• PCI Compliance Statement and PABP Standards

    PCI DSS Compliance Questions Answered

    Common myths about PCI Compliance

    Please see the following page for a better understanding of what PCI Compliance is NOT: https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf

    Answers to the most commonly asked questions pertaining to Payment Card Industry Data Security Standard (PCI DSS) compliance

    DISCLAIMER: The following answers pertain to a webstore built with default Zen Cart code without any customizations, using only built-in features/modules/capabilities, in the default configuration.
    Any customizations you do to your store render these statements incomplete and require that you answer these questions yourself.


    • Question 6.2 Is the software and application development process based on an industry best practice and is information security included throughout the software development life cycle (SDLC) process?
      Yes

    • Question 6.5 Were the guidelines commonly accepted by the security community (such as Open Web Application Security Project group (www.owasp.org)) taken into account in the development of Web applications?
      Yes

    • Question 6.6 When authenticating over the Internet, is the application designed to prevent malicious users from trying to determine existing user accounts?
      Yes

    • Question 6.7 Is sensitive cardholder data stored in cookies secured or encrypted?
      Cookies are not used to store Cardholder data.

    • Question 6.8 Are controls implemented on the server side to prevent SQL injection and other bypassing of client-side input controls?
      Yes

    PABP Standards Compliance

    A fresh install of Zen Cart contains several built-in payment modules which connect to an external gateway to do live credit card transaction processing. These built-in gateway modules are designed to be PABP compliant.

    One source of information which summarizes PABP compliance can be found here: http://authorize.net/files/developerbestpractices.pdf

    However, any alterations made to these modules by an individual storeowner, or any addon modules built by third-party developers, may or may not be PABP compliant. The onus is on the merchant to ensure that such modules satisfy the PABP requirements of their own merchant account terms of service (TOS).
Zen-Cart, Internet Selling Services, Klamath Falls, OR