using ANY shopping cart whose vendor is not willing to be compliant; in my (non-legal) opinion, you’re setting yourself up for a lawsuit.
This list of WP shopping carts and their PCI compliance info will grow over time…
- Shopp – They are compliant, and they are willing to say so, which is partly why they are one of our current chosen platforms.
- Eshopp – We love this free plugin. By shifting all cardholder data entry onto Authorize.net, there are no compliance issues. Sweet!
- Cart 66 – They say they’re compliant right on their home page.
- PHP Purchase – They say they’re compliant right on their home page.
- Cart 32 – They do claim compliance.
- Vevo Cart – They DO claim to be compliant.
- WooThemes – They offer various add-ons.
These carts are either non-compliant or simply don’t address PCI on their sites:
- WP Ecommerce – Although we HAVE tested and passed compliance once and found no issues, they now seem to fail any test, so we’ve given up. They offer no statement about compliance that we could ever find, even using Google to search their site.
- WP Auctions – No mention of PCI compliance – check.
- WP eStore – No mention of PCI, but they use something called instant digital product delivery – check.
- Shopper Press – Has 20+ payment gateways, but not PCI compliant? Check.
- Market Theme – No mention of PCI compliance – check.
- Word Press Shopping Cart Plug-in – No mention of PCI compliance – check.
In the comments below, please leave links to compliance info for any cart you come across, and I’ll update this list. Likewise, if you have information about any cart that’s NOT compliant, that would be helpful too.
WP Ecommerce – What You Should Know
If you need to learn a lot about PCI compliance, this is pretty damn good…