
PCI-DSS compliance

Kevin Garvey
01-25-2013, 02:19 PM
Hi everyone,

Our company is currently using a highly-customized version of osCmax v2.0 with an Authorize.net payment module -- we began accepting payments online last year. For the first time during the annual PCI-DSS SAQ, we had to have an ASV scan performed and failed due to our site being hosted on a shared platform.

The ASV scan was required because our payment page, while leveraging Authorize.net, is still resident on our site. Is anyone aware of any simple fixes for this? I'm trying to avoid having to move our site to a dedicated server because the cost shoots up dramatically. Similarly, I could switch to a hosted cart like Volusion or BigCommerce, but they don't offer the same degree of customization as osCmax (and we'd have to rebuild from scratch more or less).

The simplest solution I could come up with was to redirect the actual payment information page to a PCI-compliant third party (maybe even Authorize.net?), but I'm not sure if that's possible.

Does anyone have any suggestions on what might work?

Also, I'm not the web developer so I don't have the most familiarity with osCmax, but I entered all the information/content for the site so am fairly familiar with the Admin section. Not sure if that's relevant...
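
The handoff Kevin describes, as an added example (not code from this thread, from osCmax, or from Authorize.net): the shop's own server emits a checkout form that carries only order data plus an HMAC fingerprint, in the general shape of a hosted-payment-page flow, and checks the gateway's return. The field names, endpoint, secret and hash algorithm are placeholders; the real ones come from the gateway's documentation.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed placeholders; a real gateway issues the login id and signing key.
GATEWAY_LOGIN = "merchant-login-id-placeholder"
GATEWAY_SIGNING_KEY = b"transaction-key-placeholder"
HOSTED_PAGE_URL = "https://gateway.example/hosted-payment"  # placeholder endpoint

# Fields that must never appear in a form posted to, or handled by, the shop's host.
CARD_FIELDS = {"card_number", "card_expiry", "card_cvv"}


def sign(*parts: str) -> str:
    """HMAC over the '^'-joined parts; the gateway dictates the real algorithm."""
    return hmac.new(GATEWAY_SIGNING_KEY, "^".join(parts).encode(), hashlib.sha256).hexdigest()


def build_handoff_form(order_id: str, amount: str, now: Optional[int] = None) -> dict:
    """Fields the shop posts to the hosted page: order data only, no card data."""
    ts = str(now if now is not None else int(time.time()))
    return {
        "action": HOSTED_PAGE_URL,
        "login": GATEWAY_LOGIN,
        "sequence": order_id,
        "timestamp": ts,
        "amount": amount,
        "fingerprint": sign(GATEWAY_LOGIN, order_id, ts, amount),
    }


def verify_return(fields: dict, max_age: int = 900, now: Optional[int] = None) -> bool:
    """Check a returned result: fingerprint must match the posted fields and be fresh."""
    try:
        expected = sign(fields["login"], fields["sequence"], fields["timestamp"], fields["amount"])
        age = (now if now is not None else int(time.time())) - int(fields["timestamp"])
    except (KeyError, ValueError):
        return False
    # Constant-time compare so a tampered amount or order id is rejected without leaking timing.
    if not hmac.compare_digest(expected, fields.get("fingerprint", "")):
        return False
    return 0 <= age <= max_age


def touches_card_data(fields: dict) -> bool:
    """True if any cardholder-data field is present in what the shop handles."""
    return bool(CARD_FIELDS & set(fields))
```

Because the card fields exist only on the gateway's page, the shared host never receives cardholder data; whether that changes the SAQ type or the scan requirement is for the acquirer or QSA to confirm.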

ridexbuilder
01-25-2013, 02:45 PM
You don't need to jump straight from shared to dedicated hosting - there's VPS as an intermediate. It's considerably cheaper and if a Cloud solution is chosen, often more resilient than a dedicated server.
Your osCmax is so out of date that I'm surprised they didn't flag up security issues during the scan - it must be very specific.