Hi,

PCI compliance seems to be mostly about protecting your network from outsiders and your own employees, so 99.9% of the effort to be put into complying would appear to be to do with how you manage your business.

Finding out what actual technical requirements are necessary for compliance doesn't seem to be a very easy thing to do. I personally don't know exactly what is required and can't find any easy to read information anywhere which enlightens me.

However, I would guess that, from a technical point of view, card information must be kept secure at all times.

Protx Direct doesn't result in any card information being stored with the vendor, except on a temporary, transitional basis. The only time details are stored is when the customer moves from the payment page to the confirmation page (and possibly back again). The details are then stored the session. If the customer leaves the checkout process, the details are removed from the session (when/if they come back to the checkout or go to the shopping cart page).

While the details are stored in the session they are encrypted using a password entered in the module's configuration. This encryption cannot be broken without that password.

For those on a shared server, as long as no-one can access your database to get this password, all data is 100% secure. For those with their own server, as long as no-one can access your server to get access to the database - and therefore the encryption password - all data is 100% secure.

When the card details are sent to Protx it is over a secure connection and the card details are not stored by the module.

I don't know if that's cleared anything up for you but it's the best way I think the module can work in terms of security while still offering the customer a pleasant checkout experience. The only other alternative would be to hack the payment pages to temporarily record card details within any forms and to accept that the card details will have to be re-entered from scratch any time a user uses a HTML link.

The card details are stored (encrypted) in the session temporarily for the sole purpose of letting customers move about the checkout (to make shipping changes, shopping basket changes etc.) without having to re-enter their payment details every time they do so (as all other Zen Cart modules that take card payments seem to require).

All the best...

Conor
Ceon