Removal of credit card information from X-Cart software
Hacking and security breaches are an everyday part of life on the internet, so there are certain things you need to do when handling credit cards on your X-Cart site.
Whether utilising manual credit card processing, or an automated payment gateway option, you need to ensure that you make your cart as secure as possible when handling sensitive data like customer credit card information.
Manual processing for Credit Cards
We strongly recommend against utilising the manual credit card processing payment method, because it requires customer credit card information to be retained in its full, unencrypted format within your X-Cart admin until you process the credit card. Further to this, it is not PCI DSS compliant, and PCI DSS compliance has been a mandatory obligation since September 2006 for all shopping cart owners who process credit cards. Even if you remove the credit card information immediately after processing, you still run the risk of exposing that credit card information to a hacker in the time between the order initially being placed and the time you actually open the order to retrieve the credit card information.
If you must utilise manual credit card processing, be sure to remove the credit card details from the order immediately after processing the order. If you have not done this for quite some time, or ever, then you can remove all credit card details from all ‘processed’ and ‘completed’ orders in a bulk process by doing the following:
In your X-Cart admin, go to the ‘Administration’ section >> Summary >> Tools
Then tick the boxes relevant to how you want the credit card information deleted and/or preserved – see screenshot below.

Furthermore, to guard against unauthorised use of credit cards, ensure that the CVV2 section is activated, so that when a credit card is processed through your site the customer must physically have the card in hand and flip it over to enter the 3-digit number.
Pre-configured Payment Gateways within X-Cart*
To comply in full with PCI DSS standards, you need to utilise an externally hosted payments page when processing credit cards automatically through your bank or financial institution. Some of the pre-defined payment gateway options in X-Cart already allow this, but many don’t. Those that don’t leave you open to exploitation of sensitive data when credit card information is collected within your cart, because there is no way for X-Cart admin to encrypt the credit card information once it has been entered on the customer front-end during the order process. As such, we highly recommend instead transferring your customers externally to the bank’s secure environment to enter credit card information, and then returning them to the cart to complete the order.
When utilising a payment gateway for which you don’t yourself need access to the customer credit card information, you still need to make the necessary changes to your config.php file to stop the cart collecting the credit card information for those orders.
Open up the config.php file, found in the root level of wherever your X-Cart is housed, e.g. the root directory, or the /shop directory etc.
Scroll down until you find the section that refers to credit card storage.
Ensure your config.php has the following settings:
$store_cc = false; and
$store_cvv2 = false;
See screenshot below.
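One way to verify the two settings above without opening the file by hand, as an added example that is not part of X-Cart or of the original article: a small Python check that ignores commented-out lines and honours the last assignment in the file. The function names, the script name and the sample config are assumptions constructed for illustration.

```python
import re
import sys

# Settings the page says must be false in X-Cart's config.php.
REQUIRED_FALSE = ("store_cc", "store_cvv2")

# "$name = value;" on one line; the value may not span lines.
ASSIGN_RE = re.compile(r"^[ \t]*\$(\w+)[ \t]*=[ \t]*([^;\n]+?)[ \t]*;", re.MULTILINE)

# Constructed sample, not a real X-Cart config.php.
SAMPLE_CONFIG = """<?php
// $store_cc = false;   (commented out, so it has no effect)
$store_cc = true;
/* $store_cvv2 = true; */
$store_cvv2 = FALSE;
"""


def strip_php_comments(src):
    """Drop /* */ blocks and //, # line comments (string literals are not parsed)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL)
    return re.sub(r"(//|#).*", "", src)


def audit_card_storage(config_text):
    """Map each required setting to 'ok', 'not_false' or 'missing'."""
    last = {}
    for name, value in ASSIGN_RE.findall(strip_php_comments(config_text)):
        last[name] = value.lower()  # a later assignment overrides an earlier one
    result = {}
    for name in REQUIRED_FALSE:
        if name not in last:
            result[name] = "missing"
        else:
            result[name] = "ok" if last[name] == "false" else "not_false"
    return result


if __name__ == "__main__":
    # Hypothetical usage: python check_cc_storage.py /path/to/config.php
    # With no path given, the constructed sample above is audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    report = audit_card_storage(text)
    for setting, status in report.items():
        print(f"${setting}: {status}")
    sys.exit(0 if all(s == "ok" for s in report.values()) else 1)
```

The non-zero exit status when either setting is missing or not false lets the check run from a scheduled job or deployment script.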

The banking system itself will store the credit card information in an encrypted state sufficient both to process the customer’s order and to clearly identify the order. You do not need to hold any such information in your cart.
All cart owners need to have security policies and procedures in place to ensure the safest shopping environment for their customers. The above recommendations allow you to give that assurance to customers, and also provide you with peace of mind that, should your site be hacked, you have done everything possible to avoid sensitive customer data being exploited.
To further secure customer credit card information, you can adopt facilities such as MasterCard SecureCode and Verified by Visa.