implementation guide - zen-cart.com · ©zen cart® development team implementation guide – rev...

©ZenCart®DevelopmentTeam ImplementationGuide–rev1.9.8.6 Page1

ZenCart®Documentation

ImplementationGuide

forZenCart®Version1.5.6Document ImplementationGuideAuthor ZenCart®TeamDocumentRevision DocumentRev1.9.8.6DocumentRevisionDate 15November2018

Contentcopyright©2015ZenCartDevelopmentTeam.Allrightsreserved.Allcompanyand/orproductnamesmaybetradenames,trademarksand/orregisteredtrademarksoftherespectiveownerswithwhichtheyareassociated.


1. Introduction .................................................................................................................................. 5 2. Installation Requirements .............................................................................................................. 5

2.1 Before Starting, Ask Yourself These Questions: ..................................................................... 5 2.1.1 Do You Have A Domain? ............................................................................................... 5 2.1.2 Am I Using A Wireless Network? .................................................................................. 5 2.1.3 Are You Using a Personal Firewall on Your Computers? ................................................ 5 2.1.4 Do You Have A Good Text Editor Program? .................................................................. 5 2.1.5 Do You Have Access To Your Webhosting Control Panel to Create a MySQL Database and User? ...................................................................................................................................... 6 2.1.6 Do You Have Reliable FTP/SFTP Software?.................................................................. 6

2.2 Domain Name Requirements ................................................................................................. 7 2.3 Server Hardware Requirements ............................................................................................. 7 2.4 .................................................................................................................................................... 7 2.5 Server Software Requirements .............................................................................................. 7 2.6 Other Installation Requirements ............................................................................................ 9

3. Obtaining the Current Zen Cart®Release ................................................................................... 10 3.1 Verifying integrity using Hash Keys .................................................................................... 10 3.2 Patches ................................................................................................................................ 10 3.3 Updates/Upgrades ............................................................................................................... 10 3.4 Notification of New Releases/Updates ................................................................................. 10

4. Unpacking and Uploading the Application Software Files ........................................................... 11 4.1 Tools Required .................................................................................................................... 11 4.2 Unzipping/Unpacking.......................................................................................................... 11 4.3 Where Do I Upload To? ....................................................................................................... 11 4.4 Advanced Method ............................................................................................................... 12

5. Pre-Installation Actions ............................................................................................................... 12 5.1 New Installations ................................................................................................................. 12

5.1.1 File/Folder Permissions ............................................................................................... 12 5.2 Upgrades ............................................................................................................................. 13

6. Running the Web-Based Installer ................................................................................................ 15 6.1 New Installs ........................................................................................................................ 15

6.1.1 Introduction ................................................................................................................. 15 6.1.2 Step 1 Welcome and System Inspection ....................................................................... 16 6.1.3 Step 2 System Setup .................................................................................................... 19 6.1.4 Step 3 Database Setup.................................................................................................. 21 6.1.5 Step 4 Admin Setup ..................................................................................................... 22


6.1.6 Step 5 Setup Finished .................................................................................................. 24 6.2 Using zc_install to do The Database Upgrade Step of a Site Upgrade .................................. 24

6.2.1 Introduction ................................................................................................................. 24 6.2.2 Upgrading configure.php files, if necessary ................................................................. 25 6.2.3 Step 1 Welcome Screen and System Inspection ............................................................ 25 6.2.4 ............................................................................................................................................ 26 6.2.5 Step 2 Version-Upgrade Checkboxes ........................................................................... 26 ................................................................................................................................................... 27 6.2.6 Step 3 Database-Upgrade Step Finished ....................................................................... 28

7. Post-Installation Actions ............................................................................................................. 29 7.1 Changing The Admin Directory Name for Security (By-Obscurity) ..................................... 29 7.2 Enabling SSL for HTTPS in your Admin ............................................................................. 29 7.3 Setting Directory and File Permissions ................................................................................ 29 7.4 Removing the Installation Directory .................................................................................... 30 7.5 Blocked Administration Access ........................................................................................... 30 7.6 Removing Unnecessary Directories ..................................................................................... 31

8. Accessing the Administration Panel and Configuring Administrative Users and Passwords ......... 32 8.1 Introduction ......................................................................................................................... 32 8.2 Administrator Access to Credit Card Numbers .................................................................... 32 8.3 Administrative User Access and PA-DSS requirements ....................................................... 32 8.4 Users ................................................................................................................................... 33 8.5 Profiles ................................................................................................................................ 34 8.6 Admin Activity Logs ........................................................................................................... 35

8.6.1 Daily Log Review – Important Things To Monitor....................................................... 36 8.6.2 Review or Export Logs ................................................................................................ 37 8.6.3 ............................................................................................................................................ 38 8.6.4 Purge Log History action ............................................................................................. 38 8.6.5 PA-DSS Logging – Technical Details ........................................................................... 39 8.6.6 Centralized Logging .................................................................................................... 39

9. Code Customization, Addons, and Plugins .................................................................................. 41 10. Engaging 3rd-Party Consultants or Programmers .................................................................... 42

10.1 Webstore “Admin”/Backend access ..................................................................................... 42 10.2 FTP Access.......................................................................................................................... 42 10.3 Webhosting Account's Control Panel access ........................................................................ 43 10.4 Secure use of customer database and website files ............................................................... 43 10.5 Two-Factor Authentication .................................................................................................. 43


11. Removing Old Non-PCI-Compliant Data ................................................................................ 45 11.1 Removing Old Credit Card Data From Database Records .................................................... 45 11.2 Suggested Procedure For Secure Erasure of Old CHD data.................................................. 45

12. Network Diagram .................................................................................................................... 47 13. Dataflow Diagram ................................................................................................................... 48 14. Notes about PA-DSS Compliance ............................................................................................ 49

14.1 Cardholder Data .................................................................................................................. 49 14.2 Cryptographic Keys and Key Management .......................................................................... 49 14.3 Protocols, Services, Dependent Software and Hardware ...................................................... 50 14.4 Settings sensitive to PCI compliance ................................................................................... 50

15. Additional Requirements for PA-DSS Compliance .................................................................. 52 15.1 Consequences of altering the system to store cardholder data .............................................. 52 15.2 Default Accounts ................................................................................................................. 53 15.3 Strong Authentication Controls ............................................................................................ 54 15.4 Secure Access ...................................................................................................................... 54

16. Appendices ............................................................................................................................. 55 16.1 MySQL Root Password Reset .............................................................................................. 55 16.2 Password Security in Zen Cart® .......................................................................................... 55 16.3 Wireless (WiFi) Networks ................................................................................................... 55

17. Implementation Guide Changelog ........................................................................................... 57


1. Introduction ThisImplementationGuideismeanttohelpyounotonlywithimportantsubjectsrelatedtoinstallingorupgradingtheZenCart®applicationbutalsotounderstandtheissuesrelatedtosecurelyimplementingZenCart®inamannerthatisPA-DSScompliant.

PA-DSSItisarequirementofthePA-DSSthatyoufollowtheinstructionsinthisImplementationGuidewheninstallingorupgradingyourZenCart®application.Notealso,thatthisguideiswrittenforthev1.5.6releaseofZenCart®unlessotherwisenoted.

2. Installation Requirements

2.1 Before Starting, Ask Yourself These Questions:

2.1.1 Do You Have A Domain? IfNo,stopandrefertosection2.2forinformationaboutregisteringadomainforyourwebsite.Youneedadomainnametohostyourwebstoreonawebserver.

2.1.2 Am I Using A Wireless Network? Ifyouareusingawirelessnetworktoaccessyouronlinestore,itMUSTbeconfiguredsecurely.Thatmeanssecuringyourwifinetworkwithastrongcomplexpassword,andNOTusingtheoneprovidedbydefaultwhenresettingitorunboxingit.SeetheAppendixofthismanualforadditionalrequirementsforproperlysecuringyourwirelessnetwork.

2.1.3 Are You Using a Personal Firewall on Your Computers? Forsecurity,youshouldalwaysuseapersonalfirewallwhenaccessinganyonlinesystems,especiallyyourownonlinestore'sadministrationarea.

2.1.4 Do You Have A Good Text Editor Program? Ifno,stop…youwillneedagoodTextEditingapplicationsuchasVisualStudioCode,SublimeText,Notepad++,UltraEdit,BBedit,Kedit,ormaybeamoreadvancedtoollikePhpStorm.ThistexteditorapplicationwillbeusedformodifyingthefilesifyoucustomizetheZenCart®software.NOTE:DoNOTusecPanelforeditingfiles,norMicrosoftWordorothersoftwaredesignedforfancywriting…youwantanicecleantexteditorwhichdoesn'taddextra“junk”intothefiles.


2.1.5 Do You Have Access To Your Webhosting Control Panel to Create a MySQL Database and User?

BEFOREYOUPROCEEDTOINSTALLATION,makesureyouhaveaccesstoaMySQLdatabase,andusername/passwordtothatdatabase.Youmayneedtocreatethedatabaseusingyourwebhostingaccount'scontrolpanel.Contactyourwebhostingcompanyforassistance.ZenCart®cannotcreatethedatabaseforyou.Youmustuseastrongsecurepassword.(YouneedtograntthefollowingpermissionstoyourMySQLdatabaseuser:SELECT,INSERT,UPDATE,DELETE,CREATE,ALTER,INDEX,DROP.IfyoumustchoosefrommoregenericoptionssuchaswithanhSpherehost,thiswouldbeequivalentto“dba”accessoratleast“read/write”.)InafullyPCI-Complianthostingsetup,thedatabaseserverwouldbebehindaDMZ,onaseparateserverotherthanthemainwebserver.InthiscasetheDMZfirewallwillneedtohaveport3306openforcommunicationbetweenthetwoservers'IPaddresses.Itmayalsobenecessarytograntadditionalprivilegestothedatabaseusernameyoucreatedinthisstep.Yourserveradministrator(hostingcompany)canassistyouwiththeseconfigurationdetails.Youwillalsoneedtoknowtheappropriate“host”addressforthedatabaseserver.Ifitis“localhost”thenthatmeansthedatabaseisonthesameserverasthewebserverengine,whichisusuallynotaPCI-Compliantconfiguration.Yourhostingcompany/serveradministratorcanprovideyouwiththecorrect“hostname”orIPaddressforthedatabaseserver.Youwillusethisinformationduringinitialsetupviathezc_installscriptexplainedinthefollowingsections.

2.1.6 Do You Have Reliable FTP/SFTP Software? IfNo,stop.YouneedtoobtainareliableFTPsoftwarepackagesuchasFileZilla,WinSCP,orTransmit.Thisapplicationisusedtotransferfilesbetweenyourcomputerandyourwebserver.(“FTP”isaverycommonwebsiteacronymfor“FileTransferProtocol”)(“webserver”referstothecomputerontheinternetwhereyouhaveyoursite/domainhosted)YoushoulduseanFTPprogramcapableofconnectinginsecureSFTPmode(orFTP-with-Implicit-TLS)whenworkingwithyourwebsite.TutorialsonhowtouseFTP/SFTPareavailableonlinefromthevendorofyourFTPsoftware,orgenericallyfromanynumberofonlinereferencewebsites.Wheneveranyonementions“FTP”,youshoulduseSFTPorFTP-with-Implicit-TLSinstead.Thisincludesanysubcontractorsyouhiretoworkonyourwebsiteforyou.WhySFTPvsFTP?PlainFTPmodetransfersfilesinplain-textovertheinternet,whereasSFTP(“SecureFTP”)usesasecureencryptedconnectionfordoingthetransfer.Thisisimportantsincethefilesyouaretransferringto/fromyourservermayincludesensitiveinformation.UsinganSFTPconnectionwillcauseyourdatatobeencryptedasitistransferred,thusprotectingitfrompryingeyes.ManyFTPprogramscapableofSFTPareavailableforfreeorforamodestfeefromvariousonlinevendors.OneverypopularsuchapplicationisFileZilla,whichworksonbothWindows®andMac


OSX®.Somepeoplepreferthemoreadvancedlook/feelofpaidapplications.Thechoiceisyours.NOTE:Ifyourhostingcompanyprovidesafile-uploadserviceorFTPappthatrunsinsideyourbrowser,westronglyrecommendthatyouDONOTusethatforuploadinglargeamountsoffilestoyourserver.Theymayworkforindividualfiles,butareseldomreliablewhenuploadinglargenumbersoffilessuchasafreshinstallofZenCart,sincetheywilloftentimeoutwithoutshowinganyerror,andleaveyouwithadamagedsetoffileswhichoperateunpredictably.Incompleteuploadsarethemostcommoncauseofproblemsonnewsites.

2.2 Domain Name Requirements Youwillneedaregistereddomainname,connectedtoyourwebhostingaccountatyourwebhostingcompany.Ifyouneedtoregisteradomainname,werecommendusinghttps://hover.comTemporaryuseofmerelyanIPaddressmayworkduringinitialinstallation,buttoactuallyrunyourshopwillrequireuseofadomainname.Ifyourdomainisbrand-newandispendinginitialsetupbyyourhostingcompany,atemporarydomainnamemaybesuppliedtoyousoyoucangetstartedwithoutwaiting.Changingthedomain-nameinZenCart®afterinitialsetupwillrequiremanualeditingofyourconfigure.phpfiles.Anarticleonmakingsuchchangescanbefoundathttps://tutorials.zen-cart.com

2.3 Server Hardware Requirements ZenCart®itselfdoesnot“require”anyparticularhardware,aslongasthehardwareyouuseforyourhostingservicesupportsthesoftwarerequirementsthatfollow.However,youshouldbeawarethatsomehardwareconfigurationssuchasinadequateserverRAM,slowserverharddrives,excessivelyrestrictivefirewalls,etc,canadverselyaffecttheoperationoftheZenCart®application.

2.4

2.5 Server Software Requirements Technicallyspeaking,ZenCart®v1.5.6willworkwiththefollowingminimumrequirements: PHPversion>=5.4upto7.3 MySQLversion>5.1upto5.7.xorMariaDB10.1to10.3 Apacheversion>2.2or2.4However,forPA-DSScompliance,youmustusethelateststableversionsofPHP,MySQLandApache.Asofthedateofthiswriting,therecommendedversionsforPA-DSScomplianceare:

PHPversion>=7.2.12or7.3(ref:http://php.net)MySQLversion>=5.7.24or5.6.42(ref:https://dev.mysql.com/downloads/mysql)Apacheversion>=2.4.37(ref:https://httpd.apache.org)


Note:WhilewerecommendtheuseofApacheasyourwebserversoftware,ZenCart®willalsoworkwithMicrosoftIISandotherWebServers(e.g.nginx),howeversomesecurityfeatureswillceasetowork.Additionalinformationonthisisprovidedinthenextsectionregarding.htaccess.TheZenCart®PA-DSScertificationisperformedonLinux+Apache,sousingitonIISornginxinvalidatesthecertificationforyoursite,andwillrequireyoutoself-certifyusingyourownQualifiedSecurityAssessor.

PHPExtensionsYouwillalsoneedtoensurethatyourPHPversionhasthefollowingmodulesinstalled:

• cURL–Requiredforsomeshippingandpaymentmethods.(eg:sudoapt-getinstallphp-curl)

• OpenSSLsupport–UsuallythisiscompiledintoPHPandcURLuponinstallofPHPSSLCertificateforHTTPSUnlessyouwillhavenocustomersaccessingyoursiteviatheinternet,youwillwantanSSLcertificateaddedtoyourhostingaccount.A“shared”certificatemaywork,butdedicatedispreferredasitisamoreseamlessexperienceforyourcustomersandismucheasiertoconfigure.AnSSLCertificateisusedtoencryptsensitivedatawhentransmittingfromthecustomer'sbrowsertoyoursiteSecureTLS(particularlysupportforTLS1.2or1.3)TLSisusedtoencrypttransmissionsfromyoursitetopaymentgatewaysorothersystemslikeshipping-quoteservices,3rd-partyorderfulfilmentservices,etc.It'simportantthatyourwebserverbeproperlyconfiguredforTLStobeusedwithCURL,andnotsupportold/insecureversionsofSSL/TLS.SFTPorFTP-with-Implicit-SSL/TLSYouwillalsoneedtoensurethatyourhostingserviceallowsyoutouseSFTPorFTP-with-implicit-TLSfortransferringfilesto/fromyourhostingserver.Seesection2.1.6aboveformoredetail.


MySQLZenCartv1.5.6alreadyaccommodatesthis,butitismentionedhereforcompatibilityreasons:AsofMySQL5.6theNO_ZERO_DATEandNO_ZERO_IN_DATEmodesaredeprecated,andasofMySQL5.7theyareincludedinSTRICT_ALL_TABLESandSTRICT_TRANS_TABLESmodes.Ifyourdatabasecontainsfieldswith0000-00-00inthedataortheschema,youmayneedtoensurethatyourMySQLserverisconfiguredwitheitherSTRICT_ALL_TABLESorSTRICT_TRANS_TABLESmode…ormakeappropriatechangestoyourPHPfilesandthedataalreadyinyourdatabasetables,andyourdatabaseschema.SomestrictGROUPBYrulesmayalsoneedaddressing.

2.6 Other Installation Requirements

PA-DSS.htaccessrequirementsZenCart®usesApache.htaccessfilestobetterprotectsomedirectoriesforsecuritypurposes.YoushouldensurethatyourApachesettingsallowfortheuseof.htaccessfilesonyourWebserver(mostdo).IfyouareunsurepleasecheckwithyourHostingprovider.Specifically,ApachemustbeconfiguredwithAllowOverridesettoeither'All'oratleastboth'Limit'and'Indexes'parameters,andpreferablythe'Options'parameteraswell.eg:<directory/name-of-your-document-root-folder-here>AllowOverrideAll#Options-Indexes#uncommentthistopreventalldirectory-listings</directory>IISornginxIfyouarenotusingApacheasthewebserver(e.g.youareusingIISornginx)thenyoushouldtakestepstoprotectthedirectoriesinasimilarmannertothe.htaccessfilesZenCart®suggests.Inspecteach.htaccessfileinthedistributionfilesandbuildcorrespondingrulesappropriateforyourwebserverengine.SSLCertificatesforHTTPSYourwebservermustbeabletoservepagesusingSSLencryptionandyoushouldhaveanSSLcertificatecorrectlyinstalledforyourdomain.IfyoudonothaveSSLorareunsure,thenonceagainyoumustconferwithyourHostingprovider.TLS-YourwebservermustbeconfiguredtouseonlysecureversionsofTLS.SecureFTPYourhostingservicemustalsooffertheabilitytouseSFTPorFTP-with-implicit-TLSfortransferringfilesto/fromtheserver.


3. Obtaining the Current Zen Cart®Release ThecurrentreleaseisobtainableviaSourceForge:https://sourceforge.net/projects/zencart/filesorAmazonAWSviahttps://www.zen-cart.com/latest_https.Thereleaseisprovidedasa.zipfile.ForPCICompliance,youshouldverifytobesureyourbrowserisactuallydownloadingviaHTTPS.

3.1 Verifying integrity using Hash Keys Hashkeysareawayofcheckingthevalidityofazipfile.WeprovidebothMD5andSHA1hashesforthecurrentrelease.ThevalidationhashescanbeseenbelowthedownloadlinkonthehomepageoftheZenCart®supportwebsiteathttps://www.zen-cart.com.ThehashesarealsoshownonSourceForge.ThereisalsoinformationonhowtouseandcheckthehashkeysinthefollowingFAQarticle:http://www.zen-cart.com/content.php?305-how-to-validate-the-integrity-of-a-downloaded-file

3.2 Patches Thenormaldistributionofupdatesistoreleaseanewversionwithfixesincluded.Intherareoccasionthataseparate.zipfileisreleasedasapatch,thesamehash-verificationdescribedaboveshouldbeperformedonthezipfilebeforeunzippingtoinstallitonyourwebsite.Again,thesezipswillbereleasedonSourceForge.

3.3 Updates/Upgrades Updatesmustbeperformedmanually.Thereisnobuilt-inautomatedfacilityforupgradingthesoftware.(Thesoftwarecanautomaticallybringyourdatabasecontentup-to-datewhenupgrading,butthisONLYhandlesthedatabasedata,andnotthePHPfileswhichruntheactualsoftwarelogic.)PCI-DSSandPA-DSSrequiresthatwespecificallyinformyouthat“thepaymentapplicationdoesnotreceiveautomaticupdates”andfurtherrequiresthatwhenyouoryouragentinstallsupdatesthattheydosoinasecurePCI-DSSandPA-DSScompliantmanner,andthataccessforsaidpurposeislimitedtothedurationoftimerequiredtoperformsaidtasksandaccessisremovedthereafter.Seesection10ofthisguideformoreguidance.

3.4 Notification of New Releases/Updates Therearenumerouswaystobecomeawareofanewrelease.Butallupdatesareobtainedmanuallybythemerchantthemselves,andtransmittedtotheserverthemselves.Installationisnotautomated.

• NotificationinyourAdminconsole.Thereisabuttonintheupperrightcornerofyouradminconsolewhichcanbeusedtocheckfornewversions.Insomecasesthisbuttonmayautomaticallydisplayamessagethatanewversionisavailable.ThisisdonebyqueryingtheZenCart®versioningservertodeterminewhatthelatestversionnumberis.ItdoesnottransmitanyspecificinformationtotheZenCartversioningserver.Itsimplycomparesyourversionwiththelatestversionavailable,andinformsyouifthereisadifference.


• NotificationpostsontheZenCart®supportsite.YoucansubscribeyourselftothesenoticesbyregisteringontheZenCart®supportsiteandclickingtheSubscribeoption(link)intheNewsAndAnnouncementssection.

• AlertsonSourceForge.netortheZenCart®wikisite,andthe@ZenCarttwitterfeed.

4. Unpacking and Uploading the Application Software Files

4.1 Tools Required Beforeyoucanunpackanduploadthefilestoyourserver,youwillneedtwoimportanttools:

• An“unzip”utility,suchas7-zip,WinZip,unRar,BetterZip,etc.Manyunziputilitiesareavailableforfree,forvariouscomputeroperatingsystems.Chooseonethatsuitsyourcomputerbest.IMPORTANT:Whenyouunzip,youneedtoensurethatyourunzipprogramretainstheembeddedfile-structure.Usuallythatsettingisproperly“on”bydefault,butifitpromptsyousaying“xxxxxxfilealreadyexists–overwrite?”orsimilar,thenit'smostlikelyonlyextractingthe“files”andnotalsothe“folders.Inthatcaseyou'llneedtomakeappropriateadjustmentstoyourunzipapplicationsettingsbeforeyoucanproperlyunziptheZenCart®files.

• AnFTPapplicationcapableofSFTP.Seesection2formoreinformationonFTPandSFTP.YoumustusestrongsecurepasswordsforyourFTP/SFTPaccesstoyourwebserver.

4.2 Unzipping/Unpacking TheZenCart®releaseispackagedasazipfile.Youwillneedtounzipthisfileusinganappropriatetool/applicationonyourlocalcomputer,beforeuploadingittoyourwebserver.NOTE:Whenyouunzipthefileitwillcreateafolder,whichwillbenamedsomethinglike

zen-cart-v1.x.x-xxxxxx...NOTE:Youshouldnotuploadthis“zen-cart-v1.x.x.-xxxxx...”directorytoyourwebserver,butratherthecontentsofthatdirectory.

4.3 Where Do I Upload To? Thedirectoryonyourwebserverthatyouneedtouploadtoisusuallyspecifictothehostingplatformyouareusing,andyouwillneedtocheckthosedetailswithyourhost.Usuallythiswillbethe“public_html”or“www”or“httpdocs”or“http”folder,dependingonhowyourhostingcompanyhasconfiguredtheirserver.Basically,inyourFTPapplication,lookfora“public_html”or“www”or“htdocs”or“httpdocs”or“wwwroot”folder.Thesearethecommonfoldernamesforwhatisreferredtoasthe“webroot”,whichiswhereallwebsitecontentisservedfrom.YourZenCartfiles(oranyfilestorunyourwebsite,forthatmatter)needtobeunderthatfolder.Ifthey'renot,thenyou'regoingtoencounter“notfound”errors…becausethecontentisnotfound!


4.4 Advanced Method Youcanoptionallysavesometimebyuploadingthezipfiledirectlytoyourserver(usingFTPetc.),andunpackingitinsituifyourhostingcompanyprovidesyouameansofunzippingfilesontheserverside.Talktoyourhostingcompanyaboutthis.

5. Pre-Installation Actions

5.1 New Installations BeforerunningtheZenCart®installeryouwillneedtoaddressthefollowing.

1) MySQLDatabaseEnsurethatyouhavecreatedanemptyMySQLdatabase(andcorrespondingusernameandstrongsecurepassword)forusewithZenCart®.Howyoudothisdependsonyourhostingconfiguration.UsualmethodsincludeusingcPanelorphpMyAdmin.Ifyouareunsure,pleasecheckwithyourhostingcompany.StrongsecurepasswordsarerequiredforPCI/PA-DSScompliance.ForPCIcompliance,youmustNOTusethe“root”accountforyourdatabasecredentials.Also,seesection2fornotesaboutMySQLconfigurationdetailsneededforproperlyconfiguringitinasecureDMZscenario,asrequiredforPCIcompliance.

2) configure.phpfilesTwofilesneedtobecreatedontheserver.Thesearetheconfigure.phpfilesthatwillcontainimportantinformationtoidentifythesettingsofyourparticularserverandthelocationofthefilesthatyoujustloaded.Aftertheyhavebeencreated,youwillthenneedtochangethepermissionsonthesefiles.

Foranewinstall,thesimplestwaytodothisistorenamethesetwofiles:- /includes/dist-configure.phpto/includes/configure.php-/admin/includes/dist-configure.phpto/admin/includes/configure.php

3) Setfileandfolderpermissionsasexplainedinthenextsection.

5.1.1 File/Folder Permissions ChangingpermissionsonthesefilescanoftenbedoneusingyourFTPapplication(unlessyouarehostedonaWindowsserver).Or,youcanuseaFileManagerconsoleprovidedbyyourhostingcompany'scontrolpanel.Ifyouneedhelpunderstandingtheconceptsoffilepermissionsandsomegeneralguidanceonmakingthesechanges,consultthistutorialarticle:http://www.zen-cart.com/content.php?51-how-do-I-set-permissionsInthefollowinginstructions,the“INSTALL_DIRECTORY”isthe“webroot”folderintowhichyouuploadedyourZenCartfilesasexplainedintheprevioussection.

4) EnsurethattheINSTALL_DIRECTORY/includes/configure.phpandINSTALL_DIRECTORY/admin/includes/configure.phparewriteable.Thesefileneedstobewriteableduringtheinstallationonly,sothattheinstallermaysavesomeimportant


settingstothem.Oncetheinstallationiscompleteyouwillneedtomakethefilesreadonlyagain.

5) EnsurethatthedirectoryINSTALL_DIRECTORY/cacheiswriteable.Thisdirectoryneedstobewriteable,astheZenCart®applicationmayneedtostoresomeimportantfileshere(ie:SessionandCachedata).

6) EnsurethatthedirectoryINSTALL_DIRECTORY/logsiswriteable.Thisdirectoryneedstobewriteable,astheZenCart®applicationmayneedtostoresomeimportantfileshere(ie:namelyPHPerrorlogsanddebugoutput).

7) EnsurethatthedirectoryINSTALL_DIRECTORY/imagesiswriteable.Theimagesdirectoryneedstobewriteabletoallowfortheuploadingofproductandotherimagesthatyouwilluseinyourstore.Youradminbackendwillbeusedforuploadingproduct/categoryimageshere.

8) EnsurethatthedirectoryINSTALL_DIRECTORY/pubiswriteable.Thepubdirectoryneedstobewriteabletoallowforthedownloadingofanyvirtualproductsthatyousell,eg.Mediafiles(mp3/wmv/pdf).Ifyoudonotintendtoeversellthesetypesofproductsthenthisdirectorydoesnotneedtobewriteable.

9) EnsurethatthedirectoryINSTALL_DIRECTORY/admin/images/graphsiswriteable.Thisdirectoryneedstobewriteabletoallowforthecreationofgraphimagesthatrepresentthestatisticsforanybannersyoumayserve.Ignorethisifyou'renotusingtheBannerManager.

Note:Afterinstallationiscomplete,youwillneedtochangesomepermissionsagain.Moreinformationisgivenlaterinthisdocument(SeethesectiononPost-InstallationActions.)

5.2 Upgrades Upgradingyoursitebetweenv1.xversionsisonlyascomplexastheamountofcustomizationyou'vemadetoyoursite.You'llneedtoconsiderupgradestoanyplugins/addonsyou'veinstalled,aswellaschangesyou'vemadetoanycorefiles,andanychangesmadebyoverridingfileswithcustomversionsofthosefiles.AproperFULLUPGRADEbetweenv1.xversionsisessentiallyarebuildofyourcurrentsite,butusingthenewversion.Whilethatmaysounddaunting,itdoesn'tneedtobe.ThereareautomatedtoolssuchasWinMergeorBeyondComparewhichcanhelpyouquicklyidentifyallthechangesyoumadetoyouroldsite,sothatyoucaneasilyre-makethosechangestoyournewsite.Alwaysreadthe“WhatsNew”and“ChangedFiles”logslocatedinthe/docs/folderofthenewversion'srelease-zipfile,becausespecificupgradeinstructions,ifany,foreachversionwillbelistedthere.

Warning:Youshouldneverdirectlyupgradealivesite.Alwaystestitseparatelyfirst!

Yourupgradeshouldbestagedusingaseparatefolder+databaseonyourserver,andthenmigratedtothelivesiteonlyafteryou'vetestedtoconfirmthatnoproblemshavebeenintroducedinyourimplementationoftheupgrade.


Asimplifiedguideforupgradingisfoundathttp://www.zen-cart.com/entry.php?3-How-do-I-rebuild-my-site-on-the-new-versionPleaseseehttp://www.zen-cart.com/upgradesforguidanceregardingupgradingyoursite.


6. Running the Web-Based Installer

6.1 New Installs

6.1.1 Introduction ToruntheZenCart®installationwizard,youwillneedtouseyourbrowsertoaccessthewebserverwhereyouinstalledZenCart®.Theinstallationwizardisaccessedfromthefolder/zc_install.Soifyouhavesetyourwebserveruptobeaccessedashttp://www.MY_DOMAIN.com/Thenyouwouldneedtosetyourbrowserurltohttp://www.MY_DOMAIN.com/zc_install/Note.IfyouattempttoloadtheURLwhereyourstorewillultimatelyreside,beforerunningtheInstallationwizard,youmaygetablankpage,orascreenthatlookslikethescreenshotbelow.


6.1.2 Step 1 Welcome and System Inspection TheSystemInspectionpagechecksthatvariousrequiredwebservercomponentsexist,andpermissionsaresetcorrectlyfortheZenCart®applicationtofunctioncorrectly.Youshouldreviewallitemsonthispageandtakeanynecessaryactionstocorrectproblemshighlightedhere,beforecontinuing.Thisscreenshotshowsthewarningaboutmissingconfigure.phpfiles(whichyoucreatemanually):


Onceyou'vecreatedthosemissingfilesandmadethemwritable,clickRefreshandtheinspectionwillrunagain,showingyouanynecessaryupdatedsuggestions.


Whenitispossibletoproceed,the“CleanInstall”buttonwillappear,asshownhere:

Theimageabovehasanindicatoraboutsomepre-existingconfigure.phpfiles.Ifthisisyourfirstinstall,youwon'tseethefirstgreenboxabove.IfyoualreadyhaveaZenCartstoresetupinthisdatabase,youmayalsoseean“Upgrade”buttonhere.Ifyouclick“CleanInstall”here,youwilleraseanyZenCartdataalreadyinthatdatabase.Forinstructionsondoingupgrades,seethechapteronupgrading,laterinthisguide.


6.1.3 Step 2 System Setup


6.1.3.1 Agree to license terms Clickthe“Agreetolicenseterms”textontheleftcolumntoviewtheGPL2licenseterms.Thencheckthecheckboxtoindicateyouragreementtothelicense.

6.1.3.2 Admin Server Domain EntertheURLtoyourstorehere.Itshouldhavebeenauto-detectedforyou.ButifyoursitehasSSLcapability,youshouldputtheSSLURLhere.Additionally,ifyourSSLisactually“sharedSSL”whichusesaURLdifferentfromyourstore'sactualdomainname,enterthatshared-SSLURLhere.

6.1.3.3 Enable SSL for Storefront? ThisdetermineswhetherZenCartwilluseHTTPSforthestorefrontsideofyourstoretoautomaticallyencryptcommunicationsonpageswhichcollectsensitivedata.Ifyoudon'thaveanSSLcertificateenabledinyourhostingserviceyet,uncheckthebox.Youcanenableitlatermanuallybyfollowingthistutorial:http://www.zen-cart.com/content.php?56-how-do-i-enable-sslNOTE:TouseSSL,ZenCart®reliescompletelyonyousupplyingvalid/workinghttps://URLs!Ifyoursitedoesn'thaveworkingSSLyet,thenyourZenCart®storewillbebrokenuntilyougetSSL,ordisableit.

PA-DSSTocomplywithPA-DSSyouMUSTenableSSL(ie:useHTTPS).Whenenabledhere,ZenCart®willautomaticallyactivateSSLonstorefrontpageswhichneedit(ie:checkout,myaccount,login,etc)aslongastheoptionisenabledhere.Additionally,built-inpaymentmoduleswhicharecapableofacceptingcreditcardsdirectlyonyoursitewillNOTfunctionifyoudonothaveSSLcapabilityavailableandenabledinZenCart®.

6.1.3.4 Storefront HTTP Domain ThisistheURLthatwillbeusedtoaccessyourstore.Again,auto-detectionshouldhavechosenthecorrectsettingandyoushouldonlychangeitifitisincorrect.

6.1.3.5 Storefront HTTP URL Ifyourstoreislocatedinasubdirectorywithinyoursite,thenaddthatsubdirectoryhere.Elsejustuseyourdomainname.Thisisnormallyauto-detectedforyouandnochangesnecessary.

6.1.3.6 Storefront HTTPS Domain Thisisthedomainnameforyourstore,butstartswithhttps://…butifyou'reusing“shared-SSL”thenyou'llneedtoputthepropershared-SSLdomainhere.OtherwisesameasStorefrontHTTPDomain.

6.1.3.7 Storefront HTTPS URL Ifyou'reusingsharedSSL,thensometimesthereisaneedtoaddausernameorsubdirectorytotheendoftheSharedSSLURLsuppliedbyyourhostingcompany.Enterthathere.Otherwiseuse


thesameasStorefrontHTTPURL.

6.1.3.8 Storefront Physical Path ThisisthelocationoftheZenCart®applicationfilesontheharddriveofyourserver.Generallythesystemwillauto-detectthis,andyoushouldonlychangeitiftheauto-detectionhasnotchosenthecorrectpath.

6.1.4 Step 3 Database Setup Clickthetitlewordsintheleft-columnformoredetailedinformation.Seesection2forreference.


6.1.5 Step 4 Admin Setup

6.1.5.1 Admin Superuser Name: Thisistheusernameusedtoinitiallyaccessyourstore'sadministrationpanel.ThisuserhasaccesstoallofthefunctionalityoftheAdministrationpanel.Youcansetupadditionaluserswith


restrictedpermissionsoncetheapplicationhasbeeninstalled.

6.1.5.2 Admin Superuser Email ThisistheemailaddressoftheinitialAdministrator,andmaybeusedforsendingpasswordresetsortestingoutgoingemailnewslettersetc.Typeitagaintoconfirmyoudidn'tmakeanytypos.

6.1.5.3 Admin Password Thisisanauto-generatedTEMPORARYpassword,andyouwillbepromptedtosetyourownpasswordafterusingthistemporarypasswordforyourfirstlogintoyouradminarea.

6.1.5.4 Admin Directory Theinstallerwillattempttoautomaticallyrenameyouradminfoldertosomethingotherthan“/admin”.Itwillshowyouherewhatthatnewfoldernameis.Youwillusethatfoldernametologintoyouradminpanelonthenextscreen.


6.1.6 Step 5 Setup Finished Nowthatsetupisfinished,anumberofpost-installationinstructionsarepresentedforyoutofollow.FurtherdetailsareenumeratedinSection7–Post-InstallationActivities,laterinthis

guide.

6.2 Using zc_install to do The Database Upgrade Step of a Site Upgrade

6.2.1 Introduction UpgradingconsistsofbothmanuallyupdatingthePHPfilesonyoursite,aswellasupgradingthedatabasestructuretoworkwiththenewrequirementsofthenewversion.ITISNOTENOUGHTOSIMPLYUPGRADETHEDATABASE.YOUMUSTALSOUPGRADEALLYOURPHPFILESACCORDINGTOTHEINSTRUCTIONSCONTAINEDINEACHINDIVIDUALRELEASE.ThedocumentyouarereadingheredoesnotaddressdoingthePHPfileupdates.Seetheproperupgradedocumentationathttp://www.zen-cart.com/upgradestounderstandanddothefullupgradeprocess.TheinstructionsbelowONLYdealwiththedatabase-sideoftheupgrade


step.DATABASEUPGRADESTEP:Todothedatabaseupgradestep,youwillusezc_installjustasyouwouldforamanualnewinstall:ToruntheZenCart®installation/upgradewizard,youwillneedtouseyourbrowsertoaccessthewebserverwhereyouinstalledZenCart®.Theinstallationwizardisaccessedfromthefolder/zc_install,ie:http://www.MY_DOMAIN.com/zc_install/Theupgradedialogsareexplainedonthefollowingpages...

6.2.2 Upgrading configure.php files, if necessary Thefirststepthatzc_installwilldoisinspectyourexistingconfigure.phpfiles,andoffertoupdatetheirformatiftheyappeartobefromanolderversion.(ThenewerfilesareMUCHleaner,andsimplertoreadandmaintain.)

6.2.3 Step 1 Welcome Screen and System Inspection Whenyoustartzc_installinconjunctionwithadatabasefromanolderversion,theInspection


willtellyouthatanupgradeisavailable,andwillgiveyouabuttontoproceedwithupgradingyourdatabase.Youmayfirstseeafewwarningsthatneedattention,suchasensuringyourconfigure.phpfilesarewritable(sothatzc_installcanauto-upgradethosefilestothenewformat).The“upgrade”buttonwillnotappearuntilcriticalissuesarefirstresolved,asdescribedon-screen.

6.2.4

6.2.5 Step 2 Version-Upgrade Checkboxes Nowyouarepresentedwithalistofversion-upgradestepsthatzc_installiscapableofupgradingforyou.Thesystemwillpre-inspectyourdatabaseandpre-checkthecheckboxesfortheversionstepswhichneedupgradesperformedinyourdatabase.Inanormalupgrade,yousimplyneedtoleavethecheckboxesas-is,andscrolltothebottomofthepageandfillinyourAdminusernameandpasswordandclickUpdateDatabaseNowtoauthorizetheupgrade.Checkingoruncheckingadditionalboxesisanadvancedtroubleshootingactivitywhichwould


onlyberelevantintheeventofaseriousproblemrequiringoverridingofnormaloperation.AsforhelpontheSupportForumiftheversiondetectiondoesn'tautomaticallyworkasexpected.


Aftersubmittingtheform,theupgradeprogresswillbeshownasitgoesthrougheachstage,similartotheimagehere:

Iftherearenoerrors,itwillautomaticallyprogresstoa“SetupFinished”screenwithsomefinalinstructionssuchasremovingthezc_installdirectorynowthatyou'redone.Besuretoturnoffmaintenancemode,viayourAdmin,asdescribedinthenextsection.ANDbesuretoupgradetherestofyoursite'sPHPfiles,followingtheupgradeguidanceathttp://www.zen-cart.com/entry.php?3-How-do-I-rebuild-my-site-on-the-new-version-instead-of-upgrading

6.2.6 Step 3 Database-Upgrade Step Finished REMEMBER:AnupgradeisNOTCOMPLETEifyoudonotALSOupgradeallyourPHPfilestoworkwiththenewversion.Thisinvolvesreconstructingyourcustomizationsinthenewversionsofthefiles.WiththeDatabaseUpgradestepcomplete,ifyourPHPfileshavealsobeenupdatedandyourcustomizationsmergedintothem,thenyou'rereadytologintoyourAdminandturnofftheDown-For-MaintenancemodeviaAdmin->Configuration->WebsiteMaintenance


7. Post-Installation Actions

7.1 Changing The Admin Directory Name for Security (By-Obscurity) WhenZenCart®isinitiallyinstalled,theadminpanelisfoundatINSTALL_DIRECTORY/adminSincethename“admin”ispubliclyknown,leavingitas“admin”posessomedegreeofsecuritythreat.Therefore,zc_installwillnormallyattempttorenameitforyouandtellyouthenewnameduringthelaststepofzc_install.However,ifitwasunabletodotherename,thenbeforeyoucanaccesstheadminpanelyoumustchangethenameofthatdirectorytosomethingdifficulttoguess.Ifyoudonot,youwillseethewarningmessagementionedinsection7.5below.ChangingtheadmindirectoryinvolvessimplyrenamingtheadminfoldernameusingyourFTPprogram,andisexplainedindetailinthistutorial:http://www.zen-cart.com/content.php?75-how-do-i-rename-my-admin-folder-to-prevent-unauthorized-access

7.2 Enabling SSL for HTTPS in your Admin ForPA-DSScompliance,allnon-consoleaccess(ie:allbrowseraccess)toyouradminareamustbeviaHTTPStoensurestrongcryptography.Todothis,simplyensurethattheHTTP_SERVERURLinyour/renamed-admin/includes/configure.phpfilecontainsaURLbeginningwithhttps://….

7.3 Setting Directory and File Permissions AsmentionedinthePre-InstallationActionssectionofthisguide,anumberofdirectoriesandfilesneedspecialpermissionsinorderforZenCart®tofunctioncorrectly.Ataminimumtheseinclude:

• ThedirectoryINSTALL_DIRECTORY/cacheneedstobewriteable.• ThedirectoryINSTALL_DIRECTORY/logsneedstobewriteable.• ThedirectoryINSTALL_DIRECTORY/pubneedstobewriteable.• ThedirectoryINSTALL_DIRECTORY/imagesneedstobewriteable.• ThedirectoryINSTALL_DIRECTORY/admin/images/graphsneedstobewriteable.

Alsoduringinstallationyouwillhavecreatedthesefileswithwritepermissions:

• INSTALL_DIRECTORY/includes/configure.phpand


• INSTALL_DIRECTORY/admin/includes/configure.phpForsecurity,these2filesshouldhavetheirpermissionschangedsothattheyareread-only.Ifyouneedhelpunderstandingtheconceptsoffilepermissionsandsomegeneralguidanceonmakingthesechanges,consultthistutorialarticle:http://www.zen-cart.com/content.php?51-how-do-i-set-permissions-on-files-and-foldersN.B.TheZenCart®applicationwillattempttoautomaticallysetthepermissionsofthesetwofilestoread-onlyafterinstallationiscomplete.Howeverthisdoesn'tworkautomaticallyonallservers,andyoushouldensurethatthisitisdoneproperly.(Warningswillbeprominentlydisplayedifthepermissionsonthesefilesareincorrect.)

7.4 Removing the Installation Directory Onceinstallationiscompleted,youmustremovetheINSTALL_DIRECTORY/zc_installfolder.Leavingthezc_installfolderonyourserverposesasecurityrisk,sincesomeonecouldpossiblydeleteyourstoredatabasecontentiftheygainedunauthorizedaccesstoit.Thus,untilyouremovethezc_installdirectory,awarningmessagewillbepresentedifthefolderexistswhenyouaccessyouradminconsole.

7.5 Blocked Administration Access Pleasenote,ifyouhavenotchangedyouradmindirectory,orhavenotremovedtheinstallationdirectorythenyouwillnotbeabletoaccesstheAdministrationconsoleandyouwillbepresentedwithascreenasbelow.

Furtherdetailsonhowtochangethenameoftheadmindirectorycanbefoundat


http://www.zen-cart.com/content.php?75-how-do-i-rename-my-admin-folder-to-prevent-unauthorized-access

7.6 Removing Unnecessary Directories Onceinstallationiscompleted,youshouldremovethesetwofolders,topreventsnoopersfromgaininginformationaboutyoursitethattheyhavenobusinessknowing,suchasyourZCversion,andsoon:-INSTALL_DIRECTORY/docs-INSTALL_DIRECTORY/extras


8. Accessing the Administration Panel and Configuring Administrative Users and Passwords

8.1 Introduction ZenCart®includesasystemformanagingmultipleadminusersandrestrictingtheaccessofthoseuserstoonlycertainfunctionsoftheAdministrationsystem.Initiallyonlyoneuseriscreated(Theuser/passwordyoucreatedduringinstallation).Thisuserisassigneda'Superuser'profile,andhasaccesstoalladministrationfunctionality.Additionalprofilescanbecreatedtoofferlesserpermissionstospecificadministrativeusers.Thisisexplainedfurtherinthefollowingsections.

PA-DSSSinceyouwillprobablyhaveperformedtheinstallationwithoutusingHTTPS,thereisa(small)possibilitythatasomeonemighthaveinterceptedyouradminusername/password.Ifyoudon'thaveHTTPSenabledonyoursiteyet,youneedtodothatNOW(seesection7.2ofthisguide),andthenchangeyouradminpassword.

8.2 Administrator Access to Credit Card Numbers ZenCart®doesn'tstorecompletecreditcardnumbers,noranysensitive/authenticationdatasuchasexpirydatesorCVVnumbers.Allstorageofcardnumbersconsistsofonlythefirst4-6digitsandthelast4digits,inaccordancewithPCIandmerchantagreementrules.Theonlyplacewherethesepartialcardnumbersarevisibleiswhenviewinganorderintheadministrationscreens,viaAdmin->Customers->Orders.Andifpaymentwashandledcompletelyoffsitethenit'sunlikelythatanyofthepartialcardnumberwillshowatall.

PCIDSSForPCIcompliance,youarenotpermittedtoalterthedatabasetobeabletostorecompletecardnumbers,norstorethemunencryptedinanywayunlessyouusecompletecryptographickeyinfrastructureandundergoyourownPCIassessmenttoauthorizethosechanges.Anyalterationofthisnature,oranyuseof3rd-partymoduleswhichprovidesuchfeaturesrequiresyourownPCIassessment,elseyouarenotPCIcompliant.Discussedmoreinchapter15.

8.3 Administrative User Access and PA-DSS requirements BeforemovingontohowAdminusersaremanaged,therearesomefundamentalchangesthathavebeenmadeinthisareastartingwithZenCart®v1.5.0inorderfortheapplicationtomeet


PA-DSSrequirements.Maliciousindividualswilloftentrytofindaccountswithweakornon-existentpasswordsinordertogainaccesstoanapplicationorsystem.Ifpasswordsareshortorsimpletoguess,itisrelativelyeasyforamaliciousindividualtofindtheseweakaccounts,andcompromiseanapplicationorsystemundertheguiseofavaliduserID.ThePA-DSSrequirementsareasfollows:

• Eachadminusermusthaveauniqueusername.DONOTshareadminusernameswithothers.Createseparateusersforeachpersonaccessingyourstore'sadminsection.

• Passwordsmustbeatleast7charactersinlengthPasswordsmustconsistofamixoflettersandnumbers(alphanumeric)

• Passwordsandusernamesarecasesensitive• Passwordsmustbechangedevery90days

Whenchangingpasswords,userswillnotbeabletochooseapasswordthatwasusedintheprior4passwordchanges

• Whenattemptinglogin,ifanincorrectusername/passwordisenteredmorethan6timesinarow,accesstotheadministrationsystemwillbelockedoutfor30minutes(Forevengreaterprotection,ZenCart®alsoimplementsadditionalanti-brute-forceprotectionmeasuresbeyondthisrequirement.)Thislockoutcanbeoverriddenonlybyanotherauthorizedadministrator,aftertheyfirstconfirmtheidentityofthepersonrequestingtheoverride(ie:talktothepersontowhomtheaccountbelongs,tobesurethey'renotamaliciousintruder)

• Theadministrationsystemhasa15minuteinactivitytimeout.Thatis,ifnopagesareaccessed(noclickswhichsubmitdataorloadanewpage)withina15minuteperiod,theadminuserwillbeforcedtologinagain.Extendingthistimeoutperiodwillinvalidateyourstore'sPCICompliance.

Alteringthecodetorelaxtheserequirementswillinvalidateyourstore'sPCICompliance.Further,thewordingofthePA-DSSis:“tomaintainPCIDSScompliance,anychangesmadetoauthenticationconfigurationswouldneedtobeverifiedasprovidingauthenticationmethodsthatareatleastasrigorousasPCIDSSrequirements.”DisablingPCIpassword/timeoutfeatures:NOTE:IfyouusetheswitchinAdmin->Configuration->MyStoretodisablethePA-DSSAdminSessionTimeoutEnforced,orthePA-DSSStrongPasswordRulesEnforcedsettings,YOUAREMAKINGYOURSITENOLONGERPCICOMPLIANT.Discussedinchapter14.4

8.4 Users YoucaneasilymanagetheuserswhoareallowedaccesstotheadministrationsystemusingtheAdminAccessManagement→AdminUsersmenuentry.Fromthisscreenyouwillbeabletoadd,deleteandchangethedetailsofAdminusers.NOTE:ForPCIDSScompliance,everypersonwithadministrativeaccessmusthavetheirown


uniqueuserIDandpassword,andshouldneverre-usethesameID+passwordonmorethanonesystem.

ClickingtheeditbuttonwillallowyoutochangetheAdminUsername,AdminUseremailaddressandtheprofileassignedtothatuser(althoughyoucannotchangetheprofileassignedtotheinitialAdminUser).

Clickingthe“resetpwd”buttonallowsyoutochangethepasswordassignedtotheuser.NOTE:Thesystemonlyacceptsuniqueusernames,thusnotwouserscanhavethesameuniqueuseridatanygiventime.

8.5 Profiles Profilesdescribewhichfunctionsintheadministrationsystemausercanaccess.Initiallyonlyoneprofileisavailable,the'Superuser'profile,whichgivesaccesstoalltheadministrationsystem.

Howeveritisalsopossibletocreateprofiles,sothatdifferentusersonlyhaveaccesstoasubsetoftheadministrationsystem.Forexample,youmayhaveusersthatonlyneedtorunreports,oruserswhoseresponsibilityitistoaddproducts/categories,andthoseusersshouldnothaveaccesstoanyotheradministrationsystemfunctions.NOTE:ForPCI-DSSandPA-DSScompliance,onlypersonsrequiringaccesstopaymentdetailsshouldbeallowedtoseethem.Thiscanbeachievedbycreatingspecificprofiles,andthenassigningthoseprofilestousers.YoucanaccesstheAdminProfilesmanagementpageusingtheAdminAccessManagement→AdminProfilesmenuentry.


Toaddanewprofile,clickonthe'addprofile'button.Youwillthengetascreensimilartothefollowing,whereyoucanenteranamefortheprofile,andselectwhichadministrationsystemfunctionsthatprofilehasaccessto.

TheEditbuttonwillbringupasimilarscreen,howeverinthiscaseyouwillbeabletochangethecurrentfunctionalitygrantedtoallusersassociatedwiththatprofile.

8.6 Admin Activity Logs TheAdminActivityLogstoresimportantinformationwhichmightexposemaliciousactivitybeingconductedbyadminusers(whetherknownorunknown)inthebackendofyourstore.Thesystemlogsthisdata:

• Thedateandtimeoftheaccess• Theadminidoftheusermakingtheaccess(useridentification)• Thepageintheadministrationsystemthatisbeingaccessed(whichinferstypeofevent)• Theparametersrelatedtothepagebeingaccessed(whichinfersidentificationofaffected

dataandostensiblythesuccessorfailureoftheattemptedaction)


• TheIPaddress(origination)oftheadminuserperformingtheevent• Any“suspect”activitythatshouldbereviewed,suchasmaliciousPOSTdata• Changesmadetopayment/shippingmodulesandadminusers

Therearenobuilt-insettingstoalterthisfunctionality.Itisinstalledandenabledbydefault.Tamperingwiththisloggingfunctionalityordisablingthelogsorchangingtheloggingcodewillresultinnon-compliancewithPCIDSS.Theactivitylogisheldinthedatabase,andovertimecanbecomeverylarge.Youcanmanageyouractivitylogvia:AdminAccessManagement→AdminActivitylogsItisimportanttoreviewtheselogsregularly,evendaily,tomonitorformaliciousactivityandrespondaccordingly.Thefollowingsectionsdiscussthereviewandmanagementoftheselogs.

8.6.1 Daily Log Review – Important Things To Monitor

PA-DSSPleaseNote:ItisarequirementofPA-DSSthatyoureviewtheselogsregularlytodetectunauthorizedactivityandtakecorrectiveactiontodealwithanyanomaliesdiscoveredtherein.Regularreviewoftheselogswillhelpyouavertproblemscausedbypeoplewhohavegainedunauthorizedaccesstoyouradminbackend,whetherthatbeahacker,intruder,orevenadisgruntledemployee.The“logmessage”columnexplainswhatsituationoccurred.Sometimesthisissimplyinformational,butsometimesitwilltellyousomethingmoresignificant,suchas“Failedloginattemptforbaduser123”,or“Account[poor_speller]lockedoutduetotoomanyinvalidsignonattempts”,or“Paymentmodule[authorizenet]removedby{gooduser2}”.Inaddition,the“flagged”itemsshownintheReviewscreenareitemswhichwarrantsomeattention.Ifalogentryisflagged,thatmeansthatsomepotentially-harmfulcontenthasbeenenteredintotheadminpagewhichwasinuseatthetimeofthatlogentry.Commonly-flaggeditemsinclude<script>tagswheresomeonecouldinjectmaliciousjavascripttotriggerorcreateXSSorCSRFrisksonyourstore'sadminorstorefront.Ifyoufindanentrythat'sbeenflagged,youshouldinspectthedatathatwassubmitted(ie:seethe“postdata”column)tobesureitwasintentional.Ifitwasnotintentionalorauthorized,youshouldtakecorrectiveactiontoremovethemaliciousorunwantedcontent,andalsotakecorrectiveactiontodealwithwhomeverwasloggedinandsubmittedthecontentinthefirstplace.Followyourowninternalpoliciesfordealingwithsuchbreaches.Additionally,aseveritylevelisindicatedforeachentry.Theselevelshaveasimilarratingasestablishedbythesyslogstandardasmaintainedinthecomputer/technologyindustry.Thelevelswhichapplytoyourstoreare:

• WARNING–criticaleventswhichshouldberevieweddaily,asthesedenoteremovalofimportantsettingsoradministrativeuserprivileges,orotherseriousevents.


• NOTICE–importanteventswhichshouldbemonitoredregularly(atleastweekly)toreviewwhetheradisgruntledemployeeorawebsiteintruderhasattemptedtoinsertmaliciouscontentintoyoursiteproductdescriptions,orinstallnewmodules,etc.

• INFO–generallistofallactivity(everyclick)donebyanyadministrativeuser.Usefulforpost-mortemassessmentofaproblemifoneweretooccur.

ThefollowingsectiontalksbrieflyabouthowtheAdminActivityLogviewerscreenworks.

8.6.2 Review or Export Logs Withinthissectionyoucanchoosetoexportorreviewtheadminactivitylogs.Animageofthescreenisshownonthefollowingpage.Firstselectwhichdatayouwanttoprocess,accordingtoseveritylevel,usingthepulldownmenuprovided.SelectthedesiredExportformat:-Toseethedataon-screen,simplyleavethesettingsetto“ExportasHTML”.NOTE:Thismayonlyshowthelatest50entries.Forafulldetailedreportoftheentirelog,usetheCSVoptionbelow:-Ifyouwanttoexport/savethelogsthenthispulldownmustbesetto'ExporttoCSV'IfyouaresavingtoaCSVfile,youcanchoosetoeitherdownloadtheexportedfiletoyourlocalcomputerimmediatelyorsavethefiletoyourwebserverandviewitviaFTPatalaterdate.Ineithercaseyoucanalsochoosethenameofthefileproduced.Tosaveittoyourwebserver,tickthecheckboxmarked'SaveFileonserver'.NOTE:Forthistoworkyoumustmakesurethewebserverisconfiguredsothatthefolderspecifiedby“Destination”iswritablebythewebserver(formostlinuxserversthiswouldbeforthewww-datauser).Youcanseeasampleofthescreeninthefigurebelow:


8.6.3

8.6.4 Purge Log History action

PA-DSSPleaseNote:ItisarequirementofPA-DSSthattheselogsarekeptforaminimumof12months.Whileweprovidemethodstosafelybackuptheselogs,andtoremovethem,storemanagersareultimatelyresponsibleforensuringthattheycanreproducetheselogsintheeventofaPCIaudit.


Clickingontheresetbuttoninthe“PurgeLogHistory”sectionofthescreenwilltakeyoutoanewpagewiththefollowinginstructions:

Pleaseensurethatyouread,understand,andheedthewarningtextbeforepurgingtheactivitylog!Attheveryleast,savetheloghistorybeforeexporting!

8.6.5 PA-DSS Logging – Technical Details

PA-DSSstandardsrequirethatwestatewhatinformationislogged.Sotoclarifythebulletedlistfromsection8.5.0earlier,thefollowingislogged:•Individualaccesstocardholderdata(givencurrentversionsofZenCartneverstoresuchdata,thereisnothingtologforthisparticularitem)•Actionstakenbyanyindividualwithadministrativeprivileges•Accesstoapplicationaudittrailsmanagedbyorwithintheapplication•Initializationofapplicationauditlogs•Invalidlogicalaccessattempts(failedlogins,showstheusernameattemptedduringthefailure)•Useofthepaymentapplication'sidentificationandauthenticationmechanisms•Creationanddeletionofsystem-levelobjectswithinorbytheapplication•Useridentification•Typeofevent•Dateandtimestamp•Successorfailureindication•Originationofevent•Affecteddata,systemcomponent,orresource

8.6.6 Centralized Logging Loggingcanbeextendedbyincorporatingpluginstoallowadditionalexternalcentralizedloggingservicestobeincorporated.Followingisanexampleplugin,consistingoftwoPHPfiles,namedwiththeexpectationofusingthegraylogloggingservice.ActualgraylogAPIcodinglogicandsecuritycredentialsmustbeaddedtomakeitfunctional.a)/admin-foldername/includes/auto_loaders/config.admin.graylog.php


<?php $autoLoadConfig[1][] = array('autoType'=>'class', 'loadFile'=>'class.admin.graylog.php', 'classPath'=>DIR_WS_CLASSES); $autoLoadConfig[40][] = array('autoType'=>'classInstantiate', 'className'=>'graylogObserver', 'objectName'=>'graylogObserver');

b)/admin-foldername/includes/classes/class.admin.graylog.php<?php /** * @package plugins * @copyright Copyright 2003-2013 Zen Cart Development Team * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0 * * Designed for v1.5.2 * * initially designed with expectation that this file is placed into /admin/includes/classes/ folder, * and corresponding config.admin.graylog.php file into admin/includes/auto_loaders folder * */ class graylogObserver extends base { function __construct() { global $zco_notifier; $zco_notifier->attach($this, array('NOTIFY_ADMIN_ACTIVITY_LOG_ADD_RECORD')); } function updateNotifyAdminActivityLogAddRecord(&$class, $eventID, $paramsArray = array()) { // insert relevant calls to graylog API here, passing the data from $paramsArray as arguments } }


9. Code Customization, Addons, and Plugins TheZenCart®communityhasavastassortmentofavailableaddons/pluginscontributedbythird-parties,mostoftenotherstoreowners,whohavewrittencustomizedcodetoextendthecapabilityofZenCart®todoadditionalthingsbeyondthecoreframeworkthatisZenCart®itself.Manyhavesimplyputtogetherthecustomizationstheymadefortheirstoreandsharedthembackasasignificantwayofparticipatingandexpandingtheever-growingcommunitythathasgrownuparoundtheZenCart®product.Youcanfindaddonstosuitalmostanyspecialneedyoumighthave.Andifyoucan'tfindsomethingexactlysuitingyourneeds,youcaneithercustomizethecodeyourselforperhapshiresomeonetodothecustomizationforyou.Youareinvitedtoshareyourcustomizationsbacktothecommunityforotherswhofollowalongafteryoutofreelyenjoyusingontheirownstores,justasyouhavebenefittedfromsimilaractionsbyothers.Ifyoudon'thavetheskillstocustomizeprogrammingPHPcodeyourselfandwishtohiresomeone,there'savasthelp-wantedcommunityavailableaswell.Youcanaccesssomehelp-wantedresourcesbyfollowingthislink:http://www.zen-cart.com/helpwanted

PA-DSSNOTE:TheZenCart®PA-DSScertificationappliesonlytotheofficialreleasedcodeprovidedbyZenVentures,LLCAnycustomizationsyou,ora3rd-party,maketothecode,whetherbyalteringadmin-providedconfigurationswitches,addingaddons/plugins,makingcodecustomizations,etcmayrenderthePA-DSScertificationvoidforyoursite.Itisuptoyoutoensurethatalladdons,plugins,customizations,andchangedswitchsettings,arePCIcompliantaccordingtothePCISecurityStandards.Ifyouhavespecificquestionsaboutwhetherachangeyou'vemadetoyoursiteisPCI-Compliant,contactyourPCIScanningvendorforassistanceandguidanceandappropriateauditing.


10. Engaging 3rd-Party Consultants or Programmers Asmentionedintheprevioussection,ifyoudon'thavetheskillstocustomizeprogrammingPHPcodeyourselfandwishtohiresomeone,there'savasthelp-wantedcommunityavailableaswell.Youcanaccesssomehelp-wantedresourcesbyfollowingthislink:http://www.zen-cart.com/helpwanted

PA-DSSNote:ItisarequirementofPA-DSSthat3rd-partiesareonlygrantedaccesstospecificcomponentstrulyrequiredtocompletetheworkrequested,andthattheyusethataccessinasecuremanner,andthattheydestroyallcopiesofallinformationobtainedoncesaidaccessisnolongerrequired.WerecommendthatyouonlyengagepersonswhodemonstrateanunderstandingofPCIDSSandwillagreeinwritingthattheworktheyperformforyouwillbecompliantwithPCIDSSrequirements.TomaintainPCIDSScompliance,anycodingchangesmadetoauthenticationorcreditcardorsecurityconfigurationsneedstobeproperlyverifiedasbeingatleastasrigorousasPCIDSSrequirements.Some“bestpractices”youshouldconsiderwhenengagingaconsultantarefoundinfollowingsections.

10.1 Webstore “Admin”/Backend access Ifyouneedtogivesomeoneaccesstoyourstore'sadminpanel,createadedicateduniqueadminuseraccount+pwdforthatperson(don'tletthemuseagenericusernamesuchastheircompanyname),andgrantthemaccesstoONLYthefeaturestheywillneedtocompletethetasksassignedtothem,andremovethataccountwhentheyarefinished.Seesection8fordetails.Ifyouradminuses2-FactorAuthentication(seesection10.5)thenALLpersonshavingaccessmustuseit.PCI-DSSrequiresthatanyoneaccessingtheAdminimplementanduseremoteaccesssecurityfeatures.AndshouldneverusethesameID+passwordonmorethanonesite;alwaysunique.

10.2 FTP Access

• FTPandSFTPAccounts(NOTE:PCI-DSSrequirestheuseofSecureFTP,notplainunencryptedFTP)Ifyouengagesomeonetodoworkonyourwebsitethatrequiresthemtohavedirectaccesstothefilesonyourwebserver,thatwillmostlikelyrequirethattheyhaveFTPaccess.YoushouldNEVERgivethemyourmasterFTPpassword.YoushouldALWAYScreateanewuser+passwordforthemusingyourhostingcompany'scontrolpanel.Ifpossible,youshouldrestricttheiraccesstoonlytheirIPaddress,soitcan'tbeabused.YoushouldALWAYSdeletetheirFTPuserassoonastheirworkiscompleted.Itisdangeroustoleaveunmonitoredaccountsactiveinthehandsofpersonsnotinyourdirectsupervisionandemployment.Similarwisdomshouldbeappliedtoemployeesaswell.

• SecureAccess–UseSFTP,notFTP


EVERYONE(includingyou!)accessingyourwebservershouldbeusingSFTPtoconnect.IftheyuseregularunencryptedFTPmode,thenyourcustomerdataandwebsitesecuritycouldbecompromised.Seesections2and4ofthisguideformoreinformationaboutSFTP.PCI-DSSandPA-DSSrequiretheuseofSecureFTP,notunencryptedFTP.

10.3 Webhosting Account's Control Panel access Itisunusualfora3rd-partytoneedaccesstoyourentirehostingaccount'scontrolpanel.Ifyoumustgivethemaccess,youmustchangethepasswordtoyourhostingaccountwhentheyarefinished.

10.4 Secure use of customer database and website files Ifyou,orathirdparty,needtomakeoruseacopyofyourstore'sdatabase,eithertoprepareastaging/testingarea,ortodebugaproblem,itisveryimportantthatthenamesofeveryonewhohasaccesstothisdataarerecorded,thattheynotsharethedatawithanyoneelse,andthatthedataissecurelydeletedwhennolongerneeded.SecureErasureisbesthandledbyasoftwaretoolthatwillsecurelyobliteratethedatafilesonyourPCandanyplacewhereyou'vestoredit.Toolsforthiscanbefoundbynumerousonlinevendors.Agreementtohandledatainthiswayshouldformanintegralpartofyourcontractwithwhomeverisgrantedaccesstothisinformation.

10.5 Two-Factor Authentication Two-FactorAuthenticationistheuseofathird-partyauthorizationmechanismtoverifyyouridentitywhenloggingin.Thisiscommonlyimplementedviatheneedtoentermorethanjustausernameandpassword,specificallynotjustsomethingyou“know”,butalsosomethingyou“have”.Seethiswikipediaarticleformoreexplanation:Two_factor_authenticationZenCart®allowsfortheuseof(butdoesn'tdirectlyimplementanyspecific)two-factorauthenticationasameanstofurtherenhancethesecurityofaccessingyoursystem.Ifyouhaveengagedtheuseofathird-partytwo-factorauthenticationservice,youcanintegrateitwithZenCart®inoneoftwoways:

a) Followtheinstructionsofyourtwo-factorauthenticationsolutionforaddingtherequireddirectivestoyour/renamed-admin/.htaccessfile.ThiswillrequirethetokenauthenticationtotakeplacebeforebeingallowedtoenteryourZenCart®adminusernameandpassword.

b) AddacustomPHPscripttohookintoyourtwo-factorauthenticationsolutionbydefiningaconstantnamedZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICEwithavaluematchingthenameofthePHPfunctionwhichwilltriggerit.ZenCart®willfirstauthenticateyouusingyourZenCart®adminusernameandpassword,andthenpassyouontoyourtwo-factorauthenticationsolutionforsubsequenttokenvalidation.(ItwillpassanarraycontainingtheZCadminuserIDnumber,username,andemailaddress,whichthetwo-factorauthenticationsystemmayoptionallyuse.AbooleanTRUEresponseisexpectedifloginisapproved.Anythingelsewilltriggerafailure.)


Thecustomcodeforthecustomfunctionwhichtriggersyourtwo-factorauthenticationsolutionshouldbeplacedinthe/renamed-admin/includes/functions/extra_functions/folder.TheconstantmentionedaboveshouldbedefinedinaseparatePHPfilelocatedinyour/renamed-admin/includes/extra_datafiles/folder.Anyadditionalclasseswhichyourcustomfunctionsneedtoinstantiateshouldbeplacedinyour/renamed-admin/includes/classes/vendors/folder.Thisfoldermayneedtobecreatedfirst.

IfyourequireTwo-FactorAuthenticationforotherremoteaccessactivitiessuchasVPNorFTP,youwillneedtoconfigurethoserespectiveapplications/utilitiestouseitasperthedocumentationprovidedbythoseutilities,muchlikeyouwouldconfigureyourFTPprogramtoknowwhichserver,username,password,etctouseforaccessingyourwebserver.NOTE:ThePCI3specificationrequiresthatalladminloginsmustusetwo-factorauthentication.


11. Removing Old Non-PCI-Compliant Data Ifyourstorehasusedanypaymentmodulesthathavestoredfullcreditcarddataorcvvnumbers,youmustdeleteallsuchhistoricaldatafromyourdatabaseandyourbackups.

PCICompliance:YoumustNOTbeusinganypaymentmodulethatstorescompletecreditcardnumbersorcvvnumbersinyourdatabase,noronewhichemailscompletecreditcardnumbersorcvvnumberstothestoreowneroranyoneelse.ZenCarthasNOTstoredcreditcardnumberssincev1.3.9a,releasedin2010.However,ifyouaddedpluginstoaddthatfunctionality,orifyouhadusedapriorversion,youwillneedtotakestepstoclearoutanycreditcarddatawhichyouhadstoredinyourstore.YOUMUSTDOTHISforPCIcompliance.

11.1 Removing Old Credit Card Data From Database Records Whenviewinganorderinyourstore'sAdmin->Customers->Orders->Editscreen,ifafullcardnumberorcvvnumberisfound,a“Delete”linkwillshow,andclickingwillreplacethatdatawithblanks.Toperformthecleanupdatabase-wideusingphpMyAdmin,youmayrunthefollowingSQLquery:

update zen_orders set cc_number = NULL, cc_cvv = NULL where cc_number != ''; optimize table zen_orders;

(Youmayneedtoremoveorsubstitutethe“zen_”prefixonthosetwotablenamesforthequerytoworkonyoursite.ChecktheDB_PREFIXsettinginyourconfigure.phpfiletodeterminewhatprefixyouneedtouse.IfDB_PREFIXisblank,thenremove“zen_”intheexamplesabove.)

Afteryou'vedonethis,youneedtoalsosecurelydeletethephysicaldatafromtheserver.Seebelow.

11.2 Suggested Procedure For Secure Erasure of Old CHD data IfyourstorehasusedanymethodsofstoringfullcreditcardnumbersorCVVnumbers,thePCIDSSrequiresthatyoutakespecificmeasurestosecurelydeletealldatathatcouldbeusedtoreconstructhistoricaldatabaserecordsorlogscontainingcreditcard/cvvdetails.Thefollowingstepsoutlineanapproachonecoulduseforpurgingthatdatasecurely.Thesestepsrequirethatyouhaveadministratorsysadminaccesstoyourserver.Thusitmaybenecessarytoengageyourhostingcompany'sserveradministratortocompleteseveralofthesesteps.

a) Usethedeletionmethodsmentionedinsection11.1abovetoremovethecreditcard/cvvdatafromthedatabasetablerecords.

b) TakethestoreDownForMaintenancec) MakeacompleteMySQLbackupofyourstore'sdatabasetables.Thiswillbeusedtorestorethedata

afterthedeletion.Testyourbackuptoensurethatitisreliable,andmakeextracopiesforsafety.

d) UsingyourMySQLconsole,orhostingcontrolpaneltools,deleteyourstore'sdatabaseanddbuser.

e) SERVERADMIN:ShutdownMySQLf) SERVERADMIN:Useanindustry-acceptedPCICompliantsecure-deletiontool(suchassfillwhich

comesbuilt-intomoststandardLinuxdistributionsorcanbefoundintheTHC:SecureDeleteToolkit)to


deleteallsensitivedatausinganerasuresettingstrongenoughtopreventforensicrecovery.Deleteallsensitivedataincludingatleast:

i. Thephysicalfilesontheserverwhichstoredyourstore'sMySQLdatabaseandMySQLlogfiles

ii. Freediskspace(“slack”space).Removealltracesofthedatafromthefreespace(“deletedfiles”).

iii. Allbackupcopiesofthedatabasetablesstoredonanymedia,includingremoteorphysicalserverharddiskbackupimages,backups(exports/dumps)youhadstoredonyourPCorCDs/DVDsorthumbdrives.

iv. AlldebuglogfilesassociatedwithanypaymentmodulesthatrecordedCC/CVVnumbersinflatfiles.

g) SERVERADMIN:StartupMySQL

h) Recreateyourstore'sMySQLdatabase,username,password,andimportyourdatabasefromthebackupyoumadeinstep(c)earlier.Testyourstorefornormaloperation.


12. Network Diagram

Notes:

• Insomehostingconfigurations,theWebServerandDatabaseServermayresideonthesamephysicalserver.

• ItisrecommendedthatnowirelessbasedsystemsshouldbeconnectedtotheWeb/DatabaseServerenvironment.Wheresuchwirelessequipmentisconnectedthentheapplicationuserortheirhostingprovidershould:

• Installperimeterfirewallsbetweenanywirelessnetworksandsystemsthatstore,process,ortransmitcardholderdataandthatPerimeterfirewallsmustdenyorcontrolalltrafficfromthewirelessenvironmentintothecardholderdataenvironment.

• Changedefaultencryptionkeys

• ChangedefaultSNMPcommunitystrings

• Changedefaultpasswordsforaccesspoints

• Updatefirmwaretosupportstrongencryptionforauthenticationanddatatransmission

• Enablestrongencryption(WPA2orsimilar)

• Changeotherdefaultvaluesasapplicable

• Useindustrybestpracticestoimplementstrongencryptionforauthenticationandtransmission


13. Dataflow Diagram


14. Notes about PA-DSS Compliance

14.1 Cardholder Data a.StorageOut-of-the-box,ZenCart®doesnotstorecardholderdata,andiscrippledfrombeingabletostoreentirecardnumbers(PAN)byvirtueofdatabasefieldlengthsbeingtooshorttostoreacompletecardnumber.Thus,ZenCart®doesnotdisplaythecompletePAN;ifanypartialPANinformationisknown(wouldnotbeknownifpaymentwashosted/processedexternally)onlythefirst4-6andlast4digitsareshown,andvisibleontheAdminindividual“order”pageandduringcheckoutduringpayment-confirmation.Thesesettingsarenotconfigurable.TomaintainPCIDSScompliance,anycodingchangesmadetohandlingorstorageofcardholderdatawouldneedtobeverifiedasprovidinghandlingorstoragemethodsthatareatleastasrigorousasPCIDSSrequirements.b.SMSorMessagingSystemsWhileZenCart®doesnotgiveyouanycompletecardholderdatatocopy/paste,weremindyouthatitisunwiseandunsafetopasscreditcarddataviaanymessagingtechnologies.Justdon'tdoit.c.SessionsFurther,ZenCart®doesnotstorecardholderdatainsessions.Asastatelessapplication,ZenCart®doesnotretainanyofthesubmittedcardholderinformationbetweenclicksonthepages.Forexample,ifacustomerusesamodulewhichcollectspaymentdirectlyonaZenCart®site,theprovidedcreditcarddata(ie:thecardnumberandCVVandexpirydate)arebrieflystoredinmemoryvariables.Afteritfinishesprocessingwhateverstepsthatpageexecutes,whetherthat'sforauthorizationoranythingelse,thosevariablesareremovedfrommemory(internalmemorypointersaredestroyedfortheobjectsandvariableswhichhavegoneoutofscopebyvirtueofcodecompletion)bythegarbage-collectionproceduresinternaltoPHP.

14.2 Cryptographic Keys and Key Management Cryptographickeysarenotrequiredbecausecardholderdataisnotstored.Seeexplanationabove.ZenCart®hasneverusedorimplementedcryptographickeysaspartofthecorecodeout-of-the-box.Thustherearenorequirementstomanagesecuredeletionorretirementofhistoricalcryptographickeys.Ifyouhaveeveraddedaplugin/moduletoaddcryptographickeys,itisyourresponsibilitytosecurelyprotectandretireandotherwisemanagethosekeysinaccordancewithPCIDSSrequirements,anddemonstratesuchaspartofyourownself-assessmentorcertificationprocess.


14.3 Protocols, Services, Dependent Software and Hardware TheservicesandprotocolsandsoftwarecomponentsusedbyZenCart®arelistedbelow.FORDETAILSofspecificversionrequirementsofeach,seesections2.3,2.4.Toinstallandconfigureanyofthem,seetherelevantdocumentationprovidedbytheirownauthors.

• APACHEandPHPZenCart®isaPHPapplicationwhichrespondstorequestsdirectedtoPHPviaawebserverservicerunningonyourserver.Alternatewebserverenginescouldbeusedbutareoutofscope.

• MySQLZenCart®followsyourconfigurationinstructionstocontactandconnecttotheMySQLservicerunningontheserveryouspecifyinyourconfiguration,usingthemysqliAPIinPHP.IfyouchoosetohostyourMySQLdatabaseonaseparateserver,youwillneedtoopenport3306inyourservers'firewalls(orwhateveralternateportyoumightreconfigureMySQLtouseviamy.cnfconfigurationfilesettings)toallowthedatabasecommunication.HostingyourdatabaseonaseparateserverisnotnecessarytorunZenCart,nortobePCICompliant.

• HTTPandHTTPSHTTPandHTTPSareusedtocommunicatebetweencustomerbrowsersandthewebserver,andfromthewebservertoany3rd-partyservices.

• CURLandfsockopenSomeexternalcommunicationto3rdpartyservicesisconductedviaPHPlibcurl(cURL)orthePHPfsockopen()client.

• TLS/SSLInthebrowser,HTTPSisusedwhereneededtoprotectsensitivedataifthestoreownerhasconfiguredZenCart®touseit.InthebackgroundTLSisused(versionautonegotiatedviaCURL)toprotectsensitivedatawhentransmittedtoconfiguredexternalservices,providedthehostingwebserveroffersit.AssuchOpenSSLisneededforsuchexternalcommunications.

• RESTAPIsZenCart®v1.xdoesnotcurrentlyserveaRESTAPI,butdoescommunicatewith3rd-partyAPIs,whethertheybeRESTorSOAP,etc.

• HardwareZenCart®hasnospecifichardwarerequirementsuniquetotheservicesitprovides.Itcanrunonvirtuallyanyserverwhichcanruntheaboverequiredsoftware.

14.4 Settings sensitive to PCI compliance IfyouwantyoursitetobePCICompliant,youmustleavethefollowingfeaturessettotheirdefaults:


-Admin->Configuration->MyStore->PA-DSSAdminSessionTimeoutEnforced?–ShouldbeON(1)-Admin->Configuration->MyStore->PA-DSSStrongPasswordRulesEnforced?–ShouldbeON(1)-Admin->Configuration->Logging->LogDatabaseQueries–Shouldbeoff(false)


15. Additional Requirements for PA-DSS Compliance

15.1 Consequences of altering the system to store cardholder data Out-of-the-box,ZenCart®doesnotstoreanycardholderdata,andiscrippledfrombeingabletostoreentirecardnumbersbyvirtueofdatabasefieldlengthsbeingtooshorttostoreacompletecardnumber.Thatsaid,ifyouoranyonewithaccesstoyoursitechangesthedatabaseeitherbydirectlyeditingitorbyinstallingapluginwhichaltersittostorecardholderdata,youareinvalidatingthePA-DSScomplianceandallsuchchangeswouldneedtobeverifiedasimplementingcompliantproceduresthatareatleastasrigorousasPCIDSSrequirements..YouwillneedtoensurethatyouralterationscomplywiththePADSSspecifications,includingbutnotlimitedtothefollowing:a) Whencollectingmagneticstripedata,cardvalidationcodes,PINs,and/orPINblocksfor

troubleshootingpurposesbesurethatyou:•Collectthesedataonlywhenneededtosolveaspecificproblem•Storethesedataonlyinspecific,knownlocationswithlimitedaccess•Collectaslittleofthesedataasnecessarytosolvethespecificproblem•Encryptthesedatawhenstored•Securelydeletethesedataimmediatelyafteruse

b) Ifyouaddtheabilitytostorecardholderdata,thenitisyourresponsibilitytoensurethat

exceedingtheacceptableretentionperiodmustbesecurelydeleted,anditisyourresponsibilitytodemonstratethatyouhavestudiedandproventhatyouhavesecurelydeletedthedataincompliancewithPCIandPA-DSSrequirements.Youractivitiessurroundingsecuredeletionextendbeyondthescopeofthisdocumentandmustincludeallsubsystemsanddependencieswhichyouinvokewhenaddingtheabilitytostoresuchdata

c) YoumustnotalterthesoftwaretostorecardholderdataonInternet-accessiblesystems(ie:webserversanddatabaseserversmustnotbeonthesameserver,andthestorageservermustnotbeconnectedtotheinternet)

d) Ifyoualtertheapplicationtoallowand/orfacilitatethesendingofprimaryaccountnumbers

byend-usermessagingtechnologies,youmustrenderthePANunreadableand/orimplementstrongcryptography

e) Ifyouaddfunctionalitywhichmanagesencryptionkeys,forPCIcomplianceyoumustfurther

demonstratethatyou:• restrictaccesstokeystothefewestnumberofcustodiansnecessary• storekeyssecurelyinthefewestpossiblelocationsandforms• implementstep-by-stepprocedurestogenerate,distribute,protect,change,store,and

retire/replaceencryptionkeyswherecustomersorresellers/integratorsareinvolvedinthesekeymanagementactivities

• provideasampleKeyCustodianformforkeycustodianstoacknowledgethattheyunderstandandaccepttheirkey-custodianresponsibilities

• ensurethatcryptographickeymaterialand/orcryptogramsfrompriorversionsofthe


applicationmustberenderedirretrievable.SuchirretrievabilityisabsolutelynecessaryforPCIDSScompliance

• providestep-by-stepprocedurestore-encrypthistoricdatawithnewcryptographicmethodsand/orkeys

15.2 Default Accounts PCIcompliancerequiresthatyourserver'sdefaultaccounts(includingbutnotlimitedto:themysql“root”user,yourserver's“root”or“Administrator”,etc)needtohavesecureauthenticationcontrols(securecomplexpasswords),eveniftheaccountisnotused.Foreachofthe“default”accounts,setasecurepassword.Thenideallythoseaccountsshouldbedisabledornotused(ie:don'tlogintoyourserverusing“root”;instead,disable“root”accessandcreateanotheruserwithrootprivilegesandaverysecurecomplexpassword,andusethatuserforallserverlogin).MySQLForexample,yourMySQLdatabasemustnotuse“root”withoutasecurepassword.Inpracticethisdefaultaccountshouldnotbeusedatall.ForinstructionsonLinux,seetheAppendiceslaterinthisdocument,andforotherserverconfigurations,seetheMySQLdocumentationonline.ZenCartThereareno“default”accountsinZenCart.YoucreateyourownuniqueAdministratorLoginwhenrunningthezc_installsetupscript.However,ifyouchoosetoinstalldemodataanddonotcompletethefinalstageofzc_installtocreateanadminuser,thenthereWILLbeadefaultusernamed“Admin”withapasswordof“admin”.YOUMUSTCHANGEthatpasswordforPCIcompliance.Todothis,logintoyourAdminpanel,usingthat“Admin”userwithpassword“admin”,andclickthe“Account”linkinthetoprightcorner(nexttotheLogofflink)andclickthe“ResetPwd”button.Fillinthenewpasswordwithastrongsecurepassword(min7characters,withatleastonecapitalandonedigit)andclickUpdatetosavethenewpassword.Ifyoudon'tdothis,awarningmessagewillappearinyouradminconsoleuntilyoudo.OperatingSystemEveryoperatingsystemisdifferent.ForaLinuxserver,the“root”userexistsbydefault.Whoevermanagestheservermustbesuretosetanduseastrongpasswordforthisaccount.Orbetteryet,theyreallyshoulddisablerootloginaltogetherandusesecureSSHkeysand/ortwo-factorauthenticationtools.Securinganoperatingsystemisamuchlargertopicthanthisdocument.Consultthedocumentationforyouroperatingsystemforinstructionsonestablishingstrongsecurepasswordcontrolsforyourspecificsystem.OthersZenCarthasnootherspecificsystemdependencieswhichrequirepasswords.Butifyourservermakesuseofanyadditionalsoftwaretoolsforwhichapasswordiscreated,youmustALWAYSchangethosedefaultpasswordstousestrongsecurepasswords.Ifyoudon'tdothis,thenyou'releavingopenholesthathackerscouldpotentiallyuseasmaliciousattackvectorstodamageyourserverorstealconfidentialdata.


15.3 Strong Authentication Controls ReiteratingthenoteinSection5.1:itisrequiredthatyouusestrongpasswordsforaccountsondependentsubsystemssuchasMySQLusedtostoredatafortheapplication.Thatis:youmustcreateaMySQLuser(otherthan“root”oranyotherdefaultvalue)andassignastrongpasswordtothatuser,andthensupplythatusernameandpasswordtoZenCarttouse.And“root”shouldneverbeused–Seesections5.1and15.2.Inadditiontostrongpasswords,itisrecommendedthatyouinvoketwo-factorauthenticationforaccesstoyourZenCartAdminandtoyourserver'sconsole.

15.4 Secure Access a)FirewallIncaseitisnotself-evident,youshouldalwaysbeusingasecurelyconfiguredfirewallorpersonalfirewallproductonbothyourwebserverandanypersonalcomputerwithwhichyouaccessyourwebsite.b)Adminaccess(onecomponentof“non-consoleaccess”)Additionally,tofurtherreiteratepointsmadeinSections2.1,2.4and5.1,allnon-consoleaccess(thatis,anyaccesstoyourstore'sdataoradmintoolsotherthanfromthephysicalterminalscreenconnectedtothewebserveratthehostingcompany…sothatmeansALLaccessbyyou)totheAdminsectionmustbedoneoverHTTPSc)FTP,SFTP,RemoteAccess(anothercomponentof“non-consoleaccess”)Similartotheabovepoint,allremoteaccess(FTP,SFTP,allconnectionstothewebserverforalteringoraccessingthefileswhichrunyourstore)mustbedoneviasecurechannelssuchasSFTPorFTP-with-Implicit-TLS.


16. Appendices

16.1 MySQL Root Password Reset Asexplainedpreviously,forPCICompliance,youmustNOTallowMySQLtousethedefault(blank)passwordforthe“root”account.Tochangethe“root”password,followtheseinstructions:FromtheMySQLdocumentation:C.5.4.1. How to Reset the MySQL Root Password

If you have never set a root password for MySQL, the server does not require a password at all for connecting as root. However, this is insecure. For instructions on assigning passwords, see Section 2.10.2, “Securing the Initial MySQL Accounts”.If you know the root password, but want to change it, see Section 13.7.1.6, “SET PASSWORD Syntax”.If you set a root password previously, but have forgotten it, you can set a new password.C.5.4.1.3. Res et t ing the Root Pas sword: Gener ic Ins truct ions

The preceding sections provide password-resetting instructions for Windows and Unix systems. Alternatively, on any platform, you can set the new password using the mysql client (but this approach is less secure):1. Stop mysqld and restart it with the --skip-grant-tables option. This enables anyone to connect without a password and with all privileges. Because this is insecure, you might want to use --skip-grant-tables in conjunction with --skip-networking to prevent remote clients from connecting.2. Connect to the mysqld server with this command:shell> mysql 3. Issue the following statements in the mysql client. Replace the password with the password that you want to use.mysql> UPDATE mysql.user SET Password=PASSWORD('MyNewPass') -> WHERE User='root'; mysql> FLUSH PRIVILEGES; The FLUSH statement tells the server to reload the grant tables into memory so that it notices the password change.

You should now be able to connect to the MySQL server as root using the new password. Stop the server, then restart it normally (without the --skip-grant-tables and --skip-networking options).

Copyright © 1997, 2014, Oracle and/or its affiliates. All rights reserved.

16.2 Password Security in Zen Cart® Passwordsforbothcustomersandadministratorsareanimportantsubject.ZenCart®doesnotstoreunencryptedpasswords,andassuchcanneverrevealauser'spasswordtothatuserortoathirdparty.Passwordsareone-wayencryptedbygeneratinga128-bitsaltedbcrypt(blowfish)hashwherebcryptisavailable,oralternativelywithaSHA256hashusingasaltofequallength.PriorversionsofZenCart®implementasaltedMD5hashinaone-wayencryptionalgorithm.Oldpasswordsareautomaticallyupdatedtothenewencryptionmethodforgreatersecurity.ItisadvisabletousethelatestsupportedversionofPHPformaximumsecurity.TomaintainPCIDSScompliance,anycodingchangesmadetoauthenticationorpasswordcodeorconfigurationswouldneedtobeverifiedasprovidingauthenticationmethodsthatareatleastasrigorousasPCIDSSrequirements.

16.3 Wireless (WiFi) Networks Ifyouareusingawirelessnetworktoaccessyouronlinestore,itMUSTbeconfiguredsecurely.

• Yourwirelessroutershoulduseindustry-standardbest-practicesforstrongencryptionandtransmission,suchasthepopularIEEE802.11.ispecification.(Mostroutersalreadydothis,butyoushouldverifyit.)


• Thewirelessnetworkneedsapassword.• DONOTUSEthedefaultpasswordwrittenonalabelonthesideoftherouter,norone

listedinthemanualasthedefaultororiginalwirelesspassword.• Thewirelessnetworkmustuseastrongsecurecomplexpassword.Notsomethingeasily

guessed,andsomethingatleast7characterslong,withatleastonedigitandpreferablysomeuppercaselettersandsymbols.

• DONOTUSE“WEP”securitymode.UseWPA2withTKIPmodeifpossible.(AESislesssecure.)

• Changethedefaultadministrative“user”(oftencalled“admin”or“cusadmin”or“root”)anduseastrongcomplexpassword,notthesameasthewirelesspasswordabove.Minimum7characters,withatleastonedigitandpreferablysomeuppercaselettersandsymbols.

• SNMPcommunityfeaturesshouldbedisabled.OrtheSNMPcommunitynamesshouldbechanged;don'tleavethenamessetatdefaults.

• Securetherouterinaplacewheredisgruntledemployeesorunauthorizedpersonswillnotbeabletogainaccesstothephysicaldevice.Nobodyshouldbeabletoaccessthedevice'sresetbuttonwithoutauthorization,elsetheymightbeabletocompromiseyoursecurity.

Anytimeyou“reset”yourwifirouter(ie:typicallydonebypressingthelittle“pinhole”button)youwillneedtodoallthepasswordconfigurationonitagain.Anytimeyouremployeeschange(anyonewithknowledgeoforaccesstothepasswordsleaves),youwillneedtodoallthepasswordconfigurationagain,usingnewpasswords.Thesearecommonwirelesssecuritysettingsandpracticesthatshouldbeimplementedtoensurethesecurityofyouronlinebusiness.TheyarenotspecifictoZenCart®butneverthelessshouldbeimplementedforyourownsecurity.


17. Implementation Guide Changelog Date Version Changesfrompreviousversion10thOct.201022ndApril201111thMay201117May201124August201120Sept201126Sept20119Nov20118Aug201320Aug201322Oct20133Dec201320Feb201414Mar201420Apr20144July20144July201413Aug201414Nov201430Apr201515Mar2016Nov2018

1.41.51.61.71.7d1.7f1.7g1.81.91.9.11.9.21.9.31.9.41.9.51.9.61.9.71.9.81.9.8.21.9.8.31.9.8.41.9.8.51.9.8.6

Minorgrammaticalfixesandaddedsection7Addedsectionsregardingadminusers/profilesandPA-DSSregulationsrelatedtopasswords(section8etal)AddedSFTPguidanceandexplanationofunzip,FTP/SFTPAddedsectionaboutengaging3rd-partyservicesvsFTPetcAddeddiscussionaboutremovinghistoricalPAN/CVVdataAddnewsectionsforNetworkanddataflowdiagramsandnotationtoindicatethatcreditcardgatewaymoduleswillnotfunctionifHTTPSisnotenabled.Addedsectionexplaininghowtointegrateatwo-factorauthenticationsystemifrequiredinthemerchant'senvironmentAddedsectionexplaininghowtosecurelyeraseoldCHDAddedlinktoinstructionsforenablingSSLforentireadminAddedexplanationthattheinitialadminpasswordisonlytemporaryandmustbechangedonfirstlogin.Updateadmin-renameinstructions,andforupgrading(5.2)Addsectiononreviewingadminactivitylogs(8.5.1).PA-DSSRemediation,plusupdatingtrademarksymbolsAddedsection2.1,expandedsection4,andclarificationto5.1(2)Improvementstoconsistency.Updated“upgrade”sectiontext.UpdatedforPA-DSSv2requirements,andtoaddnew/logs/folder,StampZCv1.5.2.UpdatestoclarifywordingrelevanttoPA-DSSv2.0requirementsUpdatestocomplywithadditionalwordingrequiredbyPCIrules.AddedacopyofthegenericMySQLroot-passwordresetinstructions.UpdatestocomplywithfuturePA-DSSv3.0requirementsVersionupdateforZCv1.5.3MiscupdatesrequestedduringPA-DSSreviewVersionupdateforv1.5.4;updatedsectiononactivityloggingRemindertomaketheserverlog-exportfolderwritableAddedremindertoalwaysdownloadnewversionsviaHTTPSUpdated“SSL”referencesto“SSLforHTTPS”forclarity.VersionupdateforZC1.5.5,includingupdatedzc_installscreenshotsVersionupdateforZC1.5.6

implementation guide - zen-cart.com · ©zen cart® development team implementation guide – rev...

Documents