implementation guide - zen-cart.com · ©zen cart® development team implementation guide – rev...

©ZenCart®DevelopmentTeam ImplementationGuide–rev1.9.8.6 Page1

ZenCart®Documentation

ImplementationGuide

forZenCart®Version1.5.6Document ImplementationGuideAuthor ZenCart®TeamDocumentRevision DocumentRev1.9.8.6DocumentRevisionDate 15November2018

1. Introduction .................................................................................................................................. 5 2. Installation Requirements .............................................................................................................. 5

2.1 Before Starting, Ask Yourself These Questions: ..................................................................... 5 2.1.1 Do You Have A Domain? ............................................................................................... 5 2.1.2 Am I Using A Wireless Network? .................................................................................. 5 2.1.3 Are You Using a Personal Firewall on Your Computers? ................................................ 5 2.1.4 Do You Have A Good Text Editor Program? .................................................................. 5 2.1.5 Do You Have Access To Your Webhosting Control Panel to Create a MySQL Database and User? ...................................................................................................................................... 6 2.1.6 Do You Have Reliable FTP/SFTP Software?.................................................................. 6

2.2 Domain Name Requirements ................................................................................................. 7 2.3 Server Hardware Requirements ............................................................................................. 7 2.4 .................................................................................................................................................... 7 2.5 Server Software Requirements .............................................................................................. 7 2.6 Other Installation Requirements ............................................................................................ 9

3. Obtaining the Current Zen Cart®Release ................................................................................... 10 3.1 Verifying integrity using Hash Keys .................................................................................... 10 3.2 Patches ................................................................................................................................ 10 3.3 Updates/Upgrades ............................................................................................................... 10 3.4 Notification of New Releases/Updates ................................................................................. 10

4. Unpacking and Uploading the Application Software Files ........................................................... 11 4.1 Tools Required .................................................................................................................... 11 4.2 Unzipping/Unpacking.......................................................................................................... 11 4.3 Where Do I Upload To? ....................................................................................................... 11 4.4 Advanced Method ............................................................................................................... 12

5. Pre-Installation Actions ............................................................................................................... 12 5.1 New Installations ................................................................................................................. 12

5.1.1 File/Folder Permissions ............................................................................................... 12 5.2 Upgrades ............................................................................................................................. 13

6. Running the Web-Based Installer ................................................................................................ 15 6.1 New Installs ........................................................................................................................ 15

6.1.1 Introduction ................................................................................................................. 15 6.1.2 Step 1 Welcome and System Inspection ....................................................................... 16 6.1.3 Step 2 System Setup .................................................................................................... 19 6.1.4 Step 3 Database Setup.................................................................................................. 21 6.1.5 Step 4 Admin Setup ..................................................................................................... 22

6.1.6 Step 5 Setup Finished .................................................................................................. 24 6.2 Using zc_install to do The Database Upgrade Step of a Site Upgrade .................................. 24

6.2.1 Introduction ................................................................................................................. 24 6.2.2 Upgrading configure.php files, if necessary ................................................................. 25 6.2.3 Step 1 Welcome Screen and System Inspection ............................................................ 25 6.2.4 ............................................................................................................................................ 26 6.2.5 Step 2 Version-Upgrade Checkboxes ........................................................................... 26 ................................................................................................................................................... 27 6.2.6 Step 3 Database-Upgrade Step Finished ....................................................................... 28

7. Post-Installation Actions ............................................................................................................. 29 7.1 Changing The Admin Directory Name for Security (By-Obscurity) ..................................... 29 7.2 Enabling SSL for HTTPS in your Admin ............................................................................. 29 7.3 Setting Directory and File Permissions ................................................................................ 29 7.4 Removing the Installation Directory .................................................................................... 30 7.5 Blocked Administration Access ........................................................................................... 30 7.6 Removing Unnecessary Directories ..................................................................................... 31

8. Accessing the Administration Panel and Configuring Administrative Users and Passwords ......... 32 8.1 Introduction ......................................................................................................................... 32 8.2 Administrator Access to Credit Card Numbers .................................................................... 32 8.3 Administrative User Access and PA-DSS requirements ....................................................... 32 8.4 Users ................................................................................................................................... 33 8.5 Profiles ................................................................................................................................ 34 8.6 Admin Activity Logs ........................................................................................................... 35

8.6.1 Daily Log Review – Important Things To Monitor....................................................... 36 8.6.2 Review or Export Logs ................................................................................................ 37 8.6.3 ............................................................................................................................................ 38 8.6.4 Purge Log History action ............................................................................................. 38 8.6.5 PA-DSS Logging – Technical Details ........................................................................... 39 8.6.6 Centralized Logging .................................................................................................... 39

9. Code Customization, Addons, and Plugins .................................................................................. 41 10. Engaging 3rd-Party Consultants or Programmers .................................................................... 42

10.1 Webstore “Admin”/Backend access ..................................................................................... 42 10.2 FTP Access.......................................................................................................................... 42 10.3 Webhosting Account's Control Panel access ........................................................................ 43 10.4 Secure use of customer database and website files ............................................................... 43 10.5 Two-Factor Authentication .................................................................................................. 43

11. Removing Old Non-PCI-Compliant Data ................................................................................ 45 11.1 Removing Old Credit Card Data From Database Records .................................................... 45 11.2 Suggested Procedure For Secure Erasure of Old CHD data.................................................. 45

12. Network Diagram .................................................................................................................... 47 13. Dataflow Diagram ................................................................................................................... 48 14. Notes about PA-DSS Compliance ............................................................................................ 49

14.1 Cardholder Data .................................................................................................................. 49 14.2 Cryptographic Keys and Key Management .......................................................................... 49 14.3 Protocols, Services, Dependent Software and Hardware ...................................................... 50 14.4 Settings sensitive to PCI compliance ................................................................................... 50

15. Additional Requirements for PA-DSS Compliance .................................................................. 52 15.1 Consequences of altering the system to store cardholder data .............................................. 52 15.2 Default Accounts ................................................................................................................. 53 15.3 Strong Authentication Controls ............................................................................................ 54 15.4 Secure Access ...................................................................................................................... 54

16. Appendices ............................................................................................................................. 55 16.1 MySQL Root Password Reset .............................................................................................. 55 16.2 Password Security in Zen Cart® .......................................................................................... 55 16.3 Wireless (WiFi) Networks ................................................................................................... 55

17. Implementation Guide Changelog ........................................................................................... 57

1. Introduction ThisImplementationGuideismeanttohelpyounotonlywithimportantsubjectsrelatedtoinstallingorupgradingtheZenCart®applicationbutalsotounderstandtheissuesrelatedtosecurelyimplementingZenCart®inamannerthatisPA-DSScompliant.

PA-DSSItisarequirementofthePA-DSSthatyoufollowtheinstructionsinthisImplementationGuidewheninstallingorupgradingyourZenCart®application.Notealso,thatthisguideiswrittenforthev1.5.6releaseofZenCart®unlessotherwisenoted.

2. Installation Requirements

2.1 Before Starting, Ask Yourself These Questions:

2.1.1 Do You Have A Domain? IfNo,stopandrefertosection2.2forinformationaboutregisteringadomainforyourwebsite.Youneedadomainnametohostyourwebstoreonawebserver.

2.1.2 Am I Using A Wireless Network? Ifyouareusingawirelessnetworktoaccessyouronlinestore,itMUSTbeconfiguredsecurely.Thatmeanssecuringyourwifinetworkwithastrongcomplexpassword,andNOTusingtheoneprovidedbydefaultwhenresettingitorunboxingit.SeetheAppendixofthismanualforadditionalrequirementsforproperlysecuringyourwirelessnetwork.

2.1.3 Are You Using a Personal Firewall on Your Computers? Forsecurity,youshouldalwaysuseapersonalfirewallwhenaccessinganyonlinesystems,especiallyyourownonlinestore'sadministrationarea.

2.1.4 Do You Have A Good Text Editor Program? Ifno,stop…youwillneedagoodTextEditingapplicationsuchasVisualStudioCode,SublimeText,Notepad++,UltraEdit,BBedit,Kedit,ormaybeamoreadvancedtoollikePhpStorm.ThistexteditorapplicationwillbeusedformodifyingthefilesifyoucustomizetheZenCart®software.NOTE:DoNOTusecPanelforeditingfiles,norMicrosoftWordorothersoftwaredesignedforfancywriting…youwantanicecleantexteditorwhichdoesn'taddextra“junk”intothefiles.

2.1.5 Do You Have Access To Your Webhosting Control Panel to Create a MySQL Database and User?

BEFOREYOUPROCEEDTOINSTALLATION,makesureyouhaveaccesstoaMySQLdatabase,andusername/passwordtothatdatabase.Youmayneedtocreatethedatabaseusingyourwebhostingaccount'scontrolpanel.Contactyourwebhostingcompanyforassistance.ZenCart®cannotcreatethedatabaseforyou.Youmustuseastrongsecurepassword.(YouneedtograntthefollowingpermissionstoyourMySQLdatabaseuser:SELECT,INSERT,UPDATE,DELETE,CREATE,ALTER,INDEX,DROP.IfyoumustchoosefrommoregenericoptionssuchaswithanhSpherehost,thiswouldbeequivalentto“dba”accessoratleast“read/write”.)InafullyPCI-Complianthostingsetup,thedatabaseserverwouldbebehindaDMZ,onaseparateserverotherthanthemainwebserver.InthiscasetheDMZfirewallwillneedtohaveport3306openforcommunicationbetweenthetwoservers'IPaddresses.Itmayalsobenecessarytograntadditionalprivilegestothedatabaseusernameyoucreatedinthisstep.Yourserveradministrator(hostingcompany)canassistyouwiththeseconfigurationdetails.Youwillalsoneedtoknowtheappropriate“host”addressforthedatabaseserver.Ifitis“localhost”thenthatmeansthedatabaseisonthesameserverasthewebserverengine,whichisusuallynotaPCI-Compliantconfiguration.Yourhostingcompany/serveradministratorcanprovideyouwiththecorrect“hostname”orIPaddressforthedatabaseserver.Youwillusethisinformationduringinitialsetupviathezc_installscriptexplainedinthefollowingsections.

2.1.6 Do You Have Reliable FTP/SFTP Software? IfNo,stop.YouneedtoobtainareliableFTPsoftwarepackagesuchasFileZilla,WinSCP,orTransmit.Thisapplicationisusedtotransferfilesbetweenyourcomputerandyourwebserver.(“FTP”isaverycommonwebsiteacronymfor“FileTransferProtocol”)(“webserver”referstothecomputerontheinternetwhereyouhaveyoursite/domainhosted)YoushoulduseanFTPprogramcapableofconnectinginsecureSFTPmode(orFTP-with-Implicit-TLS)whenworkingwithyourwebsite.TutorialsonhowtouseFTP/SFTPareavailableonlinefromthevendorofyourFTPsoftware,orgenericallyfromanynumberofonlinereferencewebsites.Wheneveranyonementions“FTP”,youshoulduseSFTPorFTP-with-Implicit-TLSinstead.Thisincludesanysubcontractorsyouhiretoworkonyourwebsiteforyou.WhySFTPvsFTP?PlainFTPmodetransfersfilesinplain-textovertheinternet,whereasSFTP(“SecureFTP”)usesasecureencryptedconnectionfordoingthetransfer.Thisisimportantsincethefilesyouaretransferringto/fromyourservermayincludesensitiveinformation.UsinganSFTPconnectionwillcauseyourdatatobeencryptedasitistransferred,thusprotectingitfrompryingeyes.ManyFTPprogramscapableofSFTPareavailableforfreeorforamodestfeefromvariousonlinevendors.OneverypopularsuchapplicationisFileZilla,whichworksonbothWindows®andMac

OSX®.Somepeoplepreferthemoreadvancedlook/feelofpaidapplications.Thechoiceisyours.NOTE:Ifyourhostingcompanyprovidesafile-uploadserviceorFTPappthatrunsinsideyourbrowser,westronglyrecommendthatyouDONOTusethatforuploadinglargeamountsoffilestoyourserver.Theymayworkforindividualfiles,butareseldomreliablewhenuploadinglargenumbersoffilessuchasafreshinstallofZenCart,sincetheywilloftentimeoutwithoutshowinganyerror,andleaveyouwithadamagedsetoffileswhichoperateunpredictably.Incompleteuploadsarethemostcommoncauseofproblemsonnewsites.

2.2 Domain Name Requirements Youwillneedaregistereddomainname,connectedtoyourwebhostingaccountatyourwebhostingcompany.Ifyouneedtoregisteradomainname,werecommendusinghttps://hover.comTemporaryuseofmerelyanIPaddressmayworkduringinitialinstallation,buttoactuallyrunyourshopwillrequireuseofadomainname.Ifyourdomainisbrand-newandispendinginitialsetupbyyourhostingcompany,atemporarydomainnamemaybesuppliedtoyousoyoucangetstartedwithoutwaiting.Changingthedomain-nameinZenCart®afterinitialsetupwillrequiremanualeditingofyourconfigure.phpfiles.Anarticleonmakingsuchchangescanbefoundathttps://tutorials.zen-cart.com

2.3 Server Hardware Requirements ZenCart®itselfdoesnot“require”anyparticularhardware,aslongasthehardwareyouuseforyourhostingservicesupportsthesoftwarerequirementsthatfollow.However,youshouldbeawarethatsomehardwareconfigurationssuchasinadequateserverRAM,slowserverharddrives,excessivelyrestrictivefirewalls,etc,canadverselyaffecttheoperationoftheZenCart®application.

2.5 Server Software Requirements Technicallyspeaking,ZenCart®v1.5.6willworkwiththefollowingminimumrequirements: PHPversion>=5.4upto7.3 MySQLversion>5.1upto5.7.xorMariaDB10.1to10.3 Apacheversion>2.2or2.4However,forPA-DSScompliance,youmustusethelateststableversionsofPHP,MySQLandApache.Asofthedateofthiswriting,therecommendedversionsforPA-DSScomplianceare:

PHPversion>=7.2.12or7.3(ref:http://php.net)MySQLversion>=5.7.24or5.6.42(ref:https://dev.mysql.com/downloads/mysql)Apacheversion>=2.4.37(ref:https://httpd.apache.org)

Note:WhilewerecommendtheuseofApacheasyourwebserversoftware,ZenCart®willalsoworkwithMicrosoftIISandotherWebServers(e.g.nginx),howeversomesecurityfeatureswillceasetowork.Additionalinformationonthisisprovidedinthenextsectionregarding.htaccess.TheZenCart®PA-DSScertificationisperformedonLinux+Apache,sousingitonIISornginxinvalidatesthecertificationforyoursite,andwillrequireyoutoself-certifyusingyourownQualifiedSecurityAssessor.

PHPExtensionsYouwillalsoneedtoensurethatyourPHPversionhasthefollowingmodulesinstalled:

• cURL–Requiredforsomeshippingandpaymentmethods.(eg:sudoapt-getinstallphp-curl)

• OpenSSLsupport–UsuallythisiscompiledintoPHPandcURLuponinstallofPHPSSLCertificateforHTTPSUnlessyouwillhavenocustomersaccessingyoursiteviatheinternet,youwillwantanSSLcertificateaddedtoyourhostingaccount.A“shared”certificatemaywork,butdedicatedispreferredasitisamoreseamlessexperienceforyourcustomersandismucheasiertoconfigure.AnSSLCertificateisusedtoencryptsensitivedatawhentransmittingfromthecustomer'sbrowsertoyoursiteSecureTLS(particularlysupportforTLS1.2or1.3)TLSisusedtoencrypttransmissionsfromyoursitetopaymentgatewaysorothersystemslikeshipping-quoteservices,3rd-partyorderfulfilmentservices,etc.It'simportantthatyourwebserverbeproperlyconfiguredforTLStobeusedwithCURL,andnotsupportold/insecureversionsofSSL/TLS.SFTPorFTP-with-Implicit-SSL/TLSYouwillalsoneedtoensurethatyourhostingserviceallowsyoutouseSFTPorFTP-with-implicit-TLSfortransferringfilesto/fromyourhostingserver.Seesection2.1.6aboveformoredetail.

MySQLZenCartv1.5.6alreadyaccommodatesthis,butitismentionedhereforcompatibilityreasons:AsofMySQL5.6theNO_ZERO_DATEandNO_ZERO_IN_DATEmodesaredeprecated,andasofMySQL5.7theyareincludedinSTRICT_ALL_TABLESandSTRICT_TRANS_TABLESmodes.Ifyourdatabasecontainsfieldswith0000-00-00inthedataortheschema,youmayneedtoensurethatyourMySQLserverisconfiguredwitheitherSTRICT_ALL_TABLESorSTRICT_TRANS_TABLESmode…ormakeappropriatechangestoyourPHPfilesandthedataalreadyinyourdatabasetables,andyourdatabaseschema.SomestrictGROUPBYrulesmayalsoneedaddressing.

2.6 Other Installation Requirements

PA-DSS.htaccessrequirementsZenCart®usesApache.htaccessfilestobetterprotectsomedirectoriesforsecuritypurposes.YoushouldensurethatyourApachesettingsallowfortheuseof.htaccessfilesonyourWebserver(mostdo).IfyouareunsurepleasecheckwithyourHostingprovider.Specifically,ApachemustbeconfiguredwithAllowOverridesettoeither'All'oratleastboth'Limit'and'Indexes'parameters,andpreferablythe'Options'parameteraswell.eg:<directory/name-of-your-document-root-folder-here>AllowOverrideAll#Options-Indexes#uncommentthistopreventalldirectory-listings</directory>IISornginxIfyouarenotusingApacheasthewebserver(e.g.youareusingIISornginx)thenyoushouldtakestepstoprotectthedirectoriesinasimilarmannertothe.htaccessfilesZenCart®suggests.Inspecteach.htaccessfileinthedistributionfilesandbuildcorrespondingrulesappropriateforyourwebserverengine.SSLCertificatesforHTTPSYourwebservermustbeabletoservepagesusingSSLencryptionandyoushouldhaveanSSLcertificatecorrectlyinstalledforyourdomain.IfyoudonothaveSSLorareunsure,thenonceagainyoumustconferwithyourHostingprovider.TLS-YourwebservermustbeconfiguredtouseonlysecureversionsofTLS.SecureFTPYourhostingservicemustalsooffertheabilitytouseSFTPorFTP-with-implicit-TLSfortransferringfilesto/fromtheserver.

3. Obtaining the Current Zen Cart®Release ThecurrentreleaseisobtainableviaSourceForge:https://sourceforge.net/projects/zencart/filesorAmazonAWSviahttps://www.zen-cart.com/latest_https.Thereleaseisprovidedasa.zipfile.ForPCICompliance,youshouldverifytobesureyourbrowserisactuallydownloadingviaHTTPS.

3.1 Verifying integrity using Hash Keys Hashkeysareawayofcheckingthevalidityofazipfile.WeprovidebothMD5andSHA1hashesforthecurrentrelease.ThevalidationhashescanbeseenbelowthedownloadlinkonthehomepageoftheZenCart®supportwebsiteathttps://www.zen-cart.com.ThehashesarealsoshownonSourceForge.ThereisalsoinformationonhowtouseandcheckthehashkeysinthefollowingFAQarticle:http://www.zen-cart.com/content.php?305-how-to-validate-the-integrity-of-a-downloaded-file

3.2 Patches Thenormaldistributionofupdatesistoreleaseanewversionwithfixesincluded.Intherareoccasionthataseparate.zipfileisreleasedasapatch,thesamehash-verificationdescribedaboveshouldbeperformedonthezipfilebeforeunzippingtoinstallitonyourwebsite.Again,thesezipswillbereleasedonSourceForge.

3.3 Updates/Upgrades Updatesmustbeperformedmanually.Thereisnobuilt-inautomatedfacilityforupgradingthesoftware.(Thesoftwarecanautomaticallybringyourdatabasecontentup-to-datewhenupgrading,butthisONLYhandlesthedatabasedata,andnotthePHPfileswhichruntheactualsoftwarelogic.)PCI-DSSandPA-DSSrequiresthatwespecificallyinformyouthat“thepaymentapplicationdoesnotreceiveautomaticupdates”andfurtherrequiresthatwhenyouoryouragentinstallsupdatesthattheydosoinasecurePCI-DSSandPA-DSScompliantmanner,andthataccessforsaidpurposeislimitedtothedurationoftimerequiredtoperformsaidtasksandaccessisremovedthereafter.Seesection10ofthisguideformoreguidance.

3.4 Notification of New Releases/Updates Therearenumerouswaystobecomeawareofanewrelease.Butallupdatesareobtainedmanuallybythemerchantthemselves,andtransmittedtotheserverthemselves.Installationisnotautomated.

• NotificationinyourAdminconsole.Thereisabuttonintheupperrightcornerofyouradminconsolewhichcanbeusedtocheckfornewversions.Insomecasesthisbuttonmayautomaticallydisplayamessagethatanewversionisavailable.ThisisdonebyqueryingtheZenCart®versioningservertodeterminewhatthelatestversionnumberis.ItdoesnottransmitanyspecificinformationtotheZenCartversioningserver.Itsimplycomparesyourversionwiththelatestversionavailable,andinformsyouifthereisadifference.

• NotificationpostsontheZenCart®supportsite.YoucansubscribeyourselftothesenoticesbyregisteringontheZenCart®supportsiteandclickingtheSubscribeoption(link)intheNewsAndAnnouncementssection.

• AlertsonSourceForge.netortheZenCart®wikisite,andthe@ZenCarttwitterfeed.

4. Unpacking and Uploading the Application Software Files

4.1 Tools Required Beforeyoucanunpackanduploadthefilestoyourserver,youwillneedtwoimportanttools:

• An“unzip”utility,suchas7-zip,WinZip,unRar,BetterZip,etc.Manyunziputilitiesareavailableforfree,forvariouscomputeroperatingsystems.Chooseonethatsuitsyourcomputerbest.IMPORTANT:Whenyouunzip,youneedtoensurethatyourunzipprogramretainstheembeddedfile-structure.Usuallythatsettingisproperly“on”bydefault,butifitpromptsyousaying“xxxxxxfilealreadyexists–overwrite?”orsimilar,thenit'smostlikelyonlyextractingthe“files”andnotalsothe“folders.Inthatcaseyou'llneedtomakeappropriateadjustmentstoyourunzipapplicationsettingsbeforeyoucanproperlyunziptheZenCart®files.

• AnFTPapplicationcapableofSFTP.Seesection2formoreinformationonFTPandSFTP.YoumustusestrongsecurepasswordsforyourFTP/SFTPaccesstoyourwebserver.

4.2 Unzipping/Unpacking TheZenCart®releaseispackagedasazipfile.Youwillneedtounzipthisfileusinganappropriatetool/applicationonyourlocalcomputer,beforeuploadingittoyourwebserver.NOTE:Whenyouunzipthefileitwillcreateafolder,whichwillbenamedsomethinglike

zen-cart-v1.x.x-xxxxxx...NOTE:Youshouldnotuploadthis“zen-cart-v1.x.x.-xxxxx...”directorytoyourwebserver,butratherthecontentsofthatdirectory.

4.3 Where Do I Upload To? Thedirectoryonyourwebserverthatyouneedtouploadtoisusuallyspecifictothehostingplatformyouareusing,andyouwillneedtocheckthosedetailswithyourhost.Usuallythiswillbethe“public_html”or“www”or“httpdocs”or“http”folder,dependingonhowyourhostingcompanyhasconfiguredtheirserver.Basically,inyourFTPapplication,lookfora“public_html”or“www”or“htdocs”or“httpdocs”or“wwwroot”folder.Thesearethecommonfoldernamesforwhatisreferredtoasthe“webroot”,whichiswhereallwebsitecontentisservedfrom.YourZenCartfiles(oranyfilestorunyourwebsite,forthatmatter)needtobeunderthatfolder.Ifthey'renot,thenyou'regoingtoencounter“notfound”errors…becausethecontentisnotfound!

4.4 Advanced Method Youcanoptionallysavesometimebyuploadingthezipfiledirectlytoyourserver(usingFTPetc.),andunpackingitinsituifyourhostingcompanyprovidesyouameansofunzippingfilesontheserverside.Talktoyourhostingcompanyaboutthis.

5. Pre-Installation Actions

5.1 New Installations BeforerunningtheZenCart®installeryouwillneedtoaddressthefollowing.

1) MySQLDatabaseEnsurethatyouhavecreatedanemptyMySQLdatabase(andcorrespondingusernameandstrongsecurepassword)forusewithZenCart®.Howyoudothisdependsonyourhostingconfiguration.UsualmethodsincludeusingcPanelorphpMyAdmin.Ifyouareunsure,pleasecheckwithyourhostingcompany.StrongsecurepasswordsarerequiredforPCI/PA-DSScompliance.ForPCIcompliance,youmustNOTusethe“root”accountforyourdatabasecredentials.Also,seesection2fornotesaboutMySQLconfigurationdetailsneededforproperlyconfiguringitinasecureDMZscenario,asrequiredforPCIcompliance.

2) configure.phpfilesTwofilesneedtobecreatedontheserver.Thesearetheconfigure.phpfilesthatwillcontainimportantinformationtoidentifythesettingsofyourparticularserverandthelocationofthefilesthatyoujustloaded.Aftertheyhavebeencreated,youwillthenneedtochangethepermissionsonthesefiles.

Foranewinstall,thesimplestwaytodothisistorenamethesetwofiles:- /includes/dist-configure.phpto/includes/configure.php-/admin/includes/dist-configure.phpto/admin/includes/configure.php

3) Setfileandfolderpermissionsasexplainedinthenextsection.

5.1.1 File/Folder Permissions ChangingpermissionsonthesefilescanoftenbedoneusingyourFTPapplication(unlessyouarehostedonaWindowsserver).Or,youcanuseaFileManagerconsoleprovidedbyyourhostingcompany'scontrolpanel.Ifyouneedhelpunderstandingtheconceptsoffilepermissionsandsomegeneralguidanceonmakingthesechanges,consultthistutorialarticle:http://www.zen-cart.com/content.php?51-how-do-I-set-permissionsInthefollowinginstructions,the“INSTALL_DIRECTORY”isthe“webroot”folderintowhichyouuploadedyourZenCartfilesasexplainedintheprevioussection.

4) EnsurethattheINSTALL_DIRECTORY/includes/configure.phpandINSTALL_DIRECTORY/admin/includes/configure.phparewriteable.Thesefileneedstobewriteableduringtheinstallationonly,sothattheinstallermaysavesomeimportant

settingstothem.Oncetheinstallationiscompleteyouwillneedtomakethefilesreadonlyagain.

5) EnsurethatthedirectoryINSTALL_DIRECTORY/cacheiswriteable.Thisdirectoryneedstobewriteable,astheZenCart®applicationmayneedtostoresomeimportantfileshere(ie:SessionandCachedata).

6) EnsurethatthedirectoryINSTALL_DIRECTORY/logsiswriteable.Thisdirectoryneedstobewriteable,astheZenCart®applicationmayneedtostoresomeimportantfileshere(ie:namelyPHPerrorlogsanddebugoutput).

7) EnsurethatthedirectoryINSTALL_DIRECTORY/imagesiswriteable.Theimagesdirectoryneedstobewriteabletoallowfortheuploadingofproductandotherimagesthatyouwilluseinyourstore.Youradminbackendwillbeusedforuploadingproduct/categoryimageshere.

8) EnsurethatthedirectoryINSTALL_DIRECTORY/pubiswriteable.Thepubdirectoryneedstobewriteabletoallowforthedownloadingofanyvirtualproductsthatyousell,eg.Mediafiles(mp3/wmv/pdf).Ifyoudonotintendtoeversellthesetypesofproductsthenthisdirectorydoesnotneedtobewriteable.

9) EnsurethatthedirectoryINSTALL_DIRECTORY/admin/images/graphsiswriteable.Thisdirectoryneedstobewriteabletoallowforthecreationofgraphimagesthatrepresentthestatisticsforanybannersyoumayserve.Ignorethisifyou'renotusingtheBannerManager.

Note:Afterinstallationiscomplete,youwillneedtochangesomepermissionsagain.Moreinformationisgivenlaterinthisdocument(SeethesectiononPost-InstallationActions.)

5.2 Upgrades Upgradingyoursitebetweenv1.xversionsisonlyascomplexastheamountofcustomizationyou'vemadetoyoursite.You'llneedtoconsiderupgradestoanyplugins/addonsyou'veinstalled,aswellaschangesyou'vemadetoanycorefiles,andanychangesmadebyoverridingfileswithcustomversionsofthosefiles.AproperFULLUPGRADEbetweenv1.xversionsisessentiallyarebuildofyourcurrentsite,butusingthenewversion.Whilethatmaysounddaunting,itdoesn'tneedtobe.ThereareautomatedtoolssuchasWinMergeorBeyondComparewhichcanhelpyouquicklyidentifyallthechangesyoumadetoyouroldsite,sothatyoucaneasilyre-makethosechangestoyournewsite.Alwaysreadthe“WhatsNew”and“ChangedFiles”logslocatedinthe/docs/folderofthenewversion'srelease-zipfile,becausespecificupgradeinstructions,ifany,foreachversionwillbelistedthere.

Warning:Youshouldneverdirectlyupgradealivesite.Alwaystestitseparatelyfirst!

Yourupgradeshouldbestagedusingaseparatefolder+databaseonyourserver,andthenmigratedtothelivesiteonlyafteryou'vetestedtoconfirmthatnoproblemshavebeenintroducedinyourimplementationoftheupgrade.

Asimplifiedguideforupgradingisfoundathttp://www.zen-cart.com/entry.php?3-How-do-I-rebuild-my-site-on-the-new-versionPleaseseehttp://www.zen-cart.com/upgradesforguidanceregardingupgradingyoursite.

6. Running the Web-Based Installer

6.1 New Installs

6.1.1 Introduction ToruntheZenCart®installationwizard,youwillneedtouseyourbrowsertoaccessthewebserverwhereyouinstalledZenCart®.Theinstallationwizardisaccessedfromthefolder/zc_install.Soifyouhavesetyourwebserveruptobeaccessedashttp://www.MY_DOMAIN.com/Thenyouwouldneedtosetyourbrowserurltohttp://www.MY_DOMAIN.com/zc_install/Note.IfyouattempttoloadtheURLwhereyourstorewillultimatelyreside,beforerunningtheInstallationwizard,youmaygetablankpage,orascreenthatlookslikethescreenshotbelow.

6.1.2 Step 1 Welcome and System Inspection TheSystemInspectionpagechecksthatvariousrequiredwebservercomponentsexist,andpermissionsaresetcorrectlyfortheZenCart®applicationtofunctioncorrectly.Youshouldreviewallitemsonthispageandtakeanynecessaryactionstocorrectproblemshighlightedhere,beforecontinuing.Thisscreenshotshowsthewarningaboutmissingconfigure.phpfiles(whichyoucreatemanually):

Onceyou'vecreatedthosemissingfilesandmadethemwritable,clickRefreshandtheinspectionwillrunagain,showingyouanynecessaryupdatedsuggestions.

Whenitispossibletoproceed,the“CleanInstall”buttonwillappear,asshownhere:

Theimageabovehasanindicatoraboutsomepre-existingconfigure.phpfiles.Ifthisisyourfirstinstall,youwon'tseethefirstgreenboxabove.IfyoualreadyhaveaZenCartstoresetupinthisdatabase,youmayalsoseean“Upgrade”buttonhere.Ifyouclick“CleanInstall”here,youwilleraseanyZenCartdataalreadyinthatdatabase.Forinstructionsondoingupgrades,seethechapteronupgrading,laterinthisguide.

6.1.3 Step 2 System Setup

6.1.3.1 Agree to license terms Clickthe“Agreetolicenseterms”textontheleftcolumntoviewtheGPL2licenseterms.Thencheckthecheckboxtoindicateyouragreementtothelicense.

6.1.3.2 Admin Server Domain EntertheURLtoyourstorehere.Itshouldhavebeenauto-detectedforyou.ButifyoursitehasSSLcapability,youshouldputtheSSLURLhere.Additionally,ifyourSSLisactually“sharedSSL”whichusesaURLdifferentfromyourstore'sactualdomainname,enterthatshared-SSLURLhere.

6.1.3.3 Enable SSL for Storefront? ThisdetermineswhetherZenCartwilluseHTTPSforthestorefrontsideofyourstoretoautomaticallyencryptcommunicationsonpageswhichcollectsensitivedata.Ifyoudon'thaveanSSLcertificateenabledinyourhostingserviceyet,uncheckthebox.Youcanenableitlatermanuallybyfollowingthistutorial:http://www.zen-cart.com/content.php?56-how-do-i-enable-sslNOTE:TouseSSL,ZenCart®reliescompletelyonyousupplyingvalid/workinghttps://URLs!Ifyoursitedoesn'thaveworkingSSLyet,thenyourZenCart®storewillbebrokenuntilyougetSSL,ordisableit.

PA-DSSTocomplywithPA-DSSyouMUSTenableSSL(ie:useHTTPS).Whenenabledhere,ZenCart®willautomaticallyactivateSSLonstorefrontpageswhichneedit(ie:checkout,myaccount,login,etc)aslongastheoptionisenabledhere.Additionally,built-inpaymentmoduleswhicharecapableofacceptingcreditcardsdirectlyonyoursitewillNOTfunctionifyoudonothaveSSLcapabilityavailableandenabledinZenCart®.

6.1.3.4 Storefront HTTP Domain ThisistheURLthatwillbeusedtoaccessyourstore.Again,auto-detectionshouldhavechosenthecorrectsettingandyoushouldonlychangeitifitisincorrect.

6.1.3.5 Storefront HTTP URL Ifyourstoreislocatedinasubdirectorywithinyoursite,thenaddthatsubdirectoryhere.Elsejustuseyourdomainname.Thisisnormallyauto-detectedforyouandnochangesnecessary.

6.1.3.6 Storefront HTTPS Domain Thisisthedomainnameforyourstore,butstartswithhttps://…butifyou'reusing“shared-SSL”thenyou'llneedtoputthepropershared-SSLdomainhere.OtherwisesameasStorefrontHTTPDomain.

6.1.3.7 Storefront HTTPS URL Ifyou'reusingsharedSSL,thensometimesthereisaneedtoaddausernameorsubdirectorytotheendoftheSharedSSLURLsuppliedbyyourhostingcompany.Enterthathere.Otherwiseuse

thesameasStorefrontHTTPURL.

6.1.3.8 Storefront Physical Path ThisisthelocationoftheZenCart®applicationfilesontheharddriveofyourserver.Generallythesystemwillauto-detectthis,andyoushouldonlychangeitiftheauto-detectionhasnotchosenthecorrectpath.

6.1.4 Step 3 Database Setup Clickthetitlewordsintheleft-columnformoredetailedinformation.Seesection2forreference.

6.1.5 Step 4 Admin Setup

6.1.5.1 Admin Superuser Name: Thisistheusernameusedtoinitiallyaccessyourstore'sadministrationpanel.ThisuserhasaccesstoallofthefunctionalityoftheAdministrationpanel.Youcansetupadditionaluserswith

restrictedpermissionsoncetheapplicationhasbeeninstalled.

6.1.5.2 Admin Superuser Email ThisistheemailaddressoftheinitialAdministrator,andmaybeusedforsendingpasswordresetsortestingoutgoingemailnewslettersetc.Typeitagaintoconfirmyoudidn'tmakeanytypos.

6.1.5.3 Admin Password Thisisanauto-generatedTEMPORARYpassword,andyouwillbepromptedtosetyourownpasswordafterusingthistemporarypasswordforyourfirstlogintoyouradminarea.

6.1.5.4 Admin Directory Theinstallerwillattempttoautomaticallyrenameyouradminfoldertosomethingotherthan“/admin”.Itwillshowyouherewhatthatnewfoldernameis.Youwillusethatfoldernametologintoyouradminpanelonthenextscreen.

6.1.6 Step 5 Setup Finished Nowthatsetupisfinished,anumberofpost-installationinstructionsarepresentedforyoutofollow.FurtherdetailsareenumeratedinSection7–Post-InstallationActivities,laterinthis

guide.

6.2 Using zc_install to do The Database Upgrade Step of a Site Upgrade

6.2.1 Introduction UpgradingconsistsofbothmanuallyupdatingthePHPfilesonyoursite,aswellasupgradingthedatabasestructuretoworkwiththenewrequirementsofthenewversion.ITISNOTENOUGHTOSIMPLYUPGRADETHEDATABASE.YOUMUSTALSOUPGRADEALLYOURPHPFILESACCORDINGTOTHEINSTRUCTIONSCONTAINEDINEACHINDIVIDUALRELEASE.ThedocumentyouarereadingheredoesnotaddressdoingthePHPfileupdates.Seetheproperupgradedocumentationathttp://www.zen-cart.com/upgradestounderstandanddothefullupgradeprocess.TheinstructionsbelowONLYdealwiththedatabase-sideoftheupgrade

step.DATABASEUPGRADESTEP:Todothedatabaseupgradestep,youwillusezc_installjustasyouwouldforamanualnewinstall:ToruntheZenCart®installation/upgradewizard,youwillneedtouseyourbrowsertoaccessthewebserverwhereyouinstalledZenCart®.Theinstallationwizardisaccessedfromthefolder/zc_install,ie:http://www.MY_DOMAIN.com/zc_install/Theupgradedialogsareexplainedonthefollowingpages...

6.2.2 Upgrading configure.php files, if necessary Thefirststepthatzc_installwilldoisinspectyourexistingconfigure.phpfiles,andoffertoupdatetheirformatiftheyappeartobefromanolderversion.(ThenewerfilesareMUCHleaner,andsimplertoreadandmaintain.)

6.2.3 Step 1 Welcome Screen and System Inspection Whenyoustartzc_installinconjunctionwithadatabasefromanolderversion,theInspection

willtellyouthatanupgradeisavailable,andwillgiveyouabuttontoproceedwithupgradingyourdatabase.Youmayfirstseeafewwarningsthatneedattention,suchasensuringyourconfigure.phpfilesarewritable(sothatzc_installcanauto-upgradethosefilestothenewformat).The“upgrade”buttonwillnotappearuntilcriticalissuesarefirstresolved,asdescribedon-screen.

6.2.5 Step 2 Version-Upgrade Checkboxes Nowyouarepresentedwithalistofversion-upgradestepsthatzc_installiscapableofupgradingforyou.Thesystemwillpre-inspectyourdatabaseandpre-checkthecheckboxesfortheversionstepswhichneedupgradesperformedinyourdatabase.Inanormalupgrade,yousimplyneedtoleavethecheckboxesas-is,andscrolltothebottomofthepageandfillinyourAdminusernameandpasswordandclickUpdateDatabaseNowtoauthorizetheupgrade.Checkingoruncheckingadditionalboxesisanadvancedtroubleshootingactivitywhichwould

onlyberelevantintheeventofaseriousproblemrequiringoverridingofnormaloperation.AsforhelpontheSupportForumiftheversiondetectiondoesn'tautomaticallyworkasexpected.

Aftersubmittingtheform,theupgradeprogresswillbeshownasitgoesthrougheachstage,similartotheimagehere:

Iftherearenoerrors,itwillautomaticallyprogresstoa“SetupFinished”screenwithsomefinalinstructionssuchasremovingthezc_installdirectorynowthatyou'redone.Besuretoturnoffmaintenancemode,viayourAdmin,asdescribedinthenextsection.ANDbesuretoupgradetherestofyoursite'sPHPfiles,followingtheupgradeguidanceathttp://www.zen-cart.com/entry.php?3-How-do-I-rebuild-my-site-on-the-new-version-instead-of-upgrading

6.2.6 Step 3 Database-Upgrade Step Finished REMEMBER:AnupgradeisNOTCOMPLETEifyoudonotALSOupgradeallyourPHPfilestoworkwiththenewversion.Thisinvolvesreconstructingyourcustomizationsinthenewversionsofthefiles.WiththeDatabaseUpgradestepcomplete,ifyourPHPfileshavealsobeenupdatedandyourcustomizationsmergedintothem,thenyou'rereadytologintoyourAdminandturnofftheDown-For-MaintenancemodeviaAdmin->Configuration->WebsiteMaintenance

7. Post-Installation Actions

7.1 Changing The Admin Directory Name for Security (By-Obscurity) WhenZenCart®isinitiallyinstalled,theadminpanelisfoundatINSTALL_DIRECTORY/adminSincethename“admin”ispubliclyknown,leavingitas“admin”posessomedegreeofsecuritythreat.Therefore,zc_installwillnormallyattempttorenameitforyouandtellyouthenewnameduringthelaststepofzc_install.However,ifitwasunabletodotherename,thenbeforeyoucanaccesstheadminpanelyoumustchangethenameofthatdirectorytosomethingdifficulttoguess.Ifyoudonot,youwillseethewarningmessagementionedinsection7.5below.ChangingtheadmindirectoryinvolvessimplyrenamingtheadminfoldernameusingyourFTPprogram,andisexplainedindetailinthistutorial:http://www.zen-cart.com/content.php?75-how-do-i-rename-my-admin-folder-to-prevent-unauthorized-access

7.2 Enabling SSL for HTTPS in your Admin ForPA-DSScompliance,allnon-consoleaccess(ie:allbrowseraccess)toyouradminareamustbeviaHTTPStoensurestrongcryptography.Todothis,simplyensurethattheHTTP_SERVERURLinyour/renamed-admin/includes/configure.phpfilecontainsaURLbeginningwithhttps://….

7.3 Setting Directory and File Permissions AsmentionedinthePre-InstallationActionssectionofthisguide,anumberofdirectoriesandfilesneedspecialpermissionsinorderforZenCart®tofunctioncorrectly.Ataminimumtheseinclude:

• ThedirectoryINSTALL_DIRECTORY/cacheneedstobewriteable.• ThedirectoryINSTALL_DIRECTORY/logsneedstobewriteable.• ThedirectoryINSTALL_DIRECTORY/pubneedstobewriteable.• ThedirectoryINSTALL_DIRECTORY/imagesneedstobewriteable.• ThedirectoryINSTALL_DIRECTORY/admin/images/graphsneedstobewriteable.

Alsoduringinstallationyouwillhavecreatedthesefileswithwritepermissions:

• INSTALL_DIRECTORY/includes/configure.phpand

• INSTALL_DIRECTORY/admin/includes/configure.phpForsecurity,these2filesshouldhavetheirpermissionschangedsothattheyareread-only.Ifyouneedhelpunderstandingtheconceptsoffilepermissionsandsomegeneralguidanceonmakingthesechanges,consultthistutorialarticle:http://www.zen-cart.com/content.php?51-how-do-i-set-permissions-on-files-and-foldersN.B.TheZenCart®applicationwillattempttoautomaticallysetthepermissionsofthesetwofilestoread-onlyafterinstallationiscomplete.Howeverthisdoesn'tworkautomaticallyonallservers,andyoushouldensurethatthisitisdoneproperly.(Warningswillbeprominentlydisplayedifthepermissionsonthesefilesareincorrect.)

7.4 Removing the Installation Directory Onceinstallationiscompleted,youmustremovetheINSTALL_DIRECTORY/zc_installfolder.Leavingthezc_installfolderonyourserverposesasecurityrisk,sincesomeonecouldpossiblydeleteyourstoredatabasecontentiftheygainedunauthorizedaccesstoit.Thus,untilyouremovethezc_installdirectory,awarningmessagewillbepresentedifthefolderexistswhenyouaccessyouradminconsole.

7.5 Blocked Administration Access Pleasenote,ifyouhavenotchangedyouradmindirectory,orhavenotremovedtheinstallationdirectorythenyouwillnotbeabletoaccesstheAdministrationconsoleandyouwillbepresentedwithascreenasbelow.

Furtherdetailsonhowtochangethenameoftheadmindirectorycanbefoundat

http://www.zen-cart.com/content.php?75-how-do-i-rename-my-admin-folder-to-prevent-unauthorized-access

7.6 Removing Unnecessary Directories Onceinstallationiscompleted,youshouldremovethesetwofolders,topreventsnoopersfromgaininginformationaboutyoursitethattheyhavenobusinessknowing,suchasyourZCversion,andsoon:-INSTALL_DIRECTORY/docs-INSTALL_DIRECTORY/extras

8. Accessing the Administration Panel and Configuring Administrative Users and Passwords

8.1 Introduction ZenCart®includesasystemformanagingmultipleadminusersandrestrictingtheaccessofthoseuserstoonlycertainfunctionsoftheAdministrationsystem.Initiallyonlyoneuseriscreated(Theuser/passwordyoucreatedduringinstallation).Thisuserisassigneda'Superuser'profile,andhasaccesstoalladministrationfunctionality.Additionalprofilescanbecreatedtoofferlesserpermissionstospecificadministrativeusers.Thisisexplainedfurtherinthefollowingsections.

PA-DSSSinceyouwillprobablyhaveperformedtheinstallationwithoutusingHTTPS,thereisa(small)possibilitythatasomeonemighthaveinterceptedyouradminusername/password.Ifyoudon'thaveHTTPSenabledonyoursiteyet,youneedtodothatNOW(seesection7.2ofthisguide),andthenchangeyouradminpassword.

8.2 Administrator Access to Credit Card Numbers ZenCart®doesn'tstorecompletecreditcardnumbers,noranysensitive/authenticationdatasuchasexpirydatesorCVVnumbers.Allstorageofcardnumbersconsistsofonlythefirst4-6digitsandthelast4digits,inaccordancewithPCIandmerchantagreementrules.Theonlyplacewherethesepartialcardnumbersarevisibleiswhenviewinganorderintheadministrationscreens,viaAdmin->Customers->Orders.Andifpaymentwashandledcompletelyoffsitethenit'sunlikelythatanyofthepartialcardnumberwillshowatall.

PCIDSSForPCIcompliance,youarenotpermittedtoalterthedatabasetobeabletostorecompletecardnumbers,norstorethemunencryptedinanywayunlessyouusecompletecryptographickeyinfrastructureandundergoyourownPCIassessmenttoauthorizethosechanges.Anyalterationofthisnature,oranyuseof3rd-partymoduleswhichprovidesuchfeaturesrequiresyourownPCIassessment,elseyouarenotPCIcompliant.Discussedmoreinchapter15.

8.3 Administrative User Access and PA-DSS requirements BeforemovingontohowAdminusersaremanaged,therearesomefundamentalchangesthathavebeenmadeinthisareastartingwithZenCart®v1.5.0inorderfortheapplicationtomeet

PA-DSSrequirements.Maliciousindividualswilloftentrytofindaccountswithweakornon-existentpasswordsinordertogainaccesstoanapplicationorsystem.Ifpasswordsareshortorsimpletoguess,itisrelativelyeasyforamaliciousindividualtofindtheseweakaccounts,andcompromiseanapplicationorsystemundertheguiseofavaliduserID.ThePA-DSSrequirementsareasfollows:

• Eachadminusermusthaveauniqueusername.DONOTshareadminusernameswithothers.Createseparateusersforeachpersonaccessingyourstore'sadminsection.

• Passwordsmustbeatleast7charactersinlengthPasswordsmustconsistofamixoflettersandnumbers(alphanumeric)

• Passwordsandusernamesarecasesensitive• Passwordsmustbechangedevery90days

Whenchangingpasswords,userswillnotbeabletochooseapasswordthatwasusedintheprior4passwordchanges

• Whenattemptinglogin,ifanincorrectusername/passwordisenteredmorethan6timesinarow,accesstotheadministrationsystemwillbelockedoutfor30minutes(Forevengreaterprotection,ZenCart®alsoimplementsadditionalanti-brute-forceprotectionmeasuresbeyondthisrequirement.)Thislockoutcanbeoverriddenonlybyanotherauthorizedadministrator,aftertheyfirstconfirmtheidentityofthepersonrequestingtheoverride(ie:talktothepersontowhomtheaccountbelongs,tobesurethey'renotamaliciousintruder)

• Theadministrationsystemhasa15minuteinactivitytimeout.Thatis,ifnopagesareaccessed(noclickswhichsubmitdataorloadanewpage)withina15minuteperiod,theadminuserwillbeforcedtologinagain.Extendingthistimeoutperiodwillinvalidateyourstore'sPCICompliance.

Alteringthecodetorelaxtheserequirementswillinvalidateyourstore'sPCICompliance.Further,thewordingofthePA-DSSis:“tomaintainPCIDSScompliance,anychangesmadetoauthenticationconfigurationswouldneedtobeverifiedasprovidingauthenticationmethodsthatareatleastasrigorousasPCIDSSrequirements.”DisablingPCIpassword/timeoutfeatures:NOTE:IfyouusetheswitchinAdmin->Configuration->MyStoretodisablethePA-DSSAdminSessionTimeoutEnforced,orthePA-DSSStrongPasswordRulesEnforcedsettings,YOUAREMAKINGYOURSITENOLONGERPCICOMPLIANT.Discussedinchapter14.4

8.4 Users YoucaneasilymanagetheuserswhoareallowedaccesstotheadministrationsystemusingtheAdminAccessManagement→AdminUsersmenuentry.Fromthisscreenyouwillbeabletoadd,deleteandchangethedetailsofAdminusers.NOTE:ForPCIDSScompliance,everypersonwithadministrativeaccessmusthavetheirown

uniqueuserIDandpassword,andshouldneverre-usethesameID+passwordonmorethanonesystem.

ClickingtheeditbuttonwillallowyoutochangetheAdminUsername,AdminUseremailaddressandtheprofileassignedtothatuser(althoughyoucannotchangetheprofileassignedtotheinitialAdminUser).

Clickingthe“resetpwd”buttonallowsyoutochangethepasswordassignedtotheuser.NOTE:Thesystemonlyacceptsuniqueusernames,thusnotwouserscanhavethesameuniqueuseridatanygiventime.

8.5 Profiles Profilesdescribewhichfunctionsintheadministrationsystemausercanaccess.Initiallyonlyoneprofileisavailable,the'Superuser'profile,whichgivesaccesstoalltheadministrationsystem.

Howeveritisalsopossibletocreateprofiles,sothatdifferentusersonlyhaveaccesstoasubsetoftheadministrationsystem.Forexample,youmayhaveusersthatonlyneedtorunreports,oruserswhoseresponsibilityitistoaddproducts/categories,andthoseusersshouldnothaveaccesstoanyotheradministrationsystemfunctions.NOTE:ForPCI-DSSandPA-DSScompliance,onlypersonsrequiringaccesstopaymentdetailsshouldbeallowedtoseethem.Thiscanbeachievedbycreatingspecificprofiles,andthenassigningthoseprofilestousers.YoucanaccesstheAdminProfilesmanagementpageusingtheAdminAccessManagement→AdminProfilesmenuentry.

Toaddanewprofile,clickonthe'addprofile'button.Youwillthengetascreensimilartothefollowing,whereyoucanenteranamefortheprofile,andselectwhichadministrationsystemfunctionsthatprofilehasaccessto.

TheEditbuttonwillbringupasimilarscreen,howeverinthiscaseyouwillbeabletochangethecurrentfunctionalitygrantedtoallusersassociatedwiththatprofile.

8.6 Admin Activity Logs TheAdminActivityLogstoresimportantinformationwhichmightexposemaliciousactivitybeingconductedbyadminusers(whetherknownorunknown)inthebackendofyourstore.Thesystemlogsthisdata:

• Thedateandtimeoftheaccess• Theadminidoftheusermakingtheaccess(useridentification)• Thepageintheadministrationsystemthatisbeingaccessed(whichinferstypeofevent)• Theparametersrelatedtothepagebeingaccessed(whichinfersidentificationofaffected

dataandostensiblythesuccessorfailureoftheattemptedaction)

• TheIPaddress(origination)oftheadminuserperformingtheevent• Any“suspect”activitythatshouldbereviewed,suchasmaliciousPOSTdata• Changesmadetopayment/shippingmodulesandadminusers

Therearenobuilt-insettingstoalterthisfunctionality.Itisinstalledandenabledbydefault.Tamperingwiththisloggingfunctionalityordisablingthelogsorchangingtheloggingcodewillresultinnon-compliancewithPCIDSS.Theactivitylogisheldinthedatabase,andovertimecanbecomeverylarge.Youcanmanageyouractivitylogvia:AdminAccessManagement→AdminActivitylogsItisimportanttoreviewtheselogsregularly,evendaily,tomonitorformaliciousactivityandrespondaccordingly.Thefollowingsectionsdiscussthereviewandmanagementoftheselogs.

8.6.1 Daily Log Review – Important Things To Monitor

PA-DSSPleaseNote:ItisarequirementofPA-DSSthatyoureviewtheselogsregularlytodetectunauthorizedactivityandtakecorrectiveactiontodealwithanyanomaliesdiscoveredtherein.Regularreviewoftheselogswillhelpyouavertproblemscausedbypeoplewhohavegainedunauthorizedaccesstoyouradminbackend,whetherthatbeahacker,intruder,orevenadisgruntledemployee.The“logmessage”columnexplainswhatsituationoccurred.Sometimesthisissimplyinformational,butsometimesitwilltellyousomethingmoresignificant,suchas“Failedloginattemptforbaduser123”,or“Account[poor_speller]lockedoutduetotoomanyinvalidsignonattempts”,or“Paymentmodule[authorizenet]removedby{gooduser2}”.Inaddition,the“flagged”itemsshownintheReviewscreenareitemswhichwarrantsomeattention.Ifalogentryisflagged,thatmeansthatsomepotentially-harmfulcontenthasbeenenteredintotheadminpagewhichwasinuseatthetimeofthatlogentry.Commonly-flaggeditemsinclude<script>tagswheresomeonecouldinjectmaliciousjavascripttotriggerorcreateXSSorCSRFrisksonyourstore'sadminorstorefront.Ifyoufindanentrythat'sbeenflagged,youshouldinspectthedatathatwassubmitted(ie:seethe“postdata”column)tobesureitwasintentional.Ifitwasnotintentionalorauthorized,youshouldtakecorrectiveactiontoremovethemaliciousorunwantedcontent,andalsotakecorrectiveactiontodealwithwhomeverwasloggedinandsubmittedthecontentinthefirstplace.Followyourowninternalpoliciesfordealingwithsuchbreaches.Additionally,aseveritylevelisindicatedforeachentry.Theselevelshaveasimilarratingasestablishedbythesyslogstandardasmaintainedinthecomputer/technologyindustry.Thelevelswhichapplytoyourstoreare:

• WARNING–criticaleventswhichshouldberevieweddaily,asthesedenoteremovalofimportantsettingsoradministrativeuserprivileges,orotherseriousevents.

• NOTICE–importanteventswhichshouldbemonitoredregularly(atleastweekly)toreviewwhetheradisgruntledemployeeorawebsiteintruderhasattemptedtoinsertmaliciouscontentintoyoursiteproductdescriptions,orinstallnewmodules,etc.

• INFO–generallistofallactivity(everyclick)donebyanyadministrativeuser.Usefulforpost-mortemassessmentofaproblemifoneweretooccur.

ThefollowingsectiontalksbrieflyabouthowtheAdminActivityLogviewerscreenworks.

8.6.2 Review or Export Logs Withinthissectionyoucanchoosetoexportorreviewtheadminactivitylogs.Animageofthescreenisshownonthefollowingpage.Firstselectwhichdatayouwanttoprocess,accordingtoseveritylevel,usingthepulldownmenuprovided.SelectthedesiredExportformat:-Toseethedataon-screen,simplyleavethesettingsetto“ExportasHTML”.NOTE:Thismayonlyshowthelatest50entries.Forafulldetailedreportoftheentirelog,usetheCSVoptionbelow:-Ifyouwanttoexport/savethelogsthenthispulldownmustbesetto'ExporttoCSV'IfyouaresavingtoaCSVfile,youcanchoosetoeitherdownloadtheexportedfiletoyourlocalcomputerimmediatelyorsavethefiletoyourwebserverandviewitviaFTPatalaterdate.Ineithercaseyoucanalsochoosethenameofthefileproduced.Tosaveittoyourwebserver,tickthecheckboxmarked'SaveFileonserver'.NOTE:Forthistoworkyoumustmakesurethewebserverisconfiguredsothatthefolderspecifiedby“Destination”iswritablebythewebserver(formostlinuxserversthiswouldbeforthewww-datauser).Youcanseeasampleofthescreeninthefigurebelow:

8.6.4 Purge Log History action

PA-DSSPleaseNote:ItisarequirementofPA-DSSthattheselogsarekeptforaminimumof12months.Whileweprovidemethodstosafelybackuptheselogs,andtoremovethem,storemanagersareultimatelyresponsibleforensuringthattheycanreproducetheselogsintheeventofaPCIaudit.

Clickingontheresetbuttoninthe“PurgeLogHistory”sectionofthescreenwilltakeyoutoanewpagewiththefollowinginstructions:

Pleaseensurethatyouread,understand,andheedthewarningtextbeforepurgingtheactivitylog!Attheveryleast,savetheloghistorybeforeexporting!

8.6.5 PA-DSS Logging – Technical Details

PA-DSSstandardsrequirethatwestatewhatinformationislogged.Sotoclarifythebulletedlistfromsection8.5.0earlier,thefollowingislogged:•Individualaccesstocardholderdata(givencurrentversionsofZenCartneverstoresuchdata,thereisnothingtologforthisparticularitem)•Actionstakenbyanyindividualwithadministrativeprivileges•Accesstoapplicationaudittrailsmanagedbyorwithintheapplication•Initializationofapplicationauditlogs•Invalidlogicalaccessattempts(failedlogins,showstheusernameattemptedduringthefailure)•Useofthepaymentapplication'sidentificationandauthenticationmechanisms•Creationanddeletionofsystem-levelobjectswithinorbytheapplication•Useridentification•Typeofevent•Dateandtimestamp•Successorfailureindication•Originationofevent•Affecteddata,systemcomponent,orresource

8.6.6 Centralized Logging Loggingcanbeextendedbyincorporatingpluginstoallowadditionalexternalcentralizedloggingservicestobeincorporated.Followingisanexampleplugin,consistingoftwoPHPfiles,namedwiththeexpectationofusingthegraylogloggingservice.ActualgraylogAPIcodinglogicandsecuritycredentialsmustbeaddedtomakeitfunctional.a)/admin-foldername/includes/auto_loaders/config.admin.graylog.php

<?php $autoLoadConfig[1][] = array('autoType'=>'class', 'loadFile'=>'class.admin.graylog.php', 'classPath'=>DIR_WS_CLASSES); $autoLoadConfig[40][] = array('autoType'=>'classInstantiate', 'className'=>'graylogObserver', 'objectName'=>'graylogObserver');

b)/admin-foldername/includes/classes/class.admin.graylog.php<?php /** * @package plugins * @copyright Copyright 2003-2013 Zen Cart Development Team * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0 * * Designed for v1.5.2 * * initially designed with expectation that this file is placed into /admin/includes/classes/ folder, * and corresponding config.admin.graylog.php file into admin/includes/auto_loaders folder * */ class graylogObserver extends base { function __construct() { global $zco_notifier; $zco_notifier->attach($this, array('NOTIFY_ADMIN_ACTIVITY_LOG_ADD_RECORD')); } function updateNotifyAdminActivityLogAddRecord(&$class, $eventID, $paramsArray = array()) { // insert relevant calls to graylog API here, passing the data from $paramsArray as arguments } }

9. Code Customization, Addons, and Plugins TheZenCart®communityhasavastassortmentofavailableaddons/pluginscontributedbythird-parties,mostoftenotherstoreowners,whohavewrittencustomizedcodetoextendthecapabilityofZenCart®todoadditionalthingsbeyondthecoreframeworkthatisZenCart®itself.Manyhavesimplyputtogetherthecustomizationstheymadefortheirstoreandsharedthembackasasignificantwayofparticipatingandexpandingtheever-growingcommunitythathasgrownuparoundtheZenCart®product.Youcanfindaddonstosuitalmostanyspecialneedyoumighthave.Andifyoucan'tfindsomethingexactlysuitingyourneeds,youcaneithercustomizethecodeyourselforperhapshiresomeonetodothecustomizationforyou.Youareinvitedtoshareyourcustomizationsbacktothecommunityforotherswhofollowalongafteryoutofreelyenjoyusingontheirownstores,justasyouhavebenefittedfromsimilaractionsbyothers.Ifyoudon'thavetheskillstocustomizeprogrammingPHPcodeyourselfandwishtohiresomeone,there'savasthelp-wantedcommunityavailableaswell.Youcanaccesssomehelp-wantedresourcesbyfollowingthislink:http://www.zen-cart.com/helpwanted

PA-DSSNOTE:TheZenCart®PA-DSScertificationappliesonlytotheofficialreleasedcodeprovidedbyZenVentures,LLCAnycustomizationsyou,ora3rd-party,maketothecode,whetherbyalteringadmin-providedconfigurationswitches,addingaddons/plugins,makingcodecustomizations,etcmayrenderthePA-DSScertificationvoidforyoursite.Itisuptoyoutoensurethatalladdons,plugins,customizations,andchangedswitchsettings,arePCIcompliantaccordingtothePCISecurityStandards.Ifyouhavespecificquestionsaboutwhetherachangeyou'vemadetoyoursiteisPCI-Compliant,contactyourPCIScanningvendorforassistanceandguidanceandappropriateauditing.

10. Engaging 3rd-Party Consultants or Programmers Asmentionedintheprevioussection,ifyoudon'thavetheskillstocustomizeprogrammingPHPcodeyourselfandwishtohiresomeone,there'savasthelp-wantedcommunityavailableaswell.Youcanaccesssomehelp-wantedresourcesbyfollowingthislink:http://www.zen-cart.com/helpwanted

PA-DSSNote:ItisarequirementofPA-DSSthat3rd-partiesareonlygrantedaccesstospecificcomponentstrulyrequiredtocompletetheworkrequested,andthattheyusethataccessinasecuremanner,andthattheydestroyallcopiesofallinformationobtainedoncesaidaccessisnolongerrequired.WerecommendthatyouonlyengagepersonswhodemonstrateanunderstandingofPCIDSSandwillagreeinwritingthattheworktheyperformforyouwillbecompliantwithPCIDSSrequirements.TomaintainPCIDSScompliance,anycodingchangesmadetoauthenticationorcreditcardorsecurityconfigurationsneedstobeproperlyverifiedasbeingatleastasrigorousasPCIDSSrequirements.Some“bestpractices”youshouldconsiderwhenengagingaconsultantarefoundinfollowingsections.

10.1 Webstore “Admin”/Backend access Ifyouneedtogivesomeoneaccesstoyourstore'sadminpanel,createadedicateduniqueadminuseraccount+pwdforthatperson(don'tletthemuseagenericusernamesuchastheircompanyname),andgrantthemaccesstoONLYthefeaturestheywillneedtocompletethetasksassignedtothem,andremovethataccountwhentheyarefinished.Seesection8fordetails.Ifyouradminuses2-FactorAuthentication(seesection10.5)thenALLpersonshavingaccessmustuseit.PCI-DSSrequiresthatanyoneaccessingtheAdminimplementanduseremoteaccesssecurityfeatures.AndshouldneverusethesameID+passwordonmorethanonesite;alwaysunique.

10.2 FTP Access

• FTPandSFTPAccounts(NOTE:PCI-DSSrequirestheuseofSecureFTP,notplainunencryptedFTP)Ifyouengagesomeonetodoworkonyourwebsitethatrequiresthemtohavedirectaccesstothefilesonyourwebserver,thatwillmostlikelyrequirethattheyhaveFTPaccess.YoushouldNEVERgivethemyourmasterFTPpassword.YoushouldALWAYScreateanewuser+passwordforthemusingyourhostingcompany'scontrolpanel.Ifpossible,youshouldrestricttheiraccesstoonlytheirIPaddress,soitcan'tbeabused.YoushouldALWAYSdeletetheirFTPuserassoonastheirworkiscompleted.Itisdangeroustoleaveunmonitoredaccountsactiveinthehandsofpersonsnotinyourdirectsupervisionandemployment.Similarwisdomshouldbeappliedtoemployeesaswell.

• SecureAccess–UseSFTP,notFTP

EVERYONE(includingyou!)accessingyourwebservershouldbeusingSFTPtoconnect.IftheyuseregularunencryptedFTPmode,thenyourcustomerdataandwebsitesecuritycouldbecompromised.Seesections2and4ofthisguideformoreinformationaboutSFTP.PCI-DSSandPA-DSSrequiretheuseofSecureFTP,notunencryptedFTP.

10.3 Webhosting Account's Control Panel access Itisunusualfora3rd-partytoneedaccesstoyourentirehostingaccount'scontrolpanel.Ifyoumustgivethemaccess,youmustchangethepasswordtoyourhostingaccountwhentheyarefinished.

10.4 Secure use of customer database and website files Ifyou,orathirdparty,needtomakeoruseacopyofyourstore'sdatabase,eithertoprepareastaging/testingarea,ortodebugaproblem,itisveryimportantthatthenamesofeveryonewhohasaccesstothisdataarerecorded,thattheynotsharethedatawithanyoneelse,andthatthedataissecurelydeletedwhennolongerneeded.SecureErasureisbesthandledbyasoftwaretoolthatwillsecurelyobliteratethedatafilesonyourPCandanyplacewhereyou'vestoredit.Toolsforthiscanbefoundbynumerousonlinevendors.Agreementtohandledatainthiswayshouldformanintegralpartofyourcontractwithwhomeverisgrantedaccesstothisinformation.

10.5 Two-Factor Authentication Two-FactorAuthenticationistheuseofathird-partyauthorizationmechanismtoverifyyouridentitywhenloggingin.Thisiscommonlyimplementedviatheneedtoentermorethanjustausernameandpassword,specificallynotjustsomethingyou“know”,butalsosomethingyou“have”.Seethiswikipediaarticleformoreexplanation:Two_factor_authenticationZenCart®allowsfortheuseof(butdoesn'tdirectlyimplementanyspecific)two-factorauthenticationasameanstofurtherenhancethesecurityofaccessingyoursystem.Ifyouhaveengagedtheuseofathird-partytwo-factorauthenticationservice,youcanintegrateitwithZenCart®inoneoftwoways:

a) Followtheinstructionsofyourtwo-factorauthenticationsolutionforaddingtherequireddirectivestoyour/renamed-admin/.htaccessfile.ThiswillrequirethetokenauthenticationtotakeplacebeforebeingallowedtoenteryourZenCart®adminusernameandpassword.

b) AddacustomPHPscripttohookintoyourtwo-factorauthenticationsolutionbydefiningaconstantnamedZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICEwithavaluematchingthenameofthePHPfunctionwhichwilltriggerit.ZenCart®willfirstauthenticateyouusingyourZenCart®adminusernameandpassword,andthenpassyouontoyourtwo-factorauthenticationsolutionforsubsequenttokenvalidation.(ItwillpassanarraycontainingtheZCadminuserIDnumber,username,andemailaddress,whichthetwo-factorauthenticationsystemmayoptionallyuse.AbooleanTRUEresponseisexpectedifloginisapproved.Anythingelsewilltriggerafailure.)

Thecustomcodeforthecustomfunctionwhichtriggersyourtwo-factorauthenticationsolutionshouldbeplacedinthe/renamed-admin/includes/functions/extra_functions/folder.TheconstantmentionedaboveshouldbedefinedinaseparatePHPfilelocatedinyour/renamed-admin/includes/extra_datafiles/folder.Anyadditionalclasseswhichyourcustomfunctionsneedtoinstantiateshouldbeplacedinyour/renamed-admin/includes/classes/vendors/folder.Thisfoldermayneedtobecreatedfirst.

IfyourequireTwo-FactorAuthenticationforotherremoteaccessactivitiessuchasVPNorFTP,youwillneedtoconfigurethoserespectiveapplications/utilitiestouseitasperthedocumentationprovidedbythoseutilities,muchlikeyouwouldconfigureyourFTPprogramtoknowwhichserver,username,password,etctouseforaccessingyourwebserver.NOTE:ThePCI3specificationrequiresthatalladminloginsmustusetwo-factorauthentication.

11. Removing Old Non-PCI-Compliant Data Ifyourstorehasusedanypaymentmodulesthathavestoredfullcreditcarddataorcvvnumbers,youmustdeleteallsuchhistoricaldatafromyourdatabaseandyourbackups.

PCICompliance:YoumustNOTbeusinganypaymentmodulethatstorescompletecreditcardnumbersorcvvnumbersinyourdatabase,noronewhichemailscompletecreditcardnumbersorcvvnumberstothestoreowneroranyoneelse.ZenCarthasNOTstoredcreditcardnumberssincev1.3.9a,releasedin2010.However,ifyouaddedpluginstoaddthatfunctionality,orifyouhadusedapriorversion,youwillneedtotakestepstoclearoutanycreditcarddatawhichyouhadstoredinyourstore.YOUMUSTDOTHISforPCIcompliance.

11.1 Removing Old Credit Card Data From Database Records Whenviewinganorderinyourstore'sAdmin->Customers->Orders->Editscreen,ifafullcardnumberorcvvnumberisfound,a“Delete”linkwillshow,andclickingwillreplacethatdatawithblanks.Toperformthecleanupdatabase-wideusingphpMyAdmin,youmayrunthefollowingSQLquery:

update zen_orders set cc_number = NULL, cc_cvv = NULL where cc_number != ''; optimize table zen_orders;

(Youmayneedtoremoveorsubstitutethe“zen_”prefixonthosetwotablenamesforthequerytoworkonyoursite.ChecktheDB_PREFIXsettinginyourconfigure.phpfiletodeterminewhatprefixyouneedtouse.IfDB_PREFIXisblank,thenremove“zen_”intheexamplesabove.)

Afteryou'vedonethis,youneedtoalsosecurelydeletethephysicaldatafromtheserver.Seebelow.

11.2 Suggested Procedure For Secure Erasure of Old CHD data IfyourstorehasusedanymethodsofstoringfullcreditcardnumbersorCVVnumbers,thePCIDSSrequiresthatyoutakespecificmeasurestosecurelydeletealldatathatcouldbeusedtoreconstructhistoricaldatabaserecordsorlogscontainingcreditcard/cvvdetails.Thefollowingstepsoutlineanapproachonecoulduseforpurgingthatdatasecurely.Thesestepsrequirethatyouhaveadministratorsysadminaccesstoyourserver.Thusitmaybenecessarytoengageyourhostingcompany'sserveradministratortocompleteseveralofthesesteps.

a) Usethedeletionmethodsmentionedinsection11.1abovetoremovethecreditcard/cvvdatafromthedatabasetablerecords.

b) TakethestoreDownForMaintenancec) MakeacompleteMySQLbackupofyourstore'sdatabasetables.Thiswillbeusedtorestorethedata

afterthedeletion.Testyourbackuptoensurethatitisreliable,andmakeextracopiesforsafety.

d) UsingyourMySQLconsole,orhostingcontrolpaneltools,deleteyourstore'sdatabaseanddbuser.

e) SERVERADMIN:ShutdownMySQLf) SERVERADMIN:Useanindustry-acceptedPCICompliantsecure-deletiontool(suchassfillwhich

comesbuilt-intomoststandardLinuxdistributionsorcanbefoundintheTHC:SecureDeleteToolkit)to

deleteallsensitivedatausinganerasuresettingstrongenoughtopreventforensicrecovery.Deleteallsensitivedataincludingatleast:

i. Thephysicalfilesontheserverwhichstoredyourstore'sMySQLdatabaseandMySQLlogfiles

ii. Freediskspace(“slack”space).Removealltracesofthedatafromthefreespace(“deletedfiles”).

iii. Allbackupcopiesofthedatabasetablesstoredonanymedia,includingremoteorphysicalserverharddiskbackupimages,backups(exports/dumps)youhadstoredonyourPCorCDs/DVDsorthumbdrives.

iv. AlldebuglogfilesassociatedwithanypaymentmodulesthatrecordedCC/CVVnumbersinflatfiles.

g) SERVERADMIN:StartupMySQL

h) Recreateyourstore'sMySQLdatabase,username,password,andimportyourdatabasefromthebackupyoumadeinstep(c)earlier.Testyourstorefornormaloperation.

12. Network Diagram

Notes:

• Insomehostingconfigurations,theWebServerandDatabaseServermayresideonthesamephysicalserver.

• ItisrecommendedthatnowirelessbasedsystemsshouldbeconnectedtotheWeb/DatabaseServerenvironment.Wheresuchwirelessequipmentisconnectedthentheapplicationuserortheirhostingprovidershould:

• Installperimeterfirewallsbetweenanywirelessnetworksandsystemsthatstore,process,ortransmitcardholderdataandthatPerimeterfirewallsmustdenyorcontrolalltrafficfromthewirelessenvironmentintothecardholderdataenvironment.

• Changedefaultencryptionkeys

• ChangedefaultSNMPcommunitystrings

• Changedefaultpasswordsforaccesspoints

• Updatefirmwaretosupportstrongencryptionforauthenticationanddatatransmission

• Enablestrongencryption(WPA2orsimilar)

• Changeotherdefaultvaluesasapplicable

• Useindustrybestpracticestoimplementstrongencryptionforauthenticationandtransmission

13. Dataflow Diagram

14. Notes about PA-DSS Compliance

14.1 Cardholder Data a.StorageOut-of-the-box,ZenCart®doesnotstorecardholderdata,andiscrippledfrombeingabletostoreentirecardnumbers(PAN)byvirtueofdatabasefieldlengthsbeingtooshorttostoreacompletecardnumber.Thus,ZenCart®doesnotdisplaythecompletePAN;ifanypartialPANinformationisknown(wouldnotbeknownifpaymentwashosted/processedexternally)onlythefirst4-6andlast4digitsareshown,andvisibleontheAdminindividual“order”pageandduringcheckoutduringpayment-confirmation.Thesesettingsarenotconfigurable.TomaintainPCIDSScompliance,anycodingchangesmadetohandlingorstorageofcardholderdatawouldneedtobeverifiedasprovidinghandlingorstoragemethodsthatareatleastasrigorousasPCIDSSrequirements.b.SMSorMessagingSystemsWhileZenCart®doesnotgiveyouanycompletecardholderdatatocopy/paste,weremindyouthatitisunwiseandunsafetopasscreditcarddataviaanymessagingtechnologies.Justdon'tdoit.c.SessionsFurther,ZenCart®doesnotstorecardholderdatainsessions.Asastatelessapplication,ZenCart®doesnotretainanyofthesubmittedcardholderinformationbetweenclicksonthepages.Forexample,ifacustomerusesamodulewhichcollectspaymentdirectlyonaZenCart®site,theprovidedcreditcarddata(ie:thecardnumberandCVVandexpirydate)arebrieflystoredinmemoryvariables.Afteritfinishesprocessingwhateverstepsthatpageexecutes,whetherthat'sforauthorizationoranythingelse,thosevariablesareremovedfrommemory(internalmemorypointersaredestroyedfortheobjectsandvariableswhichhavegoneoutofscopebyvirtueofcodecompletion)bythegarbage-collectionproceduresinternaltoPHP.

14.2 Cryptographic Keys and Key Management Cryptographickeysarenotrequiredbecausecardholderdataisnotstored.Seeexplanationabove.ZenCart®hasneverusedorimplementedcryptographickeysaspartofthecorecodeout-of-the-box.Thustherearenorequirementstomanagesecuredeletionorretirementofhistoricalcryptographickeys.Ifyouhaveeveraddedaplugin/moduletoaddcryptographickeys,itisyourresponsibilitytosecurelyprotectandretireandotherwisemanagethosekeysinaccordancewithPCIDSSrequirements,anddemonstratesuchaspartofyourownself-assessmentorcertificationprocess.

14.3 Protocols, Services, Dependent Software and Hardware TheservicesandprotocolsandsoftwarecomponentsusedbyZenCart®arelistedbelow.FORDETAILSofspecificversionrequirementsofeach,seesections2.3,2.4.Toinstallandconfigureanyofthem,seetherelevantdocumentationprovidedbytheirownauthors.

• APACHEandPHPZenCart®isaPHPapplicationwhichrespondstorequestsdirectedtoPHPviaawebserverservicerunningonyourserver.Alternatewebserverenginescouldbeusedbutareoutofscope.

• MySQLZenCart®followsyourconfigurationinstructionstocontactandconnecttotheMySQLservicerunningontheserveryouspecifyinyourconfiguration,usingthemysqliAPIinPHP.IfyouchoosetohostyourMySQLdatabaseonaseparateserver,youwillneedtoopenport3306inyourservers'firewalls(orwhateveralternateportyoumightreconfigureMySQLtouseviamy.cnfconfigurationfilesettings)toallowthedatabasecommunication.HostingyourdatabaseonaseparateserverisnotnecessarytorunZenCart,nortobePCICompliant.

• HTTPandHTTPSHTTPandHTTPSareusedtocommunicatebetweencustomerbrowsersandthewebserver,andfromthewebservertoany3rd-partyservices.

• CURLandfsockopenSomeexternalcommunicationto3rdpartyservicesisconductedviaPHPlibcurl(cURL)orthePHPfsockopen()client.

• TLS/SSLInthebrowser,HTTPSisusedwhereneededtoprotectsensitivedataifthestoreownerhasconfiguredZenCart®touseit.InthebackgroundTLSisused(versionautonegotiatedviaCURL)toprotectsensitivedatawhentransmittedtoconfiguredexternalservices,providedthehostingwebserveroffersit.AssuchOpenSSLisneededforsuchexternalcommunications.

• RESTAPIsZenCart®v1.xdoesnotcurrentlyserveaRESTAPI,butdoescommunicatewith3rd-partyAPIs,whethertheybeRESTorSOAP,etc.

• HardwareZenCart®hasnospecifichardwarerequirementsuniquetotheservicesitprovides.Itcanrunonvirtuallyanyserverwhichcanruntheaboverequiredsoftware.

14.4 Settings sensitive to PCI compliance IfyouwantyoursitetobePCICompliant,youmustleavethefollowingfeaturessettotheirdefaults:

-Admin->Configuration->MyStore->PA-DSSAdminSessionTimeoutEnforced?–ShouldbeON(1)-Admin->Configuration->MyStore->PA-DSSStrongPasswordRulesEnforced?–ShouldbeON(1)-Admin->Configuration->Logging->LogDatabaseQueries–Shouldbeoff(false)

15. Additional Requirements for PA-DSS Compliance

15.1 Consequences of altering the system to store cardholder data Out-of-the-box,ZenCart®doesnotstoreanycardholderdata,andiscrippledfrombeingabletostoreentirecardnumbersbyvirtueofdatabasefieldlengthsbeingtooshorttostoreacompletecardnumber.Thatsaid,ifyouoranyonewithaccesstoyoursitechangesthedatabaseeitherbydirectlyeditingitorbyinstallingapluginwhichaltersittostorecardholderdata,youareinvalidatingthePA-DSScomplianceandallsuchchangeswouldneedtobeverifiedasimplementingcompliantproceduresthatareatleastasrigorousasPCIDSSrequirements..YouwillneedtoensurethatyouralterationscomplywiththePADSSspecifications,includingbutnotlimitedtothefollowing:a) Whencollectingmagneticstripedata,cardvalidationcodes,PINs,and/orPINblocksfor

troubleshootingpurposesbesurethatyou:•Collectthesedataonlywhenneededtosolveaspecificproblem•Storethesedataonlyinspecific,knownlocationswithlimitedaccess•Collectaslittleofthesedataasnecessarytosolvethespecificproblem•Encryptthesedatawhenstored•Securelydeletethesedataimmediatelyafteruse

b) Ifyouaddtheabilitytostorecardholderdata,thenitisyourresponsibilitytoensurethat

exceedingtheacceptableretentionperiodmustbesecurelydeleted,anditisyourresponsibilitytodemonstratethatyouhavestudiedandproventhatyouhavesecurelydeletedthedataincompliancewithPCIandPA-DSSrequirements.Youractivitiessurroundingsecuredeletionextendbeyondthescopeofthisdocumentandmustincludeallsubsystemsanddependencieswhichyouinvokewhenaddingtheabilitytostoresuchdata

c) YoumustnotalterthesoftwaretostorecardholderdataonInternet-accessiblesystems(ie:webserversanddatabaseserversmustnotbeonthesameserver,andthestorageservermustnotbeconnectedtotheinternet)

d) Ifyoualtertheapplicationtoallowand/orfacilitatethesendingofprimaryaccountnumbers

byend-usermessagingtechnologies,youmustrenderthePANunreadableand/orimplementstrongcryptography

e) Ifyouaddfunctionalitywhichmanagesencryptionkeys,forPCIcomplianceyoumustfurther

demonstratethatyou:• restrictaccesstokeystothefewestnumberofcustodiansnecessary• storekeyssecurelyinthefewestpossiblelocationsandforms• implementstep-by-stepprocedurestogenerate,distribute,protect,change,store,and

retire/replaceencryptionkeyswherecustomersorresellers/integratorsareinvolvedinthesekeymanagementactivities

• provideasampleKeyCustodianformforkeycustodianstoacknowledgethattheyunderstandandaccepttheirkey-custodianresponsibilities

• ensurethatcryptographickeymaterialand/orcryptogramsfrompriorversionsofthe

applicationmustberenderedirretrievable.SuchirretrievabilityisabsolutelynecessaryforPCIDSScompliance

• providestep-by-stepprocedurestore-encrypthistoricdatawithnewcryptographicmethodsand/orkeys

15.2 Default Accounts PCIcompliancerequiresthatyourserver'sdefaultaccounts(includingbutnotlimitedto:themysql“root”user,yourserver's“root”or“Administrator”,etc)needtohavesecureauthenticationcontrols(securecomplexpasswords),eveniftheaccountisnotused.Foreachofthe“default”accounts,setasecurepassword.Thenideallythoseaccountsshouldbedisabledornotused(ie:don'tlogintoyourserverusing“root”;instead,disable“root”accessandcreateanotheruserwithrootprivilegesandaverysecurecomplexpassword,andusethatuserforallserverlogin).MySQLForexample,yourMySQLdatabasemustnotuse“root”withoutasecurepassword.Inpracticethisdefaultaccountshouldnotbeusedatall.ForinstructionsonLinux,seetheAppendiceslaterinthisdocument,andforotherserverconfigurations,seetheMySQLdocumentationonline.ZenCartThereareno“default”accountsinZenCart.YoucreateyourownuniqueAdministratorLoginwhenrunningthezc_installsetupscript.However,ifyouchoosetoinstalldemodataanddonotcompletethefinalstageofzc_installtocreateanadminuser,thenthereWILLbeadefaultusernamed“Admin”withapasswordof“admin”.YOUMUSTCHANGEthatpasswordforPCIcompliance.Todothis,logintoyourAdminpanel,usingthat“Admin”userwithpassword“admin”,andclickthe“Account”linkinthetoprightcorner(nexttotheLogofflink)andclickthe“ResetPwd”button.Fillinthenewpasswordwithastrongsecurepassword(min7characters,withatleastonecapitalandonedigit)andclickUpdatetosavethenewpassword.Ifyoudon'tdothis,awarningmessagewillappearinyouradminconsoleuntilyoudo.OperatingSystemEveryoperatingsystemisdifferent.ForaLinuxserver,the“root”userexistsbydefault.Whoevermanagestheservermustbesuretosetanduseastrongpasswordforthisaccount.Orbetteryet,theyreallyshoulddisablerootloginaltogetherandusesecureSSHkeysand/ortwo-factorauthenticationtools.Securinganoperatingsystemisamuchlargertopicthanthisdocument.Consultthedocumentationforyouroperatingsystemforinstructionsonestablishingstrongsecurepasswordcontrolsforyourspecificsystem.OthersZenCarthasnootherspecificsystemdependencieswhichrequirepasswords.Butifyourservermakesuseofanyadditionalsoftwaretoolsforwhichapasswordiscreated,youmustALWAYSchangethosedefaultpasswordstousestrongsecurepasswords.Ifyoudon'tdothis,thenyou'releavingopenholesthathackerscouldpotentiallyuseasmaliciousattackvectorstodamageyourserverorstealconfidentialdata.

15.3 Strong Authentication Controls ReiteratingthenoteinSection5.1:itisrequiredthatyouusestrongpasswordsforaccountsondependentsubsystemssuchasMySQLusedtostoredatafortheapplication.Thatis:youmustcreateaMySQLuser(otherthan“root”oranyotherdefaultvalue)andassignastrongpasswordtothatuser,andthensupplythatusernameandpasswordtoZenCarttouse.And“root”shouldneverbeused–Seesections5.1and15.2.Inadditiontostrongpasswords,itisrecommendedthatyouinvoketwo-factorauthenticationforaccesstoyourZenCartAdminandtoyourserver'sconsole.

15.4 Secure Access a)FirewallIncaseitisnotself-evident,youshouldalwaysbeusingasecurelyconfiguredfirewallorpersonalfirewallproductonbothyourwebserverandanypersonalcomputerwithwhichyouaccessyourwebsite.b)Adminaccess(onecomponentof“non-consoleaccess”)Additionally,tofurtherreiteratepointsmadeinSections2.1,2.4and5.1,allnon-consoleaccess(thatis,anyaccesstoyourstore'sdataoradmintoolsotherthanfromthephysicalterminalscreenconnectedtothewebserveratthehostingcompany…sothatmeansALLaccessbyyou)totheAdminsectionmustbedoneoverHTTPSc)FTP,SFTP,RemoteAccess(anothercomponentof“non-consoleaccess”)Similartotheabovepoint,allremoteaccess(FTP,SFTP,allconnectionstothewebserverforalteringoraccessingthefileswhichrunyourstore)mustbedoneviasecurechannelssuchasSFTPorFTP-with-Implicit-TLS.

16. Appendices

16.1 MySQL Root Password Reset Asexplainedpreviously,forPCICompliance,youmustNOTallowMySQLtousethedefault(blank)passwordforthe“root”account.Tochangethe“root”password,followtheseinstructions:FromtheMySQLdocumentation:C.5.4.1. How to Reset the MySQL Root Password

If you have never set a root password for MySQL, the server does not require a password at all for connecting as root. However, this is insecure. For instructions on assigning passwords, see Section 2.10.2, “Securing the Initial MySQL Accounts”.If you know the root password, but want to change it, see Section 13.7.1.6, “SET PASSWORD Syntax”.If you set a root password previously, but have forgotten it, you can set a new password.C.5.4.1.3. Res et t ing the Root Pas sword: Gener ic Ins truct ions

The preceding sections provide password-resetting instructions for Windows and Unix systems. Alternatively, on any platform, you can set the new password using the mysql client (but this approach is less secure):1. Stop mysqld and restart it with the --skip-grant-tables option. This enables anyone to connect without a password and with all privileges. Because this is insecure, you might want to use --skip-grant-tables in conjunction with --skip-networking to prevent remote clients from connecting.2. Connect to the mysqld server with this command:shell> mysql 3. Issue the following statements in the mysql client. Replace the password with the password that you want to use.mysql> UPDATE mysql.user SET Password=PASSWORD('MyNewPass') -> WHERE User='root'; mysql> FLUSH PRIVILEGES; The FLUSH statement tells the server to reload the grant tables into memory so that it notices the password change.

You should now be able to connect to the MySQL server as root using the new password. Stop the server, then restart it normally (without the --skip-grant-tables and --skip-networking options).

16.2 Password Security in Zen Cart® Passwordsforbothcustomersandadministratorsareanimportantsubject.ZenCart®doesnotstoreunencryptedpasswords,andassuchcanneverrevealauser'spasswordtothatuserortoathirdparty.Passwordsareone-wayencryptedbygeneratinga128-bitsaltedbcrypt(blowfish)hashwherebcryptisavailable,oralternativelywithaSHA256hashusingasaltofequallength.PriorversionsofZenCart®implementasaltedMD5hashinaone-wayencryptionalgorithm.Oldpasswordsareautomaticallyupdatedtothenewencryptionmethodforgreatersecurity.ItisadvisabletousethelatestsupportedversionofPHPformaximumsecurity.TomaintainPCIDSScompliance,anycodingchangesmadetoauthenticationorpasswordcodeorconfigurationswouldneedtobeverifiedasprovidingauthenticationmethodsthatareatleastasrigorousasPCIDSSrequirements.

16.3 Wireless (WiFi) Networks Ifyouareusingawirelessnetworktoaccessyouronlinestore,itMUSTbeconfiguredsecurely.

• Yourwirelessroutershoulduseindustry-standardbest-practicesforstrongencryptionandtransmission,suchasthepopularIEEE802.11.ispecification.(Mostroutersalreadydothis,butyoushouldverifyit.)

• Thewirelessnetworkneedsapassword.• DONOTUSEthedefaultpasswordwrittenonalabelonthesideoftherouter,norone

listedinthemanualasthedefaultororiginalwirelesspassword.• Thewirelessnetworkmustuseastrongsecurecomplexpassword.Notsomethingeasily

guessed,andsomethingatleast7characterslong,withatleastonedigitandpreferablysomeuppercaselettersandsymbols.

• DONOTUSE“WEP”securitymode.UseWPA2withTKIPmodeifpossible.(AESislesssecure.)

• Changethedefaultadministrative“user”(oftencalled“admin”or“cusadmin”or“root”)anduseastrongcomplexpassword,notthesameasthewirelesspasswordabove.Minimum7characters,withatleastonedigitandpreferablysomeuppercaselettersandsymbols.

• SNMPcommunityfeaturesshouldbedisabled.OrtheSNMPcommunitynamesshouldbechanged;don'tleavethenamessetatdefaults.

• Securetherouterinaplacewheredisgruntledemployeesorunauthorizedpersonswillnotbeabletogainaccesstothephysicaldevice.Nobodyshouldbeabletoaccessthedevice'sresetbuttonwithoutauthorization,elsetheymightbeabletocompromiseyoursecurity.

Anytimeyou“reset”yourwifirouter(ie:typicallydonebypressingthelittle“pinhole”button)youwillneedtodoallthepasswordconfigurationonitagain.Anytimeyouremployeeschange(anyonewithknowledgeoforaccesstothepasswordsleaves),youwillneedtodoallthepasswordconfigurationagain,usingnewpasswords.Thesearecommonwirelesssecuritysettingsandpracticesthatshouldbeimplementedtoensurethesecurityofyouronlinebusiness.TheyarenotspecifictoZenCart®butneverthelessshouldbeimplementedforyourownsecurity.

17. Implementation Guide Changelog Date Version Changesfrompreviousversion10thOct.201022ndApril201111thMay201117May201124August201120Sept201126Sept20119Nov20118Aug201320Aug201322Oct20133Dec201320Feb201414Mar201420Apr20144July20144July201413Aug201414Nov201430Apr201515Mar2016Nov2018

1.41.51.61.71.7d1.7f1.7g1.81.91.9.11.9.21.9.31.9.41.9.51.9.61.9.71.9.81.9.8.21.9.8.31.9.8.41.9.8.51.9.8.6

Minorgrammaticalfixesandaddedsection7Addedsectionsregardingadminusers/profilesandPA-DSSregulationsrelatedtopasswords(section8etal)AddedSFTPguidanceandexplanationofunzip,FTP/SFTPAddedsectionaboutengaging3rd-partyservicesvsFTPetcAddeddiscussionaboutremovinghistoricalPAN/CVVdataAddnewsectionsforNetworkanddataflowdiagramsandnotationtoindicatethatcreditcardgatewaymoduleswillnotfunctionifHTTPSisnotenabled.Addedsectionexplaininghowtointegrateatwo-factorauthenticationsystemifrequiredinthemerchant'senvironmentAddedsectionexplaininghowtosecurelyeraseoldCHDAddedlinktoinstructionsforenablingSSLforentireadminAddedexplanationthattheinitialadminpasswordisonlytemporaryandmustbechangedonfirstlogin.Updateadmin-renameinstructions,andforupgrading(5.2)Addsectiononreviewingadminactivitylogs(8.5.1).PA-DSSRemediation,plusupdatingtrademarksymbolsAddedsection2.1,expandedsection4,andclarificationto5.1(2)Improvementstoconsistency.Updated“upgrade”sectiontext.UpdatedforPA-DSSv2requirements,andtoaddnew/logs/folder,StampZCv1.5.2.UpdatestoclarifywordingrelevanttoPA-DSSv2.0requirementsUpdatestocomplywithadditionalwordingrequiredbyPCIrules.AddedacopyofthegenericMySQLroot-passwordresetinstructions.UpdatestocomplywithfuturePA-DSSv3.0requirementsVersionupdateforZCv1.5.3MiscupdatesrequestedduringPA-DSSreviewVersionupdateforv1.5.4;updatedsectiononactivityloggingRemindertomaketheserverlog-exportfolderwritableAddedremindertoalwaysdownloadnewversionsviaHTTPSUpdated“SSL”referencesto“SSLforHTTPS”forclarity.VersionupdateforZC1.5.5,includingupdatedzc_installscreenshotsVersionupdateforZC1.5.6

implementation guide - zen-cart.com · ©zen cart® development team implementation guide – rev...

Documents

zen buddhist landscapes and the idea of temple - zen-

wine tasting 12th of september, 2013 (deli-cart.com)

the zen...

zen mind, beginner's mind - regina zen...

the zen definition – a guideline for the zen pilot...

entrematic zen - new-remote.com manuale d’uso per...

personal heating and cooling devices: increasing ... - fme...

zen flesh zen bones

zen os - open zen community network

zen decoders zen - gaugemaster.com€¦ · overview: zen...

zen rain - bestende.com · zen rain zen rain • zen rain...

cubicle zen

japanese aesthetic sense― zen and zen calligraphy，zen

zen alarm clock booklet - now & zen

zen cart(tm) implementation guide,...

zen-soft01-v4 zen support software operation manual

zen operation manual · 2019-11-02 · between the zen and...

2 ignite - · pdf filethree steps phase 2 supplements zen...

wine tasting 2014 12 06 sinterklaas (deli-cart.com)

a zen master in meditation, th century zen buddhism -...