Overview

At ProductCart we are committed to doing all we can to protect the privacy of your customers' information, as well as the security of your store. To this end, we have equipped ProductCart with features aimed at minimizing the chances of unauthorized access to any confidential information, as well as with features that ensure that sensitive information is properly managed when stored in the system database.
Here is a list of features and system behaviors related to the security of sensitive information.
- Password-protected administration - ProductCart's Control Panel is password protected. Only authorized users have access to your store's administration area. Please refer to the Security Recommendations listed in the previous section of this User Guide to minimize the chances of unauthorized access to the Control Panel.
- Password-protected customer account area - All passwords, credit card numbers, and the Authorize.Net login ID and transaction key are saved to the ProductCart database in an encrypted format. Data is encrypted using the ProductCart License Key, which is not stored in the store database. In ProductCart 4 and above the encryption key can be changed regularly to comply with PCI regulations (which call for the encryption key to be changed at least once a year).
- Second layer of protection on sensitive data - Account names and passwords for any payment gateway used by the store are no longer shown to the store administrator once they have been saved to the database. In other words, when modifying a payment gateway's settings in the Control Panel, the store administrator cannot view the user name (or login ID) and password (or transaction key) associated with that gateway.
- Storing of credit card information - Credit card information is not saved to the store database except when it is required for the proper functioning of the store. Regardless of whether or not credit card information is stored in the database, this information is never included in any e-mail correspondence (e.g. order notification and/or confirmation e-mails).
- Purging credit card information - ProductCart v2.6 and above allow merchants to remove credit card information that was stored in the system database in one of the three scenarios mentioned above. This feature allows the store administrator to delete sensitive information that is no longer needed (e.g. orders have been processed and cannot be returned).
- Validation of uploaded file types - All shopping cart pages that allow files to be uploaded to the system include code that validates against unsafe file types. This applies, for example, to a customer uploading a graphic associated with a previously saved order, the administrator uploading a product image or importing a product database, etc. Only file types considered harmless are allowed to be uploaded to the system.
- SQL injection prevention - ProductCart includes a number of features aimed at minimizing the chances of a SQL injection attack on stores using a SQL database. This includes effective form field validation to check user input for malicious code.
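The following is an added illustration of the kind of allowlist check described under "Validation of uploaded file types" above, covering the two upload scenarios the list names (product images and product database imports). It is example code written for this page, not ProductCart's own; the allowed extensions, the size limit and the magic-byte signatures are assumptions chosen for the example.

```python
import os

# Constructed allowlist: extension -> accepted leading bytes (magic numbers).
# None means a text import (CSV) that is checked for plain text instead.
ALLOWED_TYPES = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".csv": None,
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for the example


def _is_plain_text(sample: bytes) -> bool:
    """Reject NUL bytes and non-text control characters in the leading chunk."""
    if b"\x00" in sample:
        return False
    # 'replace' tolerates a multibyte character cut by the sampling window;
    # binary data still fails because of its control characters.
    text = sample.decode("utf-8", errors="replace")
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Anything not positively known to be safe is refused."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", ".."):
        return False, "path components not allowed"
    if "\x00" in base or ";" in base:
        return False, "illegal character in filename"
    if len(content) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not in allowlist"
    # Names carrying a second extension (image.html.jpg) are refused outright,
    # so the server never has to decide which one a client will honour.
    if os.path.splitext(root)[1]:
        return False, "multiple extensions not allowed"
    magics = ALLOWED_TYPES[ext]
    if magics is None:
        if not _is_plain_text(content[:4096]):
            return False, "import file is not plain text"
    elif not any(content.startswith(m) for m in magics):
        return False, "content does not match declared type"
    return True, "ok"
```

The extension alone is never trusted: the declared type must also agree with the file's leading bytes, and the filename is reduced to a bare name before any check so directory components cannot influence where it lands.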