Page 2 of 4 (results 11 to 20 of 38)
  1. #11
    Join Date
    May 2010
    Location
    London
    Posts
    237
    Plugin Contributions
    0

    Default Re: Beta over protected?

    I said a while back when the plans for 1.5 were released that I didn't think it was a good idea. Yeah, it's great ZC will be the first open source free cart system that will be PCI Certified. But that surely sets a precedent for all ZC versions, 1.5a … 1.5k … 1.6.3b … 1.9.9z, or whatever the version numbers are that will come.

    If the devs don't mind maintaining this additional millstone around their neck, then it's great for the ZC community, brand, product and a brilliant idea. But as Vger pointed out, it is only the big players that offer PCI certified versions. I would imagine that is a resource hungry process, possibly the reason behind the ZC financial restructuring?

    Is this PCI Certified move an attempt to attract big multimillion pound/dollar/euro companies into the fold of ZC? I believe many have 1.3.9h PCI certified up to level 3? I personally would like to think that once my online stores moved into the requirements of PCI level 2 certification I would either be retired and out of the 'hands on' online side, or be able to employ an in house team, using either a bespoke system or Magento Enterprise as the core.

    Almost all decent add-ons are now broken, which isn't a problem if the add-on developers can rewrite them to suit 1.5. But more critically, are the bosses in charge of ZC going to implement a system so that all add-ons for 1.5 must pass / not break PCI Certification? Otherwise, many people's ZC sites will not be PCI certified. And a standard 'out of the box' ZC install lacks too many features of other 'out of the box' installs from rivals, thus many add-ons are required to provide a modern dynamic online business.

    While I think the 1.5 security focused rewrite is a good idea to force better security procedures, like Mr Kuroi's Admin Profiles system, I cannot help but wonder if the time, effort, money and energy would not be better placed on the development of 2.0? Unless, as I stated many, many months ago, this is a means of giving a few years' breathing space for the release of 2.0, as all add-ons etc. will have to be rewritten from the ground up for 2.0.

    Sorry, I know many will disagree, but I can't help but feel that the focus to be PCI certified is pissing into the wind.

    You may now open fire.
    Last edited by dutchy; 16 Aug 2011 at 10:57 AM.

  2. #12
    Join Date
    Apr 2006
    Location
    London, UK
    Posts
    10,569
    Plugin Contributions
    25

    Default Re: Beta over protected?

    I share your and Vger's concerns about the additional overhead, as well as the sometimes counter-productive restrictions that it seems to place on the functionality required or forbidden; but I think you've got the motivations backwards.

    This is bringing a level of security previously only available to the big boys down to stores of any size. It's not at all an attempt to attract big stores to Zen Cart. Personally I'd like to see more of that anyway, as the combination of rich functionality and a relatively efficient engine means that it's capable of supporting them.

    I wouldn't overplay the "all decent mods are broken" concern either. They're only really affected if they add admin pages and even then it just means that pages now need to be registered by a small bit of SQL rather than a box file.

    Ideally mods would also be upgraded to meet the new security standards, and I think that will happen over time as mod authors get used to them. But just adding the SQL will be enough to get most running as they did before.
    Last edited by kuroi; 16 Aug 2011 at 11:09 AM.
    Kuroi Web Design and Development | Twitter

    (Questions answered in the forum only - so that any forum member can benefit - not by personal message)

  3. #13
    Join Date
    May 2010
    Location
    London
    Posts
    237
    Plugin Contributions
    0

    Default Re: Beta over protected?

    Actually, I never thought about it in that way. Giving the smaller stores the same security muscles as the big stores. Nice pointer.

    And for the OP, I force password changes on admins every 30 days and rename my admin every quarter or when an admin level member of staff leaves. There should be no need to write passwords down! A bit of mental effort from them to remember it is not that hard. In fact, it's just lazy of them to not try and remember a password.

  4. #14
    Join Date
    Nov 2007
    Location
    Sunny Coast, Australia
    Posts
    3,379
    Plugin Contributions
    9

    Default Re: Beta over protected?

    ZC 1.5 Beta over protected?

    I don't think so. In the "cyber world" you can never have enough protection. It really is a matter of being ahead of the game. What is safe today may not be that safe anymore tomorrow - thanks to some malicious individuals.

    Bear in mind that you need the trust of your customers to shop with you. If you (or the software that you are running) are putting your customers' money at risk then that can easily be the end of your business and indeed the end of your reputation.

    Building trust and confidence with customers is tough enough, getting either of them back is a mighty hard task.

    ZC 1.5 Beta over protected? Definitely not!

  5. #15
    Join Date
    Feb 2005
    Location
    Captain Cook, Hawaii
    Posts
    179
    Plugin Contributions
    0

    Default Re: Beta over protected?

    I wonder if ZC could be modified to not include CC modules and have a different version number, thus it would not be a PCI compliant version.

    I well understand the needs of PCI for credit cards and other security items added to make the carts secure, but we all know that with a 90 day password requirement, SOMEBODY will be writing down the current password on their screens. (Somebody is not me, but I'm just saying).

    I manage perhaps 10 carts at this time and will have to come up with some type of system. Often I have to access these systems remotely while traveling.

    I still like the idea of the ID KEY I use for PayPal. The website tells me to enter the secret code which my phone app generates (similar to a security key token).
    Aloha from Hawaii! (its a dirty job, but SOMEBODY has to live here...)

  6. #16
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: Beta over protected?

    Quote Originally Posted by mshultise View Post
    I wonder if ZC could be modified to not include CC modules and have a different version number, thus it would not be a PCI compliant version.
    That still doesn't negate the need for PCI compliance.

    Quote Originally Posted by mshultise View Post
    I still like the idea of the ID KEY I use for Paypal. The website tells me enter in the secret code which my phone app generates (similar to a security key token).
    And you can do that with Zen Cart too. You'll have to write your own integration for it, but two-factor authentication mechanisms are supported. But that's going completely off topic. And you'd still need your password.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
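As an added illustration of the second factor mshultise describes and DrByte says can be integrated, here is the arithmetic behind a phone-app "secret code" (RFC 6238 TOTP built on RFC 4226 HOTP) together with a verifier of the kind an admin-login integration would call after the password check. This is example code written for this thread, not code from Zen Cart, from PayPal's key, or from any post here. It assumes PHP 7 or later (for `intdiv`, `hash_equals` and `pack('J')`); the secret is the RFC 6238 test-vector key so the printed codes can be checked against the RFC's Appendix B, and a real deployment would use a random per-admin secret stored server-side.

```php
<?php
// Added example, not Zen Cart code: TOTP (RFC 6238) over HOTP (RFC 4226)
// as the "secret code from my phone app" second factor. Assumes PHP >= 7.

function hotp(string $secret, int $counter, int $digits = 6, string $algo = 'sha1'): string
{
    // RFC 4226 5.3: the counter is an 8-byte big-endian value
    $msg  = pack('J', $counter);
    $hash = hash_hmac($algo, $msg, $secret, true);

    // Dynamic truncation: the low 4 bits of the last byte pick a 4-byte window,
    // whose top bit is masked off to avoid signed/unsigned ambiguity.
    $offset = ord($hash[strlen($hash) - 1]) & 0x0f;
    $code   = ((ord($hash[$offset]) & 0x7f) << 24)
            | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8)
            |  ord($hash[$offset + 3]);

    return str_pad((string)($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

function totp(string $secret, int $unixTime, int $step = 30, int $digits = 6, string $algo = 'sha1'): string
{
    // RFC 6238: the HOTP counter is the number of whole time steps since the epoch
    return hotp($secret, intdiv($unixTime, $step), $digits, $algo);
}

// What the login page would do with the submitted code: accept the current
// step and one step either side (phone clock drift), compare in constant time,
// and keep the loop running so timing does not reveal which window matched.
function totp_verify(string $secret, string $submitted, int $now, int $step = 30, int $digits = 6): bool
{
    if (!preg_match('/^\d{' . $digits . '}$/', $submitted)) {
        return false;
    }
    $ok = false;
    foreach ([-1, 0, 1] as $drift) {
        $expected = hotp($secret, intdiv($now, $step) + $drift, $digits);
        if (hash_equals($expected, $submitted)) {
            $ok = true;
        }
    }
    return $ok;
}

// RFC 6238 Appendix B vectors (SHA-1, 8 digits, 30 s step) for the test key.
$secret  = '12345678901234567890';
$vectors = [
    59         => '94287082',
    1111111109 => '07081804',
    1111111111 => '14050471',
    1234567890 => '89005924',
    2000000000 => '69279037',
];
foreach ($vectors as $t => $want) {
    $got = totp($secret, $t, 30, 8);
    printf("t=%-10d rfc=%s ours=%s %s\n", $t, $want, $got, $got === $want ? 'OK' : 'FAIL');
}

// The 6-digit case an admin login would use: generate as the phone would,
// verify as the server would, against the same clock.
$clock = 1111111111;
var_dump(totp_verify($secret, totp($secret, $clock), $clock));
var_dump(totp_verify($secret, '000000', $clock));
```

The verifier is the part that matters for the thread's point: the code is only a second factor, so `totp_verify()` is called after the password has already been checked, never instead of it, and a production integration would additionally refuse to accept the same (step, code) pair twice to stop replay within the 30-second window.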

  7. #17
    Join Date
    Sep 2006
    Location
    Ruckersville, VA, USA
    Posts
    286
    Plugin Contributions
    0

    Default Re: Beta over protected?

    For the past 4 weeks I have been working - reworking a 1.3.8 site that was hacked. This morning I installed a test site using 1.50 beta. Congratulations to the ZENCART Team for really doing it right. The install was SMOOOOTH - thank you!
    Why am I stating this on this forum? The protection afforded our customers (PCI compliance etc.) is EXTREMELY important. Hackers really do not care - however, we acting as web developers want to always ensure our customers - and all ZENCART "customers" - are afforded the best possible security. Perhaps I am preaching to the choir, but the choir knows the song!
    Thank you ZENCART team. I still have only one question - do you ever sleep? (the hackers certainly do not).
    Respectfully,
    jund (John Underwood)

  8. #18
    Join Date
    Nov 2004
    Location
    Norfolk, United Kingdom
    Posts
    3,036
    Plugin Contributions
    2

    Default Re: Beta over protected?

    do you ever sleep? (the hackers certainly do not)
    Hackers do sleep, but unfortunately they exist in every time zone around the world. So unless you can monitor your site 24/7/365 then they have an edge on you.

    Vger

  9. #19
    Join Date
    Jun 2008
    Location
    Bordeaux, France
    Posts
    69
    Plugin Contributions
    6

    Default Re: Beta over protected?

    I agree too. The new password protection gives too many constraints for small shops. A possibility to deactivate it simply by editing a define in the source could be made.

  10. #20
    Join Date
    Nov 2003
    Location
    Haarlem | Netherlands
    Posts
    1,987
    Plugin Contributions
    15

    Default Re: Beta over protected?

    I must admit that I was shocked at first too after I installed 1.5.0BETA. But after giving it some more thought I think there are more advantages than disadvantages, even for small shops.

    The safer Zen Cart becomes, the less interesting it becomes for attackers, which may result in relatively fewer attacks.

    For the ones that don't need password renewal every 90 days there will be (probably easy) ways to increase the time period.

    And I think the integration of admin profiles is really a great advantage! Even small shops (like I have) will probably want to give (temporary) admin access to some people at some point. And now they will have an easy way to limit this access.

    And, if the incompatibility of mods is mainly about the box files, this will be a very temporary problem. Actually I think there is no real incompatibility concerning the box files, because the current 1.5 version of Zen Cart already includes a tool to register admin pages and add links to these pages to the menu.
    Last edited by paulm; 17 Aug 2011 at 11:03 PM.
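Both kuroi (post #12) and paulm (post #20) say that the add-on breakage comes down to admin pages now being registered in a table rather than through a box file. The following is an added illustration of what such a registration looks like, written for this thread; it is not code from Zen Cart, from Admin Profiles, or from any add-on. It assumes the 1.5 admin helper functions `zen_page_key_exists()` and `zen_register_admin_page()` and the `admin_pages` table, and that the script is loaded as an admin init script (`admin/includes/init_includes/`, pulled in by an `admin/includes/auto_loaders/config.*.php` entry) so `$db` and the admin functions already exist. The add-on name, page key, filename constant, language constant and menu placement are all made up for the example.

```php
<?php
// Added example, not Zen Cart's own code: registering an add-on's admin page
// the 1.5 way (admin_pages table) instead of a pre-1.5 box file.
//
// Assumed location: admin/includes/init_includes/init_orders_export.php
// Assumed 1.5 API (not verified on this page):
//   zen_page_key_exists($page_key)
//   zen_register_admin_page($page_key, $language_key, $main_page,
//                           $page_params, $menu_key, $display_on_menu, $sort_order)
// Assumed constants, defined by the add-on in the usual places:
//   FILENAME_ORDERS_EXPORT  in admin/includes/extra_datafiles/orders_export_filenames.php
//   BOX_ORDERS_EXPORT       in admin/includes/languages/english/extra_definitions/orders_export.php

if (!defined('IS_ADMIN_FLAG')) {
    die('Illegal Access');            // the guard every Zen Cart admin include uses
}

// Hypothetical page key. Profiles in Admin Profiles are granted per page key,
// so registering under a stable key is what lets a shop owner restrict who
// may open this page.
define('ORDERS_EXPORT_PAGE_KEY', 'ordersExport');

// Idempotent: an init script runs on every admin request, so only insert once.
// Without this check a second run would add a duplicate menu entry (or fail
// on the table's unique key, depending on the schema).
if (function_exists('zen_register_admin_page')
    && !zen_page_key_exists(ORDERS_EXPORT_PAGE_KEY)) {
    zen_register_admin_page(
        ORDERS_EXPORT_PAGE_KEY,
        'BOX_ORDERS_EXPORT',          // NAME of the language constant, resolved when the menu is built
        'FILENAME_ORDERS_EXPORT',     // NAME of the filename constant, likewise
        '',                           // extra query-string params for the link; none here
        'customers',                  // which admin menu it hangs under
        'Y',                          // show it on that menu
        20                            // sort position within the menu
    );
}

// The "small bit of SQL" kuroi refers to is the same row inserted by hand through
// Admin > Tools > Install SQL Patches (which prefixes the table name for you):
//
//   INSERT INTO admin_pages
//     (page_key, language_key, main_page, page_params, menu_key, display_on_menu, sort_order)
//   VALUES
//     ('ordersExport', 'BOX_ORDERS_EXPORT', 'FILENAME_ORDERS_EXPORT', '', 'customers', 'Y', 20);
```

The practical difference from a box file is that the page key becomes the unit of authorisation: a box file made a link appear for every admin, whereas a registered page can be left out of a restricted profile, which is the Admin Profiles behaviour paulm welcomes for handing out temporary access.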
