PCI Compliance Statement
PCI DSS Compliance Questions Answered
Common myths about PCI Compliance
Please see the following page for a better understanding of what PCI Compliance is NOT: https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf
Answers to the most commonly asked questions pertaining to Payment Card Industry Data Security Standard (PCI DSS) compliance
DISCLAIMER: The following answers pertain to a webstore built with default Zen Cart code without any customizations, using only built-in features/modules/capabilities, in the default configuration.
Any customizations you do to your store render these statements incomplete and require that you answer these questions yourself.
Question 6.2 Is the software and application development process based on an industry best practice, and is information security included throughout the software development life cycle (SDLC) process?
Yes
Question 6.5 Were the guidelines commonly accepted by the security community (such as the Open Web Application Security Project group, www.owasp.org) taken into account in the development of the web application?
Yes
Question 6.6 When authenticating over the Internet, is the application designed to prevent malicious users from trying to determine existing user accounts?
Yes
Question 6.7 Is sensitive cardholder data stored in cookies secured or encrypted?
Cookies are not used to store cardholder data.
Question 6.8 Are controls implemented on the server side to prevent SQL injection and other bypassing of client-side input controls?
Yes
PABP Standards Compliance
A fresh install of Zen Cart contains several built-in payment modules which connect to an external gateway to do live credit card transaction processing. These built-in gateway modules are designed to be PABP compliant.
One source of information which summarizes PABP compliance can be found here: http://authorize.net/files/developerbestpractices.pdf.
Any alterations made to these modules by an individual store owner, or any add-on modules built by third-party developers, may or may not be PABP compliant. The onus is on the store merchant to ensure that their store satisfies the PABP requirements of their own merchant account terms of service (TOS).