What is PCI DSS?
PCI DSS is the Payment Card Industry Data Security Standard – https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands. It was created to better control cardholder data and reduce credit card fraud.
Why is PCI important to me now?
Previously Sellerdeck customers used payment processors such as Worldpay, Opayo (Sage), PayPal and others. On reaching the end of the checkout, the website customer was taken to the Payment Service Processor's (PSP) website to enter their credit card details. No card details were entered on the Sellerdeck site, so PCI compliance was not an issue for Sellerdeck users.
Sellerdeck is now only supporting Sellerdeck Pay Powered by ClearAccept and no longer supports other payment processors. While earlier versions of Sellerdeck (18.2.2 and before) support Worldpay and other PSPs this integration is no longer supported by Sellerdeck and therefore users are ‘on their own’ as it were if they use them. With Sellerdeck Pay by ClearAccept your website customer enters their card details in the last checkout page of the Sellerdeck website. This change means that the Sellerdeck Website and its hosting needs to be PCI compliant.
Prior to version 18.2.3, Sellerdeck software is not PCI compliant and needs a number of modifications and other criteria to achieve PCI compliance. Sellerdeck 18.2.3 includes some of the file modifications but you still need to address some files and other criteria.
Things to be done
- Upgrade jQuery and other javascript files to the latest version: (https://community.sellerdeck.com/forum/knowledge-base/online-store-issues/557050-sellerdeck-site-fails-pci-dss-scan)
- Address Cross-site Scripting (XSS) vulnerability
- Add security headers via the .htaccess file on the server.
- Address email deliverability
- PCI DSS Compliant Hosting
1 Upgrade jQuery and other javascript files to the latest version:
Go to https://code.jquery.com/jquery-3.5.1.js and to https://code.jquery.com/jquery-3.5.1.min.js and download these files into your site folder. Change the Reference in JavaScript Header Functions from:
<script type="text/javascript" src="jquery-1.11.1block if.min/block.jsblock if?DAYNO=ECDayno/block"></script>
to
<script type="text/javascript" src="jquery-3.5.1block if.min/block.jsblock if?DAYNO=ECDayno/block"></script>
Full and further instructions are at https://community.sellerdeck.com/forum/knowledge-base/online-store-issues/557050-sellerdeck-site-fails-pci-dss-scan
With the change to jQuery 3.5.1 you may find that some third party JavaScript no longer functions or produces error messages such as:
Uncaught TypeError: a.indexOf is not a function
or similar.
The solution is to replace every instance of ‘jQuery.load()’ (the event handler shorthand, which jQuery 3 removed) with ‘jQuery.on()’.
For example, if the code was as follows:
$(window).load(function(a) {
it would need to be replaced with:
$(window).on("load",function(a) {
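The rewrite above has to be applied to every script in the site folder. The following is an added example (not Sellerdeck's code or the original post's) that does it in bulk: it rewrites only the event-handler form `$(x).load(function ...)`, because the AJAX form `$(sel).load("url")` still exists in jQuery 3 and must be left alone. The sample script text is constructed for the demonstration; `migrate_site_folder` takes the path of your site folder as an argument.

```python
import re
from pathlib import Path

# jQuery 3 removed the .load()/.unload()/.error() event-handler shorthands.
# Match only the event form, $(x).load(function ...) / jQuery(x).load(function ...);
# the AJAX form $(sel).load("url") still exists in jQuery 3 and must be left alone.
LOAD_EVENT_RE = re.compile(r"(\$\([^)]*\)|jQuery\([^)]*\))\s*\.load\(\s*function\b")

# Constructed sample of the kind of third-party script that breaks after the upgrade.
SAMPLE_JS = (
    '$(window).load(function(a) {\n'
    '  initSlider(a);\n'
    '});\n'
    'jQuery(window).load(function () { resize(); });\n'
    '$("#news").load("/fragment.html");\n'
)

def migrate_load_handlers(source: str) -> tuple:
    """Return (rewritten source, number of .load(function ...) handlers changed)."""
    return LOAD_EVENT_RE.subn(r'\1.on("load", function', source)

def migrate_site_folder(site_dir: str, suffixes=(".js", ".html", ".htm")) -> dict:
    """Rewrite matching files under site_dir in place, keeping a .bak copy of each
    changed file, and return {path: handlers changed}."""
    changed = {}
    for path in Path(site_dir).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        text = path.read_text(encoding="utf-8", errors="surrogateescape")
        new_text, count = migrate_load_handlers(text)
        if count:
            path.with_name(path.name + ".bak").write_text(text, encoding="utf-8", errors="surrogateescape")
            path.write_text(new_text, encoding="utf-8", errors="surrogateescape")
            changed[str(path)] = count
    return changed

if __name__ == "__main__":
    rewritten, n = migrate_load_handlers(SAMPLE_JS)
    print(f"{n} handler(s) migrated:\n{rewritten}")
```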
2 To address Cross-site Scripting (XSS) vulnerability a modified file is needed.
Sellerdeck have produced a modified Actinic.pm (which is version specific) which will fix the reported Cross-site Scripting (XSS) vulnerability relating to the referrer.
Actinic.pm version 18.2.2 is downloadable here – https://www.graphicz.solutions/pcidss/index.html
Actinic.pm version 18.2.3 is downloadable here – https://www.graphicz.solutions/pcidss/index.html
Open the site folder, make a copy of Actinic.pm for backup then unzip the downloaded file into the site folder replacing the one that is there. Close and reopen Sellerdeck and do Web, Refresh. (Do not do troubleshooting website purge and refresh as this will overwrite the edited file).
3 Add HTTP Headers required for PCI Scan Compliance to the .htaccess file on the server.
Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.
X-Content-Type-Options: This HTTP header will prevent the browser from interpreting files as a different MIME type to what is specified in the Content-Type HTTP header.
Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.
Content-Security-Policy: The HTTP Content-Security-Policy response header allows web servers to apply an additional layer of security to help prevent certain types of attacks, such as Cross-Site Scripting (XSS) and data injection attacks.
Add to your .htaccess file.
# Security Headers
<IfModule mod_headers.c>
# Legacy header: modern browsers ignore it, but PCI scanners still check for it
Header set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options "SAMEORIGIN"
# No colon after the header name in a Header directive.
# frame-ancestors 'none' forbids framing even from this site; use 'self' if the site frames its own pages
Header set Content-Security-Policy "frame-ancestors 'none'"
Header set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "accelerometer=(self), camera=(self), geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(self), payment=(self), usb=(self)"
</IfModule>
This is a correction from what I originally posted with thanks and acknowledgement to the Sellerdeck Community: https://community.sellerdeck.com/forum/setting-up-sellerdeck/payment-services-psp-setup-sellerdeck-payments-hsbc-paypal-etc/557174-pci-dss-4-0-htaccess – and particularly to user zgap111 Thank you!
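Before re-running the scan it is worth checking the .htaccess block for the mistakes that most often leave a header unsent. The following is an added example, not part of the original post: it parses the Header directives, flags a header name written with a trailing colon (such as `Content-Security-Policy:`, which Apache will not send as the intended header), reports any of the headers listed above that are missing, and notes that `frame-ancestors 'none'` is stricter than `X-Frame-Options SAMEORIGIN`. The sample block is constructed here with the colon mistake deliberately present.

```python
import re

# Matches one mod_headers directive: Header [always] set|add|append|merge NAME "VALUE"
HEADER_RE = re.compile(
    r'^\s*Header\s+(?:always\s+)?(?:set|add|append|merge)\s+(\S+)\s+"([^"]*)"', re.I)

# Headers the section above expects a PCI scan to find on the site.
REQUIRED = ("X-Content-Type-Options", "Strict-Transport-Security",
            "Content-Security-Policy", "X-Frame-Options", "Referrer-Policy")

# Constructed sample: the header block with a stray colon after the CSP header
# name, a common mistake that stops the intended header from being sent.
SAMPLE_HTACCESS = """
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options "SAMEORIGIN"
Header set Content-Security-Policy: "frame-ancestors 'none'"
Header set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
"""

def parse_header_directives(htaccess: str) -> dict:
    """Return {header name exactly as written: value} for every Header directive."""
    found = {}
    for line in htaccess.splitlines():
        m = HEADER_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def audit_htaccess(htaccess: str) -> list:
    """List what to fix before running the PCI scan."""
    directives = parse_header_directives(htaccess)
    findings = [f"{n} is malformed: remove the colon after the header name"
                for n in directives if n.endswith(":")]
    # Header names are case-insensitive, so compare in lower case.
    present = {n.lower(): v for n, v in directives.items() if not n.endswith(":")}
    findings += [f"{r} is missing" for r in REQUIRED if r.lower() not in present]
    if present.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("X-Content-Type-Options must be nosniff")
    if not re.search(r"max-age=\d+", present.get("strict-transport-security", "max-age=0")):
        findings.append("Strict-Transport-Security needs a max-age directive")
    csp = present.get("content-security-policy", "")
    if "frame-ancestors 'none'" in csp and present.get("x-frame-options", "").upper() == "SAMEORIGIN":
        findings.append("frame-ancestors 'none' overrides X-Frame-Options SAMEORIGIN in "
                        "CSP-aware browsers; use 'self' if the site frames its own pages")
    return findings
```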
4 Now is a good time to address email deliverability
Because the default Sellerdeck scripts do not add a Message-ID header to outgoing emails, emails from the site can be undeliverable or sent to spam. An edited version of the SMTPLibrary.pm file in the site folder fixes that.
SMTPLibrary.pm version 18.2.2 is downloadable here – https://www.graphicz.solutions/pcidss/index.html
SMTPLibrary.pm version 18.2.3 is downloadable here – https://www.graphicz.solutions/pcidss/index.html
Open the site folder, make a copy of SMTPLibrary.pm for backup then unzip the downloaded file into the site folder replacing the one that is there. Close and reopen Sellerdeck and do Web, Refresh. (Do not do troubleshooting website purge and refresh as this will overwrite the edited file).
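To see what the edited SMTPLibrary.pm puts right, here is an added example (not Sellerdeck's code or the original post's) that checks an outgoing message for the identity headers receiving mail filters weigh most and adds a unique Message-ID of the form <random@domain> when one is absent. The order-notification message is constructed for the demonstration and the domain is a placeholder.

```python
from email import message_from_bytes, policy
from email.utils import make_msgid

# Constructed sample: an order notification as a script that omits Message-ID
# would hand it to the SMTP server. Addresses are placeholders.
SAMPLE_RAW = (
    b"From: orders@example.com\r\n"
    b"To: customer@example.net\r\n"
    b"Subject: Order confirmation 12345\r\n"
    b"Date: Mon, 01 Jan 2024 10:00:00 +0000\r\n"
    b"\r\n"
    b"Thank you for your order.\r\n"
)

def missing_identity_headers(raw: bytes) -> list:
    """Return which of From, Date and Message-ID the message lacks; spam filters
    treat a missing Message-ID as a mark of bulk or forged mail."""
    msg = message_from_bytes(raw, policy=policy.SMTP)
    return [h for h in ("From", "Date", "Message-ID") if msg[h] is None]

def ensure_message_id(raw: bytes, domain: str) -> bytes:
    """Add a unique RFC 5322 style Message-ID (<unique-part@domain>) if the
    message has none, and return the message ready to hand to SMTP."""
    msg = message_from_bytes(raw, policy=policy.SMTP)
    if msg["Message-ID"] is None:
        msg["Message-ID"] = make_msgid(domain=domain)
    return msg.as_bytes()
```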
5 Finally you will need PCI DSS compliant hosting.
I can offer PCI compliant hosting. If you buy your own PCI compliant hosting (Brixly is good) you need to add Perl modules in cPanel for each site to make Sellerdeck work. If the server does not have Crypt::SSLeay + Net::SSL then Sellerdeck will use the LWP::UserAgent module for secure connections to remote servers, but this requires LWP::Protocol::https, which is not always installed. Sellerdeck requires either Crypt::SSLeay + Net::SSL or LWP::UserAgent + LWP::Protocol::https to work with many supported PSPs. The LWP modules are preferred.
So, don’t worry if Crypt::SSLeay + Net::SSL are absent, just add LWP::UserAgent + LWP::Protocol::https in cPanel.
When LWP::UserAgent + LWP::Protocol::https are added site by site in cPanel, you will need to adjust the Path to Perl in Network setup so that it looks for cPanel modules. The path to perl should be:
/usr/bin/perlml

This should enable your site to pass PCI compliance testing. Any questions, please give me a call.
I can do all this for you – please give me a call – 07836 551000 or email me.