NopCommerce PCI

Question

Running NopCommerce 3.40

I think i read somewhere that NopCommerce's Shopping cart is PCI compliant. It also looks like NopCommerce's shopping cart stores Credit card data.

1.) So what does this PCI process do?

2.) Is it just a fashion of encryption of data as it passes to the database?

3.) Is it my fault if the hosted database say from GoDaddy gets hacked for a bunch of credit cards?

I don't know why NopCommerce is storing Credit Cards. I think I have to figure out how to disable that part. I mean if I don't then I need to purchase a PCI Certificate?

EDIT : I did some more reading. It looks like if I use Stripe or another third party gateway no Credit card information gets stored. I think only Manual Payments credit card information gets stored. Is this right?

Answer 1

1) PCI-DSS stands for Payment Card Industry Data Security Standard. The standard guides you so you know what are you doing with the cards data and that it is secure enough, given your transaction volume, data collected and stored, etc.

2) It is not. Basically, it says that if the card data (CC number, CVV code) ever pass near your system (in a logical sense), then you are in the PCI scope, and have to comply or the acquirers (banks) won't talk to you.

3) I think you'd be liable, look into GoDaddy disclaimers.

I doubt there's anything like 'PCI compliant shopping cart'. This is how you process the payment, as in, can your javascript access the CC number input box, can your router see the unencrypted CC number, etc.

In your case, I assume a small e-commerce, I'd look to outsource the payment page. Be it Stripe, PayPal, Skrill, Neteller, whatever makes you never see the data except for the income amount.