Configure Security
In 2006 American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International formed the Payment Card Industry (PCI) Security Standards Council. The main purpose of the council is to produce and maintain a set of rules and requirements that, when followed, help prevent fraud, hacking, and other threats to private cardholder data.
AbleCommerce 7.0 is designed for merchants and integrators who wish to implement their online store in accordance with the guidelines set by the Payment Card Industry (PCI). All merchants who handle credit card payments over the internet are required to perform at least some level of validation. A qualified security assessor is the only one who can validate your full PCI compliance.
Payment Application Best Practices (PABP) was created by Visa as an aid to software providers to help build secure payment applications. PABP validation proves that an application can be implemented in a way that is compliant with the PCI DSS. AbleCommerce has been designed to meet all of the requirements of PABP.
For more information, please go to PCI Certification and Implementation Questions in the community forums. There, you will find a current link to the Secure Implementation Guide for PABP/PCI DSS, and a place to discuss any questions you might have about securing your online store.
This section covers the following topics:
- General - Turn on secure SSL pages and configure credit card settings.
- Licensing - Update an AbleCommerce license key.
- Database - Change the database connection string.
- IP Firewall - Block IP addresses from your store.
- Password Policy - Configure password rules, and account security.
- Encryption Key - Secure your data by changing the encryption key often.
- Audit Log - View potentially sensitive security events.
Find the Configure Security menu
- Mouse-over the Configure menu item and then drop down to Security.
- This will expand the sub-menu as shown below.
Additional Security Measures
AbleCommerce also includes a number of security measures that work transparently and do not appear anywhere in the Configure Security menu.
Email Security
Email is not a secure method of communication and should never be used for transmitting sensitive information. AbleCommerce does not include credit card account details or passwords in any of the default email notifications. By design, email is used as a verification step only: users are required to receive an email and respond via a unique link in order to reset a password or be verified.
Encrypted Config Files
The database.config and encryption.config files are used to store sensitive information concerning your AbleCommerce installation. These files are encrypted so that your connection string and encryption key remain protected.
Debug Logging
Payment gateway integrations provided by AbleCommerce all support optional debug logging. The debug log files generated by our integrations never include sensitive card data. Sensitive data such as credit card numbers and CVV2 are redacted. Third party developers who create new payment integrations are strongly advised to follow the same procedure. Debug logs must not contain sensitive data in order to achieve PCI DSS compliance.
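As an added example of the redaction step described above (not AbleCommerce's own code), the following Python shows how a third-party integration can scrub a gateway request or response before it is written to a debug log: primary account numbers are detected by length plus a Luhn check and masked to the first six and last four digits, and fields whose names indicate a card verification value, PIN or track data are blanked entirely. The field names and the sample payloads are constructed for the example and use well-known test card numbers, not real card data.

```python
import re

# Constructed sample payloads (form-encoded request, JSON response); test numbers only.
SAMPLE_REQUEST = "x_card_num=4111111111111111&x_card_code=123&x_exp_date=1230&x_amount=19.99"
SAMPLE_RESPONSE = '{"ref":"1234567890","cardNumber":"5555 5555 5555 4444","cvv2":"999","status":"approved"}'

# Assumed field names whose values must never reach a log (CVV2/CVC2, PIN, track data).
# Handles key=value, key: value and "key":"value" forms.
SENSITIVE_KEYS = re.compile(
    r'\b(?P<key>(?:x_)?(?:card_code|cvv2?|cvc2?|cid|csc|security_?code|pin|track[12]?))'
    r'(?P<sep>"?\s*[=:]\s*"?)(?P<val>[^&",\s}]+)',
    re.IGNORECASE,
)

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def luhn_valid(digits: str) -> bool:
    """Luhn check so that order ids or timestamps are not mistaken for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(match: re.Match) -> str:
    """Keep at most the first six and last four digits, which PCI DSS allows to be displayed."""
    raw = match.group(0)
    digits = re.sub(r'[ -]', '', raw)
    if not luhn_valid(digits):
        return raw  # not a card number; leave the value untouched
    return digits[:6] + '*' * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Return a copy of a gateway message that is safe to write to a debug log."""
    text = SENSITIVE_KEYS.sub(lambda m: m.group('key') + m.group('sep') + '[REDACTED]', text)
    return PAN_CANDIDATE.sub(mask_pan, text)


if __name__ == "__main__":
    print(redact(SAMPLE_REQUEST))
    print(redact(SAMPLE_RESPONSE))
```

Run the redaction on the full message before any logger call, not after, so the raw payload never exists in a log buffer or file.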
Legacy Credit Card Data
While magnetic stripe data, card validation values or codes, and PINs or PIN block data are not (and never have been) stored within the database or software, AbleCommerce has tools available to securely delete sensitive data should the need arise. To securely delete the data, it is first overwritten with dummy text and then removed from the database. This ensures the data does not reside anywhere on disk or in memory once it has been removed.