Shop-Script 5 & PCI DSS
November 5, 2013
PCI DSS (Payment Card Industry Data Security Standard) is an information security standard for organizations that handle cardholder information for popular credit and other payment cards. All companies that store, transmit, or process cardholder information must be certified to do so in accordance with the requirements of PCI DSS. See more details on the official PCI DSS website and in Wikipedia.
Do I have to pay for the expensive PCI DSS certification if I'm using Shop-Script 5?
No, you don't! Shop-Script 5 does not store, transmit, or process cardholder information and is therefore not subject to the certification required by PCI DSS. All payment plugins for accepting bank cards in Shop-Script 5 work in such a way that cardholder information is never submitted via your online storefront, but only on a special secure page of the respective payment system or gateway. Therefore, PCI DSS certification must be handled only by that payment system and not by your online store. There are no payment plugins in Webasyst Store that require certification for compliance with PCI DSS. Should such a plugin be published there in the future, its description will explicitly state that such certification is necessary.
The certification is required only if you want your customers to be able to submit their cardholder information directly on your website. The certification procedure is rather lengthy and expensive, and is performed by specially authorized QSAs (Qualified Security Assessors).
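To make the design described above checkable, here is an added example (not Shop-Script or Webasyst code) of a storefront-side guard: it scans incoming form fields for Luhn-valid card numbers, so a request carrying a PAN, which should never reach a storefront that delegates card entry to the gateway's hosted page, can be rejected and logged in masked form. The field names and the sample request are constructed for the example.

```python
"""Guard for a storefront that must never receive cardholder data.

Added example, not Shop-Script code: in the hosted-page model the gateway
collects the card, so a PAN-like value arriving at the storefront points to a
misconfigured plugin or a bypass attempt. The request can be rejected and the
event logged with the number masked, so the site never stores a full PAN.
"""
import re

# 13-19 digits, each optionally followed by a space or hyphen separator
DIGIT_RUN = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI-style display form: first six and last four digits kept."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pan_fields(form: dict) -> dict:
    """Return {field_name: masked_pan} for every field holding a PAN-like value."""
    hits = {}
    for name, value in form.items():
        for m in DIGIT_RUN.finditer(str(value)):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits[name] = mask_pan(digits)
                break
    return hits


# Constructed sample request: a normal order form plus a field that should not exist.
SAMPLE_FORM = {
    "order_id": "1000000000001",           # 13 digits but fails Luhn -> not flagged
    "phone": "+1 555 0100 1234",           # too few digits -> not flagged
    "comment": "please deliver after 6pm",
    "card_number": "4111 1111 1111 1111",  # well-known test PAN, Luhn-valid
}

if __name__ == "__main__":
    print("reject request, PAN-like fields:", find_pan_fields(SAMPLE_FORM))
```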
McAfee SECURE. About information security in Shop-Script 5 and Webasyst Cloud
Even though PCI DSS certification requirements are, formally, not applicable to Shop-Script 5 and our other products, that does not diminish the importance of continuous security testing of the Webasyst framework and its individual applications. During development, we pay a great deal of attention to ensuring a high security level for our products.
We have been cooperating with McAfee, a certified ASV (Approved Scanning Vendor), for a long time, and we perform daily testing of the Webasyst Cloud and all products running on it: Shop-Script 5 as well as the Blog, Photos, and Site apps, etc. Every day an automated routine performs penetration testing of our products and server resources, checking them for security weaknesses or vulnerabilities such as SQL injection, XSS, etc.
The scanning report confirms full compliance of the Webasyst Cloud service, and all software products it offers, with the requirements of PCI DSS: view the McAfee Compliance Report in PDF.