PCI Compliance

Avactis Shopping Cart has a fully PCI DSS-compliant design. Compliance with the PCI Data Security Standard is highly recommended for all on-line stores.

It is important to note that while Avactis is an integral part of the chain in obtaining PCI compliance, Avactis must be deployed in a PCI-compliant hosting environment.

If your current hosting service is not PCI-compliant, we recommend changing hosting providers or choosing our own Avactis Shopping Cart hosting.

The PCI Data Security Standard is organised into six steps. For each step, the PCI DSS requirements are listed together with the corresponding Avactis solution.

Step 1: Build and Maintain a Secure Network
  PCI DSS requirements:
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  Avactis solution:
  Avactis hosting servers run time-proven software: CentOS, Plesk, Advanced Policy Firewall, Rootkit Hunter. Server status is monitored continuously and all servers undergo regular security checks.

Step 2: Protect Cardholder Data
  PCI DSS requirements:
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  Avactis solution:
  Cardholder and card data stored in the database is encrypted with the RSA algorithm; the private key is kept only on the store administrator's local computer. Cardholder and card data collected during checkout is encrypted with the Blowfish algorithm; the secret key is transmitted only over HTTPS.

Step 3: Maintain a Vulnerability Management Program
  PCI DSS requirements:
  • Use and regularly update anti-virus software
  • Develop and maintain secure systems and applications
  Avactis solution:
  All software installed on our hosting servers is updated promptly. Security fixes are installed immediately.

Step 4: Implement Strong Access Control Measures
  PCI DSS requirements:
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  Avactis solution:
  To view credit card data, the store administrator has to upload the private key from his local computer. After the key is uploaded, the data is decrypted and displayed, and the key is deleted immediately. All these operations are performed over an HTTPS connection so that the data cannot be intercepted in transit.

Step 5: Regularly Monitor and Test Networks
  PCI DSS requirements:
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  Avactis solution:
  All cardholder data decryption operations are logged. The store administrator can view a report of card data views at any time.

Step 6: Maintain an Information Security Policy
  PCI DSS requirements:
  • Maintain a policy that addresses information security
  Avactis solution:
  An internal information security policy applies to employees and contractors.
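To make the key-handling design of Steps 2, 4 and 5 concrete, here is an added example modelling it in Python with the `cryptography` package (assumed installed); it is not Avactis code, and the class and function names, the record format and the test card number are constructed for illustration. It also shows what happens when the wrong private key is uploaded, which the page does not discuss: the decryption fails, the attempt is logged, and no key is retained on the server.

```python
# Added example, not Avactis code: models the page's key-handling design with
# the "cryptography" package (assumed installed). The server holds only the RSA
# public key; the administrator's private key is uploaded per view, used once,
# logged and discarded. Names and sample values are constructed.
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def admin_generate_keypair():
    """Runs on the administrator's computer; only the public PEM goes to the server."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    # NoEncryption keeps the example short; a real private key should be passphrase-protected.
    priv_pem = priv.private_bytes(serialization.Encoding.PEM,
                                  serialization.PrivateFormat.PKCS8,
                                  serialization.NoEncryption())
    pub_pem = priv.public_key().public_bytes(serialization.Encoding.PEM,
                                             serialization.PublicFormat.SubjectPublicKeyInfo)
    return priv_pem, pub_pem

class StoreDatabase:
    """Server side: public key, encrypted card records and the decryption audit log."""

    def __init__(self, pub_pem):
        self.public_key = serialization.load_pem_public_key(pub_pem)
        self.cards = {}        # order_id -> RSA-OAEP ciphertext
        self.access_log = []   # one entry per decryption attempt (Step 5 logging)

    def store_card(self, order_id, pan, expiry):
        """Encrypt at checkout; card data is short enough for a single OAEP block."""
        record = f"{pan}|{expiry}".encode()
        self.cards[order_id] = self.public_key.encrypt(record, OAEP)

    def view_card(self, order_id, admin, uploaded_priv_pem):
        """Decrypt one record with a key the administrator uploads (over HTTPS) for this view only."""
        priv = serialization.load_pem_private_key(uploaded_priv_pem, password=None)
        try:
            record = priv.decrypt(self.cards[order_id], OAEP)
            self.access_log.append({"order": order_id, "admin": admin, "ok": True})
        except ValueError:
            # Wrong key: the OAEP integrity check fails; record the attempt and refuse.
            self.access_log.append({"order": order_id, "admin": admin, "ok": False})
            raise
        finally:
            del priv, uploaded_priv_pem   # the server keeps no copy of the key after the view
        pan, expiry = record.decode().split("|")
        return pan, expiry
```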

Avactis Compliance With PCI

Cardholder data protection in Avactis is provided for both offline and online payment methods.

If order processing is carried out on-line, double protection is possible: in addition to the Blowfish or RSA encryption of the data itself, the data is also protected by certificate-based encryption during transmission over the network, as Avactis supports SSL certificates of all types.

For more information on PCI compliance please visit the PCI Security Standards Council website.