Further enhancing X-Cart Site Admin security

Via your hosting console you can add an extra layer of security in front of your X-Cart admin: HTTP basic authentication on the /admin directory, enforced by the web server itself. Once it is in place, browsing to the admin area brings up a username and password prompt before any X-Cart code runs; only after that prompt do you reach the usual X-Cart admin login page, where you enter your X-Cart admin username and password as normal.

Here is how you enable this extra layer of security:

Note: if FrontPage Extensions are enabled on your hosting, password-protected directories as outlined below will not work. If you want to use this feature rather than FrontPage, disable the FrontPage Extensions. If you want to keep FrontPage Extensions active, you can create password-protected directories from within FrontPage instead.

  • Log on to your web hosting console at http://cpanel.yourdomain.com.au/ (replace ‘yourdomain.com.au’ with your actual domain name; where your host offers it, the https:// form on port 2083 is preferable, so that your console password is not sent in clear text)
  • Once logged in, under the ‘Security’ section of cPanel, click on the ‘Password Protect Directories’ icon


  • A pop-up window will be displayed – simply click on the ‘Go’ button


  • The next screen shows a list of the directories in your web root, including the X-Cart ones. Click on the ‘admin’ folder
  • On the next screen tick ‘Password protect this directory’, give the protected directory a name (this is the text shown in the browser’s login prompt), and click on ‘Save’


  • When the page refreshes, go down to the second half of the page to ‘Create User’. Use the password generator to create a high-strength password; we recommend a score of 100/100. Once the password has been created and all fields show a green tick, click on ‘Add/modify authorized user’.

Note: ideally memorise this password, or keep it in a very secure place, as you will need this username and password every time you log in to your X-Cart admin from now on. Use a different password from your X-Cart admin login; if the two are the same, a leaked X-Cart password also opens the outer layer.


Finally, test that you have implemented the additional security on your X-Cart site correctly:

  • First, go to your X-Cart customer front-end and check that it is still accessible (in case you have accidentally protected the entire site instead of just the /admin folder).
  • Next, go to the URL you always use to access your X-Cart admin. If the protected directory was created successfully you will now get a pop-up window asking for a username and password. Enter the username and password you just created and click on ‘Ok’. You will then see the usual X-Cart admin login page, where you continue to log in as before.



PCI Compliance – 12 steps to protecting customer credit card information

The Payment Card Industry (PCI) Data Security Standard (DSS), usually just called PCI DSS, requires every shopping cart owner who accepts credit card payments to adopt strict security policies and procedures, organised into these 12 requirements:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

PCI DSS applies to ALL businesses and merchants, regardless of size or number of transactions, that accept, transmit or store any credit card data. It exists to protect any customer who pays the merchant directly with a credit or debit card, whether online, over the phone or by completing a faxed form. Non-compliance may result in fines and penalties for the merchant.

For more information, please visit: https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

If you would like to learn more about PCI DSS compliance and its relevance to the eCommerce industry, see the PCI Compliance Recommended Reading List further down this page.


Removal of credit card information from X-Cart software

Given that hacking and security breaches are an everyday part of life on the internet, there are certain things you need to do when managing your X-Cart site and credit cards.

Whether you use manual credit card processing or an automated payment gateway, you need to make your cart as secure as possible when handling sensitive data such as customer credit card details.

Manual processing for Credit Cards

We strongly recommend against the manual credit card processing payment method, because it requires the customer’s full card details to be retained within your X-Cart store until you process the card, where anyone who gains access to your admin or your server can read them. It is also not PCI DSS compliant, which has been a mandatory obligation for all shopping cart owners who process credit cards since September 2006 (see the PCI Compliance section above). Even if you remove the card details immediately after processing, they are still exposed to an attacker in the window between the order being placed and the moment you open the order to retrieve them.

If you must use manual credit card processing, remove the card details from each order immediately after processing it. If you have not done this for some time, or ever, you can remove the card details from all ‘processed’ and ‘completed’ orders in one bulk operation as follows:

In your X-Cart admin, go to the ‘Administration’ section >> Summary >> Tools

Then tick the boxes corresponding to how you want the credit card information deleted and/or preserved, and apply the changes.

Furthermore, to guard against fraudulent use of stolen card numbers, make sure the CVV2 field is enabled, so that a customer paying through your site must have the physical card in hand to enter the 3-digit code printed on the back (4 digits on the front for American Express). The CVV2 code must never be stored after authorisation, not even encrypted; PCI DSS Requirement 3 forbids it, which is why $store_cvv2 is set to false below.
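Bulk removal is only as good as its verification. As an added check (example code written for this page, not an X-Cart tool), the script below scans an order export or database dump for anything that looks like a card number: runs of 13 to 19 digits that pass the Luhn check every real card number satisfies, which filters out order numbers and phone numbers of similar length. Hits are reported masked (first six and last four digits, the most PCI DSS permits to be displayed) so the report itself does not become a new copy of the data. The sample export and the test card numbers in it are constructed.

```python
import re

# Added example, not X-Cart code. The sample export below is constructed.

# 13-19 digits, optionally separated by single spaces or dashes, and not part
# of a longer digit run (so a 20-digit tracking number is not a candidate).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every payment card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Show at most the first six and last four digits, as PCI DSS allows."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str):
    """Return (line_number, masked_pan) for every Luhn-valid candidate in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((lineno, mask(digits)))
    return hits


# Constructed sample: rows as they might appear in an order export. The card
# numbers are the public test numbers the card schemes publish for sandboxes.
SAMPLE_EXPORT = """\
order_id,customer,notes
1001,A. Example,"paid by phone, card 4111111111111111 exp 12/26"
1002,B. Example,"customer ref 1234567890123"
1003,C. Example,"card 5555 5555 5555 4444 (processed, details should be gone)"
1004,D. Example,"typo on card 4111111111111112, re-ordered"
1005,E. Example,"amex 378282246310005"
"""

if __name__ == "__main__":
    # Lines 2, 4 and 6 are reported; line 3 (fails Luhn) and line 5 (typo) are not.
    for lineno, masked in find_pans(SAMPLE_EXPORT):
        print(f"line {lineno}: possible card number {masked}")
```

Run it over a fresh export after the bulk removal; any hit means card data is still present and the order needs cleaning by hand. The regex accepts single spaces or dashes between digits because that is how customers type card numbers into free-text notes, which is where leftovers usually hide.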

Pre-configured Payment Gateways within X-Cart

To comply in full with PCI DSS when processing cards automatically through your bank or financial institution, use an externally hosted payment page. Some of the pre-defined payment gateway options in X-Cart already work this way, but many do not. Those that collect the card number within the cart leave you exposed, because the card data then passes through, and is handled by, your own server and the X-Cart code, and can be captured from a compromised site; X-Cart admin has no way to make that data safe once it has been entered on the customer front-end. We therefore strongly recommend transferring customers to the bank’s secure environment to enter their card details, and returning them to the cart to complete the order.

Even when using a payment gateway where you never need access to the customer’s card details yourself, you still need to make the following changes to your config.php file so that the cart stops collecting card details for those orders.

Open the config.php file, found at the top level of wherever your X-Cart is installed (e.g. the web root, or the /shop directory).

Scroll down until you find the section that refers to credit card storage.

Ensure your config.php has both of the following settings:

$store_cc = false;
$store_cvv2 = false;


The bank or gateway stores the card details on its side and returns a transaction reference that is sufficient both to identify the order and to process it. You do not need to hold any card data in your cart.
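As an added check (example code written for this page, not X-Cart’s own), the script below reads a config.php and confirms that both storage flags are explicitly set to false, ignoring commented-out lines and honouring PHP’s rule that a later assignment overrides an earlier one. It is handy when auditing many stores at once. The two config snippets are constructed; block comments (/* ... */) are not handled, which is a deliberate simplification.

```python
import re

# Added example, not X-Cart code. The config snippets below are constructed.

# Settings that must be false so the cart does not keep card data after checkout.
MUST_BE_FALSE = ("store_cc", "store_cvv2")

_ASSIGN = re.compile(
    r"^\s*\$(store_cc|store_cvv2)\s*=\s*(true|false|0|1)\s*;", re.IGNORECASE
)


def storage_flags(config_php: str) -> dict:
    """Effective value of each storage flag found in config.php text.

    Lines commented out with // or # are ignored, and a later assignment
    overrides an earlier one, as it would when PHP runs the file.
    Block comments (/* ... */) are not handled: a simplification.
    """
    flags = {}
    for line in config_php.splitlines():
        if line.lstrip().startswith(("//", "#")):
            continue
        m = _ASSIGN.match(line)
        if m:
            flags[m.group(1).lower()] = m.group(2).lower() in ("true", "1")
    return flags


def audit(config_php: str) -> list:
    """Return a list of problems; an empty list means both flags are off."""
    flags = storage_flags(config_php)
    problems = []
    for name in MUST_BE_FALSE:
        if name not in flags:
            problems.append(f"${name} is not set: add '${name} = false;' explicitly")
        elif flags[name]:
            problems.append(f"${name} is true: card data will be kept in the database")
    return problems


# Constructed: a config.php as it might look on a site that was never adjusted.
BAD_CONFIG = """\
<?php
// Credit card storage
$store_cc = true;
// $store_cvv2 = false;   <- commented out, so it has no effect
"""

# Constructed: the settings the article asks for (the first line is overridden).
GOOD_CONFIG = """\
<?php
$store_cc = true;    // overridden below
$store_cc = false;
$store_cvv2 = false;
"""

if __name__ == "__main__":
    print(audit(BAD_CONFIG))    # two problems reported
    print(audit(GOOD_CONFIG))   # []
```

Point it at the real file with audit(open("config.php").read()); a non-empty result means card data can still be written to the database regardless of which gateway is selected.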

All cart owners need to have security policies and procedures in place to ensure the safest possible shopping environment for their customers. The recommendations above let you give customers that assurance, and give you peace of mind that, should your site be hacked, you have done everything possible to avoid sensitive customer data being exposed.

To further secure customer credit card payments, you can adopt payer authentication schemes such as Mastercard SecureCode and Verified by Visa; see Use of Payer Authentication below.


Use of Payer Authentication – Mastercard Securecode and Verified by Visa

The additional protection of Mastercard SecureCode and Verified by Visa can only be used where you actually forward customers to the bank’s hosted payment environment to pay for their order by credit card.

How does it work?

After the customer submits their card details to finalise the order, they are taken to a further screen that requires a username/password combination.

The payer authentication scheme lets your customers attach a personal password to their Visa and MasterCard credit cards (similar to the PIN on their ATM card), giving them added assurance that only they can use their cards to make purchases over the internet with participating merchants.

Not all payment processors support Mastercard SecureCode and/or Verified by Visa. We recommend you contact your bank or third-party payment processor to confirm that it is available.

Full details of how to integrate this additional level of security for your customers are available from the card schemes and from your payment processor.

We are proud to be associated with Securepay, who are payment gateway leaders in Australia. Their gateway facility, DirectOne, supports Mastercard SecureCode and Verified by Visa. For more information, please visit: http://www.justxcart.com.au/direct-one-features.html


PCI Compliance Recommended Reading List

Heard of PCI compliance but not sure what it is, how it affects your business and the ramifications if you are not compliant? PCI compliance is the cart owner’s responsibility. Ignorance is no excuse, so get educated and learn how to prevent the exploitation of your customers’ credit card information.

  • Ten Common Myths of PCI DSS
    The Payment Card Industry Data Security Standard (PCI DSS) secures cardholder payment data that is stored, processed or transmitted by merchants and processors. What is fact and what is fiction? This factsheet deflates the myths and gives you the correct information to help you run your online business securely.
  • Getting Started with PCI Data Security Standard
    PCI security for merchants and payment card processors is the vital byproduct of applying information security best practices
  • PCI Data Storage Do’s and Don’ts
    Requirement 3 of the Payment Card Industry’s Data Security Standard (PCI DSS) is to “protect stored cardholder data.” For merchants who have a legitimate business reason to store cardholder data, it is important to understand what data elements PCI DSS allows them to store and what measures they must take to protect those data.
  • Overview of the PCI SSC Skimming Prevention: Best Practices for Merchants
    Skimming is the unauthorized capture and transfer of payment data to another source. Its purpose is to commit fraud, the threat is serious, and it can hit any merchant’s environment. PCI Security Standards currently contain a number of requirements and recommendations to guard against skimming. This “At-a-Glance” provides a snapshot of skimming and introduces areas requiring countermeasures to ensure an appropriate level of security for cardholder data.
  • The Prioritized Approach to Pursue PCI DSS Compliance

Increase Security on your site – Change your Passwords

We would remind all clients that they need to ensure the security of their website at all times by regularly changing all logins relevant to their site, including:

  • cPanel passwords (for both web and email hosting consoles)
  • X-Cart admin password/s

The best passwords are a combination of numbers and letters (lower and upper case), at least 8 characters long; treat 8 as a minimum, since every extra character makes a password considerably harder to guess.

Change cPanel passwords *

Web Hosting Console

1.  Go to: http://cpanel.yourdomainname.com.au/ (use your own domain name; as with the email console below, the https:// form on port 2083 is preferable so that the password is not sent in clear text)
2.  In pop-up window type in the current username/password

3.  Once logged in, under ‘Preferences’ click on the ‘Change Password’ icon

4.  Then type in existing password, and then use the cPanel generator to create a new one

5. Click on ‘Change your password now!’ button and you are done

Email Hosting Console

1.  Go to: https://www.jxc1.com.au:2083/

2.  In pop-up window type in the current username/password

3.  Once logged in, under ‘Preferences’ click on the ‘Change Password’ icon

4.  Then type in existing password, and then use the cPanel generator to create a new one

5. Click on ‘Change your password now!’ button and you are done

* We strongly recommend that you create a password strength of at least 90/100. Just click on the ‘regenerate’ button until you display one strong enough.

Change X-Cart Admin password **

1. Log into your X-Cart admin

2. Under ‘Management’ click on ‘Users’

3. Search for your username

4. Open up your profile, scroll down near page bottom and change password

** We strongly advise that your X-Cart password is a combination of numbers and letters (no spaces or symbols), at least 8 characters long. Also, should you need to give an external party access to your X-Cart admin, create a separate administrator login for them, which can then be deleted once their access is no longer required. Simply go to Management >> Users >> Create administrator profile. This keeps your own credentials private and leaves a clear record of who did what.

FTP

We also suggest that if you need to provide FTP access to an external party, you create a separate FTP login for them via your cPanel web hosting console. Once logged into cPanel, in the ‘Files’ section click on the ‘FTP Accounts’ icon. Once the external party no longer needs access, come back into this section and delete their login.

When accessing your site, use SFTP rather than plain FTP, connecting to the server on port 22351. Plain FTP sends your username, password and every file in clear text, whereas SFTP runs over SSH and encrypts the whole session. Most FTP programs support SFTP.

If you have any questions regarding the above, or need a hand to reset your password, please don’t hesitate to contact us as support@justxcart.com.au.


Database Optimisation

Dear Just X-Cart client,

It has come to our attention that some clients have considerably large databases, which can affect not only their own site’s performance but also monopolise server resources.

Your X-Cart database size can vary greatly depending on what data is stored within it.

As an example, a fresh installation of the default X-Cart software has 100 products and a database of under 6 MB. Unlike a live, active cart, however, a fresh installation naturally holds none of the statistical and other accumulated data that a working store keeps in its database.

If you feel your database may perhaps be a little on the large size, or if you simply want to ensure that it is fully optimised for best performance, we wanted to remind you about the tools available within your X-Cart admin to assist with database and site optimisation.

Just follow these simple steps:

(1) Log into your X-Cart admin
(2) Go to: Administration >> Summary >> Tools

On this page you will see a variety of tasks that can be performed on your database/cart. Simply click on the “more…” links to view the details about each option. Take a backup of your database before running any of the clean-up options, since the data they remove cannot be recovered afterwards.

Even just removing statistics can take a huge load off your database. All databases require maintenance, especially when they store statistics and session data, as your X-Cart store does.

X-Cart has built-in optimisation tools specifically for cart owners to use on a regular basis to keep their site optimised, so don’t forget to make good use of them.


Deleting Mail From The Email Server: Using MacMail

There are two simple steps to remove mail from the server using Mac Mail (this setting applies to POP accounts).

Go to Mail >> Preferences

1. Click on the Advanced Tab and make sure the ‘remove copy from server’ tick box is ticked.

2. From the drop down menu, you have options as to how often you want this to happen. Select the option that is right for you. On our example, we have selected ‘right away’.

To read how to delete mail from the server using webmail, or a local client such as Outlook or Outlook Express, see:

i) Deleting Mail From The Email Server: Using A Webmail Client
ii) Deleting Mail From The Email Server: Using Your Local Email Client


Deleting Mail from the Email Server: Using a Webmail client

Just X-Cart Australia offers three different webmail clients for managing your mail. Below are instructions for each one on permanently deleting email from the server. If you rely exclusively on webmail, configure its deletion settings correctly; otherwise you will eventually exceed your mailbox quota and your incoming email will bounce.

If you rely on a combination of webmail and a local email client, or exclusively on a client such as Outlook or Mac Mail, please also read the article Deleting Mail from the Email Server: Using Your Local Email Client.

Horde

Log into your webmail account

From left-hand navigation click on Options >> Mail >> Deleting and Moving Messages


On the next screen you need to do three things:

  • Tick the box that says “When deleting messages, move them to your Trash folder instead of marking them as deleted?”
  • From the drop-down menu headed ‘Trash folder:’ select the option ‘Trash’
  • Tick “Display the ‘Empty Trash’ link in the menubar?”

Then click on ‘Save Options’


Your webmail is now set up so that when you delete an item from your Inbox, by ticking the box next to it and deleting, that email goes into the ‘Trash’ folder.


From here you can either go into ‘Trash’, if you have accidentally put an item there that you actually want, and ‘move’ that email back into the Inbox or the desired folder within webmail, or, if you are confident that everything in ‘Trash’ can go, click on the ‘Empty Trash’ icon at the top of the page.

It may seem like double handling that a deleted item is not removed from the server straight away, but it gives you a chance to notice an email deleted by accident before it disappears for good, much like the Windows Recycle Bin.

SquirrelMail

Unlike Horde, you don’t have to set anything up first: SquirrelMail is already configured to move deleted items to ‘Trash’, with the option of full deletion afterwards.

Open SquirrelMail

When you have an email to delete, simply tick the box next to it and click on the ‘Delete’ button. By default the deleted email always goes to the ‘Trash’ folder.

To remove the email completely from the server, simply click on the word (Purge) to the right of the ‘Trash’ link.


Roundcube

Roundcube moves ‘deleted’ emails straight to the Trash, but as initially set up it requires you to go into Trash, highlight the email and click on the ‘Delete’ icon to remove it from the server.


If you would like ‘Trash’ to be emptied from the server automatically when you log out, go to Personal Settings >> Preferences, scroll down and tick the box that says “Clear Trash on logout”.


* Warning: with Roundcube set up this way you will not be able to retrieve any mail accidentally put in the ‘Trash’ folder once you log out, so be sure that no wanted email has been ‘deleted’.


Deleting Mail from the Email Server: Using your local email client

By setting up your local email client correctly you can avoid storing mail permanently on the server, which would otherwise eventually exceed the mailbox quota for your email account.

If you use webmail, we recommend you read “Deleting Mail from the Email Server: Using a Webmail client”.

Outlook / Outlook Express

(1) Go into the Email Accounts section, select the email address, and then go through to the ‘Advanced’ screen

(2) Under the ‘Delivery’ section, by default, it will be set not to save any email on the server. Alternately you can set things up to save emails on the server based on certain conditions such as a specific time period in ‘days’ that mail will be kept on the server, or instead based on when you delete the email from your ‘Deleted Items’ folder.


