Download available here:

PCI Compliance
v1.5.4 has undergone PA-DSS certification, and the paperwork is awaiting a final review by the PCI SSC, before being listed on their site by the end of January.

Older version summary of PA-DSS certification
v1.5.3 included stronger password handling with blowfish encryption, and many other improvements for security and performance and compatibility.
v1.5.2 was released as a beta only, and not submitted for formal re-certification.
v1.5.1 was an optional update, not submitted for formal re-certification.
v1.5.0 is PA-DSS certified, but that certification spec expired at the end of 2013.

Minimum Requirements
Zen CartŪ v1.5.4 requires a minimum of the following:
  • Zen CartŪ v1.5.4 is compatible with PHP 5.2.10 through PHP 5.6, and MySQL 5.1 thru 5.6
    (Note: security features are stronger when using PHP 5.3.7 or newer.)
    (Note: PHP 5.2.x and PHP 5.3.x are deprecated and no longer supported by ... You REALLY should be using PHP 5.5 if possible, for both security and speed benefits.)
  • MySQL 5.1 or higher
  • Apache 2.0 or higher.
  • Apache configured with AllowOverride set to either 'All' or at least both 'Limit' and 'Indexes' parameters, and preferably the 'Options' parameter as well.
  • PHP configured to support CURL with OpenSSL

While Zen CartŪ can run on Windows/IIS servers, Linux/Apache servers are recommended for best results, superior performance, and easier use by shopowners.

CHANGELOG - List of Changed Files
For a list of files that have been changed since v1.5.3, see the changed_files-v1-5-4.html document, located online or in the /docs/ folder of the downloaded zip.

What's New In v1.5.4:
Improvements include:
  • CHANGE-714 - Add progressive-enhancement to checkout flow for PCI compliance when card details collected onsite (added ajax infrastructure, and jQuery)
  • Fix #209 - POODLE protection - Remove SSLv3 mode, to allow autonegotiation

Bugfixes and feature updates include:
  • CHANGE-724 - Fix init_cache_key_check.php redirect loop which occurred when the user deletes the /cache/ folder
  • CHANGE-423 - PayPal Express Checkout - recover funding failure (10486) with "retry" if card is declined
  • CHANGE-725 - Authorizenet SIM module now hashes x_currency_code
  • CHANGE-730 - Linkpoint CURL SSL bug triggers PHP Warning: Illegal string offset
  • CHANGE-731 - Update SIM and AIM to add support for AUD,NZD currencies (now supports USD CAD GBP EUR AUD NZD)
  • CHANGE-732 - Update SIM and AIM to set defaults for merchant accounts capable of doing POS and Web transactions in one account
  • CHANGE-733 - Store-pickup module not activating properly for zone restrictions
  • CHANGE-311 - Data sanity check in admin/customers.php
  • CHANGE-709 - Refactor logging infrastructure
  • CHANGE-735 - Fix CSRF in admin profiles for action=delete
  • CHANGE-736 - Fix CSRF in layout_controllers for action=reset_defaults
  • CHANGE-737 - Replace hard-coded language text in /admin/orders.php
  • Fix #136 - Error in html syntax in admin_activity and CSS comment syntax in who's online
  • Fix #152 - Page not found when incorrect EZPage link remove status
  • Fix #188 - Remove code comment causing false-positive in security scan
  • Fix #210 - Fix code dealing with apostrophes in filenames
  • Fix #215 - Added additional common destinations to curltester script
  • Fix #221 - Fix Discount Coupon and Shipping Cost
  • Fix #246 - Fix errors about passwords during zc_install upgrade
  • ISSUE-82 - (continuation of) Fix odd PHP quirk which triggers fatal error "Allowed memory size of --- bytes exhausted" when accessing SID constant
  • Optimizations and improvements to various database queries
  • Fix queries in class.phpbb.php
  • Fix fmod_round and shopping_cart using (int) on quantity
  • Backported a PHP 5.4 fix to attributes_controller
  • zc_install - Fix email validation in zc_install to allow for new domain name TLDs
  • Fix override of mexico addresses with paypal pro
  • Substitute gethostname for shell_exec since some hosts disable shell_exec

To upgrade from v1.5.3 to v1.5.4
Simple: if you are using v1.5.3 already and have not customized any of the files listed in the changed_files-v1-5-4.html document, then simply replace those files with the new versions contained herein.
If you HAVE customized or altered certain files, simply re-do your customizations in the new version of those particular files by making the same changes needed.
If you are using Addons/Plugins that have made alterations to those files, it is best to compare those changed files against the original v1.5.3 files, and see what changes were there ... and then re-build those changes in the v1.5.4 file.
Once you've updated the files, run zc_install to upgrade your database content.

To upgrade to v1.5.4 from older versions
If you are upgrading from a version OLDER than v1.5.3, then please do a standard complete site upgrade:
NOTE: A simplified way of looking at upgrading is explained here:


Many people have asked about the "missing ?> at the end of some PHP files".
This is INTENTIONAL, and explained here:
It is NOT an error in the files or the download.