Implementation Guide v153


7/25/2019 Implementation Guide v153

Zen Cart Documentation

Implementation Guide

for Zen Cart Version 1.5.3

Document: Implementation Guide

Author: Zen Cart Team

Document Revision: Document Rev 1.9.7

Document Revision Date: 4 July 2014

Content copyright 2014 Zen Cart Development Team. All rights reserved.

All company and/or product names may be trade names, trademarks and/or registered trademarks of the respective owners with which they are associated.

Zen Cart™ Development Team Implementation Guide - rev 1.9.7 Page 1


Table of Contents

1. Introduction
2. Installation Requirements
2.1 Before Starting, Ask Yourself These Questions:
2.1.1 Do You Have A Domain?
2.1.2 Am I Using A Wireless Network?
2.1.3 Are You Using a Personal Firewall on Your Computers?
2.1.4 Do You Have A Good Text Editor Program?
2.1.5 Do You Have Access To Your Webhosting Control Panel to Create a MySQL Database and User?
2.1.6 Do You Have Reliable FTP/SFTP Software?
2.2 Domain Name Requirements
2.3 Server Hardware Requirements
2.4 Server Software Requirements
2.5 Other Installation Requirements
3. Obtaining the Current Zen Cart Release
3.1 Verifying integrity using Hash Keys
3.2 Patches
3.3 Updates/Upgrades
3.4 Notification of New Releases/Updates
4. Unpacking and Uploading the Application Software Files
4.1 Tools Required
4.2 Unzipping/Unpacking
4.3 Where Do I Upload To?
4.4 Advanced ...
...
6.1.7 Step 6 Store Setup
6.1.8 Step 7 Administrator Account Setup
6.1.9 Upgrade Alert Notification
6.1.10 Step 9 Setup Finished
6.2 Using zc_install to do The Database Upgrade Step of a Site Upgrade
6.2.1 Introduction
6.2.2 Step 1 Welcome Screen
6.2.3 Step 2 License Confirmation
6.2.4 Step 3 System Inspection
6.2.5 Step 4 Version-Upgrade Checkboxes
6.2.6 Step 5 Database-Upgrade Step Finished
7. Post-Installation Actions
7.1 Changing The Admin Directory Name for Security (By-Obscurity)
7.2 Enabling SSL in your Admin
7.3 Setting Directory and File Permissions
7.4 Removing the Installation Directory
7.5 Blocked Administration Access
7.6 Removing Unnecessary Directories
8. Accessing the Administration Panel and Configuring Administrative Users and Passwords
8.1 Introduction
8.2 Administrative User Access and PA-DSS requirements
8.3 Users
8.4 Profiles
8.5 Admin Activity Logs
8.5.1 Daily Log Review - Important Things To
...
14.2 Cryptographic Keys and Key ...
...
... Appendices
16.1 ...
16.2 Password Security in Zen Cart
16.3 Wireless (WiFi) Networks
17. Implementation Guide Changelog


1. Introduction

This Implementation Guide is meant to help you not only with important subjects related to installing or upgrading the Zen Cart application but also to understand the issues related to securely implementing Zen Cart in a manner that is PA-DSS compliant.

PA-DSS: It is a requirement of the PA-DSS that you follow the instructions in this Implementation Guide when installing or upgrading your Zen Cart application.

Note also, that this guide is written for the v1.5.4 release of Zen Cart unless otherwise noted.

2. Installation Requirements

2.1 Before Starting, Ask Yourself These Questions:

2.1.1 Do You Have A Domain?

If no, stop and refer to section 2.2 for information about registering a domain for your website. You need a domain name to host your webstore on a webserver.

2.1.2 Am I Using A Wireless Network?

If you are using a wireless network to access your online store, it


2.1.5 Do You Have Access To Your Webhosting Control Panel to Create a MySQL Database and User?

BEFORE YOU PROCEED TO INSTALLATION, make sure you have access to a


your server. They may work for individual files, but are seldom reliable when uploading large numbers of files such as a fresh install of Zen Cart, since they will often timeout without showing any error, and leave you with a damaged set of files which operate unpredictably. Incomplete uploads are the most common cause of problems on new sites.

2.2 Domain Name Requirements

You will need a registered domain name, connected to your webhosting account at your webhosting company. If you need to register a domain name, see the "Register A Domain Name" section on this web page: http://www.zen-cart.com/services

Temporary use of merely an IP address may work during initial installation, but to actually run your shop will require use of a domain name. If your domain is brand-new and is pending initial setup by your hosting company, a temporary domain name may be supplied to you so you can get started without waiting.

Changing the domain-name in Zen Cart after initial setup will require manual editing of your configure.php files. An article on making such changes can be found at http://tutorials.zen-cart.com

2.3 Server Hardware Requirements

Zen Cart itself does not "require" any particular hardware, as long as the hardware you use for your hosting service supports the software requirements that follow.

However, you should be aware that some hardware configurations such as inadequate server RAM


2.4 Server Software Requirements

Technically speaking, Zen Cart will work with the following minimum requirements.

PHP version >= 5.2.10 up to 5.6.x (NOTE: better security after PHP 5.3.7)

Apache version > 2.0

However, for PA-DSS compliance, you must use the latest stable versions of PHP,


MySQL

As of the NO_ZERO_DATE and NO_ZERO_IN_DATE modes are deprecated, and as of


3. Obtaining the Current Zen Cart Release

The current release is obtainable via SourceForge: https://sourceforge.net/projects/zencart/files The release is provided as a .zip file.

3.1 Verifying integrity using Hash Keys

Hash keys are a way of checking the validity of a zip file. We provide both


4. Unpacking and Uploading the Application Software Files

4.1 Tools Required

Before you can unpack and upload the files to your server, you will need two important tools:

An (un)zip utility, such as 7zip, WinZip, unRar, BetterZip, etc.


5. Pre-Installation Actions

5.1 New Installations

Before running the Zen Cart installer you will need to address the following.

1 MySQL Database: Ensure that you have created an empty


6 Ensure that the directory INSTALL_DIRECTORY/logs is writeable. This directory needs to be writeable, as the Zen Cart application may need to store some important files here (ie: namely PHP error logs and debug output).

7 Ensure that the directory INSTALL_DIRECTORY/images is writeable. The images directory needs to be writeable to allow for the uploading of product and other images that you will use in your store. Your admin backend will be used for uploading product/category images here.

8 Ensure that the directory INSTALL_DIRECTORY/pub is writeable. The pub directory needs to be writeable to allow for the downloading of any virtual products that you sell, eg.


6. Running the Web-Based Installer

6.1 New Installs

6.1.1 Introduction

To run the Zen Cart installation wizard, you will need to use your browser to access the web server where you installed Zen Cart. The installation wizard is accessed from the folder /zc_install.

So if you have set your web server up to be accessed as http://www.


6.1.2 Step 1 Welcome Screen

The Welcome Screen provides some brief information regarding the Zen Cart Project. To proceed, click on the Continue button.


6.1.3 Step 2 License Confirmation

The Zen Cart application is released using the GNU General Public License. To use the application, you must acknowledge your agreement to this. Please read the license thoroughly before accepting the license terms and continuing.


6.1.4 Step 3 System Inspection

The System Inspection page checks that various required web server components exist, and permissions are set correctly for the Zen Cart application to function correctly. You should review all items on this page and take any necessary actions to correct problems highlighted here, before continuing.


If you already have a Zen Cart store set up in this database, you may also see an "Upgrade" button here. If you click "Install" here, you will erase any Zen Cart data already in that database. For instructions on doing upgrades, see the chapter on upgrading, later in this guide.


6.1.5 Step 4 Database Setup

6.1.5.1 Database Character Set/Collation

First choose the charset/collation for your Database connection. Normally you should just leave this at the default setting of utf8, however some languages may need this to be set differently.

6.1.5.2 Database Host

The database host setting is specific to your hosting service. On a shared-hosting account this is often localhost, but for a secure PCI configuration you may need to set it to a specific IP address or named server address. Your hosting provider provides these details. See section 2.1.5 for


6.1.5.5 Store Identifier (Table Prefix)

This is typically left blank. You may enter a prefix for the tables created and used by Zen Cart. This should only be necessary if you need to share the database with another application that you have installed on your web server.

6.1.5.6 SQL Cache Method

Zen Cart can cache the results of some SQL queries. This can help to reduce load on the Database server and speed up the application.

6.1.5.7 Session/SQL Cache Directory

This is the path to the directory that would be used to save session and SQL caching information. Generally you won't need to change this unless the setting that is chosen/auto-selected causes problems.

An advanced store configuration might consider moving this "cache" folder location outside the "web root". This can be done post-installation. There are guides for such advanced configuration available at http://tutorials.zen-cart.com


6.1.6 Step 5 System Setup

6.1.6.1 Physical Path To Zen Cart™

This is the location of the Zen Cart application files on the hard drive of your server. Generally the system will auto-detect this, and you should only change it if the auto-detection has not chosen the correct path.

6.1.6.2 URL to your Zen Cart™ store

This is the URL that will be used to access your store. Again, auto-detection should have chosen the correct setting and you should only change it if it is incorrect.

6.1.6.3 HTTPS Domain

Generally your HTTPS domain will be the same as your normal HTTP domain. However some hosts use a separate special domain for HTTPS. Check with your hosting provider if you are unsure.

6.1.6.4 HTTPS Server URL

The URL that will be used to access the HTTPS domain for your web site. If you have your domain in the root of your web server, this will be the same as your HTTPS domain above. However you may have your web site in a directory, such as https://www.


6.1.6.5 Enable SSL

This determines whether Zen Cart will use SSL/HTTPS for the catalog (storefront) side of your store to automatically encrypt communications on pages which collect sensitive data.

If you don't have an SSL certificate enabled in your hosting service yet, select No. You can enable it later manually by following this tutorial: http://www.zen-cart.com/content.php?56-how-do-i-enable-ssl-in-zen-cart

NOTE: To use SSL, Zen Cart™ relies completely on you supplying valid https:// URLs. If your site doesn't have SSL working yet then your Zen Cart™ store will be broken until you get SSL or disable it.

6.1.6.6 Enable SSL in Admin Area

Whether to use SSL/HTTPS for the admin side of your store. Same principles as above.

PA-DSS

To comply with PA-DSS you MUST enable SSL here for both the Admin and Storefront.

When enabled here, Zen Cart will automatically activate SSL on storefront pages which need it (ie: checkout, my account, login, etc) as long as the option is enabled here.

Additionally, built-in payment modules which are capable of accepting credit cards directly on your site will NOT function if you do not have SSL capability available and enabled in Zen Cart™.


6.1.7 Step 6 Store Setup

The following settings are requested here, but can be changed later by logging in to your administration panel of the Zen Cart Application.

Click the "more info..." links on-screen for more detailed information.

(Note: This section will not show up in v1..0 and newer versions of Zen Cart™ since this information will be collected on first login to the Admin instead.)

Store Name

Enter the name of your Store here.

Store Owner

Enter the name of the Store owner here. This will be displayed as the name of whom to contact regarding problems with a purchase or with accessing your site.

Store Owner Email

Enter the email address for contacting the store-owner here. This is displayed in emails and is used for sending Contact Us messages from your store.

Store Country

Enter the Country of the store here. This is used for determining tax and shipping and other geographically dependent operations.

Store Zone

Enter the Zone/State of the store here. Again, used for tax and shipping and related activities.

Store Address

Enter the address of the store here. This is displayed on the Contact Us screen when enabled, and on printable documents.

Default Language

Enter the default language for the store here. If the language you want is not in the list, you may need to download additional language pack(s) from the Zen Cart plugins library at: http://www.zen-cart.com/downloads.php?do=cat&id=6

Default Currency

Enter the default currency for the store here. If the currency you require is not listed, you can set up additional currencies after the application has been installed.


6.1.8 Step 7 Administrator Account Setup

6.1.8.1 Administrator's User name

This is the user name used to initially access the Application's administration panel. This user has access to all of the functionality of the Administration panel. You can set up additional users with restricted permissions once the application has been installed.

6.1.8.2 TEMPORARY Administrator's Password

The password must be at least 7 characters long and contain a mix of both letters and numbers.

This is just a TEMPORARY password which must be changed upon first login to your admin area.

PA-DSS

You most likely accessed this installation without using SSL; as such there is an extremely small possibility that someone could have intercepted your admin username/password.

Make sure that you enable SSL for your admin page.

When you change the SSL status of your admin page, your admin password will expire and you'll need to select a new password. This helps ensure that if someone has stolen your password over an unsecured connection they'll be unable to use that password any longer.

6.1.8.3 Administrator's Email

This is the email address of the initial Administrator, and may be used for sending password resets or testing outgoing email newsletters etc.


6.1.9 Upgrade Alert Notification

If you leave this box checked, then every time you login to your admin backend, it will check to see whether a new version is available. This information will show discreetly in the upper-right corner of the screen.

The only reason to uncheck this box is if you're regularly accessing the site from a server (or running it offline on your local PC) that has no internet connection. In such cases the upgrade-check may result in a brief timeout while waiting for an upgrade data-inquiry response. If that's happening for you, you can turn off this setting after installation by logging into your Admin and going to Configuration>


6.2 Using zc_install to do The Database Upgrade Step of a Site Upgrade

6.2.1 Introduction

Upgrading consists of both manually updating the PHP files on your site, as well as upgrading the database structure to work with the new requirements of the new version. IT IS NOT ENOUGH TO SI


6.2.3 Step 2 License Confirmation

The Zen Cart application is released using the GNU General Public License. To use the application, you must acknowledge your agreement to this. Please read the license thoroughly before accepting the license terms and continuing.


6.2.4 Step 3 System Inspection

You will see some warnings. Please read them. Be sure you have a database backup before proceeding.

To perform a database-upgrade, click the Database Upgrade button. Do that.

The "Upgrade Cfg Files" option is for advanced use only. The other buttons are explained in the Installation section of this guide. Note the warnings on screen.


6.2.5 Step 4 Version-Upgrade Checkboxes

Now you are presented with a list of version-upgrade steps that zc_install is capable of upgrading for you. The system will pre-inspect your database and pre-check the checkboxes for the version steps which need upgrades performed in your database. In a normal upgrade, you simply need to leave the checkboxes as-is, scroll to the bottom of the page, fill in your Admin username and password and click Update Database Now to authorize the upgrade.

Checking or unchecking additional boxes is an advanced troubleshooting activity which would only be relevant in the event of a serious problem requiring overriding of normal operation. Ask for help on the Support Forum if the version detection doesn't automatically work as expected.

The Re-Check button is here to allow the page to re-inspect if the refresh doesn't happen automatically after clicking Upgrade Database Now.


6.2.6 Step 5 Database-Upgrade Step Finished

RE


7. Post-Installation Actions


8. Accessing the Administration Panel and Configuring Administrative Users and Passwords

8.1 Introduction

Zen Cart includes a system for managing multiple admin users and restricting the access of those users to only certain functions of the Administration system.

Initially only one user is created (the user/password you created during installation). This user is assigned a 'Superuser' profile, and has access to all administration functionality. Additional profiles can be created to offer lesser permissions to specific administrative users. This is explained further in the following sections.

PA-DSS

Since you will probably have performed the installation without using SSL, there is a (small) possibility that someone might have intercepted your admin username/password.

If you don't have SSL enabled on your site yet, you need to do that NOW (see section 7.2 of this guide), and then change your admin password.


8.2 Administrative User Access and PA-DSS requirements

Before moving on to how Admin users are managed, there are some fundamental changes that have been made in this area starting with Zen Cart™ 1.5.0 in order for the application to meet PA-DSS requirements.


8.3 Users

You can easily manage the users who are allowed access to the administration system using the Admin Access Management > Admin Users menu entry.

From this screen you will be able to add, delete and change the details of Admin users.

NOTE: For PCI DSS compliance, every person with administrative access must have their own unique user ID and password, and should never re-use the same ID/password on more than one system.

Clicking the edit button will allow you to change the Admin User name, Admin User email address and the profile assigned to that user (although you cannot change the profile assigned to the initial Admin User).

Clicking the "reset pwd" button allows you to change the password assigned to the user.

NOTE: The system only accepts unique usernames, thus no two users can have the same unique userid at any given time.

8.4 Profiles

Profiles describe which functions in the administration system a user can access. Initially only one profile is available, the 'Superuser' profile, which gives access to all the administration system.

However it is also possible to create profiles, so that different users only have access to a subset of the administration system.

For example, you may have users that only need to run reports, or users whose responsibility it is to add products/categories, and those users should not have access to any other administration system functions. NOTE: For PCI-DSS and PA-DSS compliance, only persons requiring access to payment details should be allowed to see them.


This can be achieved by creating specific profiles, and then assigning those profiles to users.

You can access the Admin Profiles management page using the Admin Access Management > Admin Profiles menu entry.

To add a new profile, click on the 'add profile' button.

You will then get a screen similar to the following:

You can then choose a name for the profile, and select which administration system functions that profile has access to.

The Edit button will bring up a similar screen, however in this case you will be able to change the current functionality granted to all users associated with that profile.


    @.& A#min A-ti!it* ;ogs

    The Admin Actiit% =o+ stores important information 6hich mi+ht e9pose malicious actiit% ;ein+

    conducted ;% admin users F6hether -no6n or un-no6n in the ;ac-end of %our store.

    The s%stem lo+s this data0

    The date and time of the access

    The admin id of the user ma-in+ the access Fuser identification

    The pa+e in the administration s%stem that is ;ein+ accessed F6hich infers t%pe of eent

    The parameters related to the pa+e ;ein+ accessed F6hich infers identification of affected data

    and ostensi;l% the success or failure of the attempted action

    The I7 address Fori+ination of the admin user performin+ the eent

    An% suspectJ actiit% that should ;e reie6ed, such as malicious 7@*T data

    Chan+es made to pa%ment?shippin+ modules and admin users

    There are no ;uiltin settin+s to alter this functionalit%.

    Tamperin+ 6ith this lo++in+ functionalit% or disa;lin+ the lo+s or chan+in+ the lo++in+ code 6ill resultin noncompliance 6ith 7CI D**.

    The actiit% lo+ is held in the data;ase, and oer time can ;ecome er% lar+e. ou can mana+e %our

    actiit% lo+ ia0Admin Access ;anagement H Admin Activity logs

    t is iortant to review these logs regularl', even dail', to onitor for ali$ious a$tivit' and

    resond a$$ordingl'.

    The follo6in+ sections discuss the reie6 and mana+ement of these lo+s.

8.5.1 Daily Log Review - Important Things To Monitor

Regular review of these logs will help you avert problems caused by people who have gained unauthorized access to your admin backend, whether that be a hacker, intruder, or even a disgruntled employee.

The 'flagged' items shown in the Review screen are items which warrant some attention. If a log entry is flagged, that means that some potentially-harmful content has been entered into the admin page which was in use at the time of that log entry. Commonly-flagged items include <script> tags where someone could inject malicious javascript to trigger or create XSS or CSRF risks on your store's admin or storefront.

If you find an entry that's been flagged, you should inspect the data that was submitted to be sure it was intentional. If it was not intentional, you should take corrective action to remove the malicious or unwanted content, and also take corrective action to deal with whomever was logged in and submitted the content in the first place. Follow your own internal policies for dealing with such breaches.

PA-DSS
Please Note: It is a requirement of PA-DSS that you review these logs regularly to detect unauthorized activity and take corrective action to deal with any anomalies discovered therein.
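As an added example (not part of the Zen Cart guide or its code), the following Python script applies the daily-review points above to a constructed sample of exported log entries: it URL-decodes the submitted parameters, flags <script> tags and javascript: URLs, and singles out saves on payment/shipping module and admin user pages. The export layout, column order and page names are assumptions; the real Zen Cart export format is not shown on this page.

```python
import re
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample export (tab-separated: date/time, admin id, page, request
# parameters, IP). Invented rows; the real export format is not shown on this page.
SAMPLE_LOG = """\
2014-07-01 09:12:44\t1\tproduct.php\taction=update_product&products_name=Blue+Widget\t203.0.113.10
2014-07-01 09:15:02\t1\tcategories.php\taction=update&categories_description=%3Cscript%3Ealert(1)%3C/script%3E\t203.0.113.10
2014-07-01 22:40:19\t7\tlogin.php\taction=do_login\t198.51.100.23
2014-07-01 22:41:05\t7\tmodules.php\tset=payment&action=save&MODULE_PAYMENT_X_EMAIL=attacker%40example.test\t198.51.100.23
2014-07-02 08:01:37\t1\torders.php\taction=edit&oID=1234\t203.0.113.10
"""

# Content the guide says gets flagged (script tags that could carry XSS), plus
# javascript: URLs as a closely related case.
SUSPECT_PATTERNS = {
    "script tag": re.compile(r"<\s*/?\s*script\b", re.IGNORECASE),
    "javascript: URL": re.compile(r"javascript\s*:", re.IGNORECASE),
}
SENSITIVE_PAGES = {"modules.php", "admin.php"}  # payment/shipping modules, admin users

def parse_log(text):
    """Parse the export; parameters are URL-decoded so encoded tags are not missed."""
    entries = []
    for line in text.splitlines():
        when, admin_id, page, params, ip = line.split("\t")
        entries.append({"when": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                        "admin_id": int(admin_id), "page": page,
                        "params": unquote_plus(params), "ip": ip})
    return entries

def review(entries):
    """Return (entry, reason) pairs a daily reviewer should inspect."""
    findings = []
    for e in entries:
        hits = [name for name, rx in SUSPECT_PATTERNS.items() if rx.search(e["params"])]
        if hits:
            findings.append((e, "suspect content: " + ", ".join(hits)))
        elif e["page"] in SENSITIVE_PAGES and "action=save" in e["params"]:
            findings.append((e, "payment/shipping module or admin user changed"))
    return findings

def admins_by_ip(entries):
    """Map each admin id to the IPs it was seen from, to spot unexpected origins."""
    seen = {}
    for e in entries:
        seen.setdefault(e["admin_id"], set()).add(e["ip"])
    return seen
```

Because the parameters are decoded before matching, an encoded `%3Cscript%3E` is caught the same way as a literal tag; compare the admin-to-IP map against the addresses you expect each person to work from.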


The following section talks briefly about how the Admin Activity Log viewer screen works.

8.5.2 Review or Export Logs

Within this section you can choose to export or review the admin activity logs.

To review the data, ensure that Export as T


8.5.3 Purge Log History action

PA-DSS
Please Note: It is a requirement of PA-DSS that these logs are kept for a minimum of 12 months.

While we provide methods to safely back up these logs, and to remove them, store managers are ultimately responsible for ensuring that they can reproduce these logs in the event of a PCI audit.

Clicking on the reset button in the 'Purge Log History' section of the screen will take you to a new page with the following instructions:

Please ensure that you read and understand the warning text on this page before purging the activity log.

In either case you can also choose the name of the file produced.

8.5.4 PA-DSS Logging Technical Details

PA-DSS standards require that we state what information is logged. So to clarify the bulleted list from section 8.5 earlier, the following is logged:

• Individual access to cardholder data (despite that current versions of Zen Cart never store such data)
• Actions taken by any individual with administrative privileges
• Access to application audit trails managed by or within the application
• Initialization of application audit logs
• Invalid logical access attempts
• Use of the payment application's identification and authentication mechanisms
• Creation and deletion of system-level objects within or by the application
• User identification
• Type of event
• Date and time stamp
• Success or failure indication
• Origination of event
• Affected data, system component, or resource


8.5.5 Centralized Logging

Logging can be extended by incorporating plugins to allow additional external centralized logging services to be incorporated.

Following is an example plugin, consisting of two PHP files, named with the expectation of using the graylog logging service. Actual graylog API coding and credentials must be added to make it functional.

a) /admin-folder-name/includes/auto_loaders/config.admin.graylog.php


9. Customization, Addons, and Plugins

The Zen Cart community has a vast assortment of available addons/plugins contributed by third parties, most often other store owners, who have written customized code to extend the capability of Zen Cart to do additional things beyond the core framework that is Zen Cart itself.


10. Engaging 3rd-Party Consultants or Programmers

As mentioned in the previous section, if you don't have the skills to customize PHP code yourself and wish to hire someone, there's a vast help-wanted community available as well. You can access some help-wanted resources by following this link: http://www.zen-cart.com/helpwanted

PA-DSS Note: It is a requirement of PA-DSS that 3rd-parties are only granted access to the specific components truly required to complete the work requested, that they use that access in a secure manner, and that they destroy all copies of all information obtained once said access is no longer required.

We recommend that you only engage persons who demonstrate an understanding of PCI DSS and will agree in writing that the work they perform for you will be compliant with PCI DSS requirements. To maintain PCI DSS compliance, any coding changes made to authentication, credit card, or security configurations need to be properly verified as being at least as rigorous as PCI DSS requirements.

Some 'best practices' you should consider when engaging a consultant are found in the following sections.

10.1 Webstore (Admin) Backend access

If you need to give someone access to your store's admin panel, create a dedicated unique admin user account and password for that person, grant them access to ONLY the features they will need to complete the tasks assigned to them, and remove that account when they are finished. See section for details. If your admin uses 2-Factor Authentication (see section 10.5) then ALL persons having access must use it.

PCI-DSS requires that anyone accessing the Admin implement and use remote access security features, and they should never use the same ID/password on more than one site; always unique.

10.2 FTP Access

FTP and SFTP Accounts

*NOTE: PCI-DSS requires the use of Secure FTP, not plain unencrypted FTP.

If you engage someone to do work on your website that requires them to have direct access to the files on your webserver, that will most likely require that they have FTP access. You should NEVER give them your master FTP password. You should ALWAYS create a new user/password for them using your hosting company's control panel.

If possible, you should restrict their access to only their IP address, so it can't be abused.

You should ALWAYS delete their FTP user as soon as their work is completed. It is dangerous to leave unmonitored accounts active in the hands of persons not in your direct supervision and employment. Similar wisdom should be applied to employees as well.

Secure Access - Use SFTP, not FTP

EVERYONE (including you) accessing your webserver should be using SFTP to connect. If they use regular unencrypted FTP mode, then your customer data and website security could be compromised. See section 4 of this guide for more information about SFTP.

PCI-DSS and PA-DSS require the use of Secure FTP, not unencrypted FTP.

10.3 Webhosting Accounts Control Panel access

It is unusual for a 3rd-party to need access to your entire hosting account's control panel. If you must give them access, you must change the password to your hosting account when they are finished.


10.4 Secure use of customer database and website files

If you, or a third party, need to make or use a copy of your store's database, either to prepare a staging/testing area, or to debug a problem, it is very important that the names of everyone who has access to this data are recorded, that they not share the data with anyone else, and that the data is securely deleted when no longer needed. Secure erasure is best handled by a software tool that will securely obliterate the data files on your PC and anyplace else you've stored them. Tools for this can be found from numerous online vendors.

Agreement to handle data in this way should form an integral part of your contract with whomever is granted access to this information.

10.5 Two-Factor Authentication

Two-Factor Authentication is the use of a third-party authorization mechanism to verify your identity when logging in. This is commonly implemented via the need to enter more than just a username and password, specifically not just 'something you know', but also 'something you have'. See this wikipedia article for more explanation: Two_factor_authentication

Zen Cart® allows for the use of (but doesn't directly implement) any specific two-factor authentication as a means to further enhance the security of accessing your system. If you have engaged the use of a third-party two-factor authentication service, you can integrate it with Zen Cart® in one of two ways:

a) Follow the instructions of your two-factor authentication solution for adding the required directives to your /renamed-admin/.htaccess file. This will require the token authentication to take place before being allowed to enter your Zen Cart® admin username and password.

b) Add a custom PHP script to hook into your two-factor authentication solution by defining a constant named ZC_AD


11. Removing Old Non-PCI-Compliant Data

If your store has used any payment modules that have stored full credit card data or CVV numbers, you must delete all such historical data from your database and your backups.

PCI Compliance:


i. The physical files on the server which stored your store's


12. Network Diagram

Notes:

In some hosting configurations, the Web Server and Database Server may reside on the same physical server.

It is recommended that no wireless based systems should be connected to the Web/Database Server environment. Where such wireless equipment is connected then the application user or their hosting provider should:

Install perimeter firewalls between any wireless networks and systems that store, process, or transmit cardholder data; the perimeter firewalls must deny or control all traffic from the wireless environment into the cardholder data environment.

Change default encryption keys

Change default S


13. Dataflow Diagram


14. Notes about PA-DSS Compliance

14.1 Cardholder Data

a. Storage

Out-of-the-box, Zen Cart does not store cardholder data, and is crippled from being able to store entire card numbers (PAN) by virtue of database field lengths being too short to store a complete card number.

Thus, Zen Cart does not display the complete PAN: if any partial PAN information is known (it would not be known if payment was hosted/processed externally) only the first 4-6 and last 4 digits are shown, and visible on the Admin 'individual order' page and during checkout during payment confirmation.

These settings are not configurable.

To maintain PCI DSS compliance, any coding changes made to handling or storage of cardholder data would need to be verified as providing handling or storage methods that are at least as rigorous as PCI DSS requirements.

b. S


14. Protocols, Services, Dependent Software and Hardware

The services and protocols and software components used by Zen Cart are listed below.

FOR DETAILS of specific version requirements of each, see sections 2.3, 2.4.

To install and configure any of them, see the relevant documentation provided by their own authors.

APACHE and PHP

Zen Cart is a PHP application which responds to requests directed to PHP via a webserver service running on your server. Alternate webserver engines could be used but are out of scope.


15. Additional Requirements for PA-DSS Compliance

15.1 Consequences of altering the system to store cardholder data

Out-of-the-box, Zen Cart does not store any cardholder data, and is crippled from being able to store entire card numbers by virtue of database field lengths being too short to store a complete card number.

That said, if you or anyone with access to your site changes the database, either by directly editing it or by installing a plugin which alters it to store cardholder data, you are invalidating the PA-DSS compliance and all such changes would need to be verified as implementing compliant procedures that are at least as rigorous as PCI DSS requirements.


ensure that cryptographic key material and/or cryptograms from prior versions of the application are rendered irretrievable. Such irretrievability is absolutely necessary for PCI DSS compliance

provide step-by-step procedures to re-encrypt historic data with new cryptographic methods and/or keys

15.2 Default Accounts

PCI compliance requires that your server's default accounts (including but not limited to: the mysql 'root' user, your server's 'root' or 'Administrator', etc.) have secure authentication controls (secure complex passwords), even if the account is not used. For each of the 'default' accounts, set a secure password. Then ideally those accounts should be disabled or not used (i.e.: don't log in to your server using 'root'; instead, disable 'root' access and create another user with root privileges and a very secure complex password, and use that user for all server login).

MYSQL

For example, your


15.3 Strong Authentication Controls

Reiterating the note in Section 5.1: it is required that you use strong passwords for accounts on dependent subsystems such as


16. Appendices

16.1 MySQL Root Password Reset

As explained previously, for PCI Compliance, you must NOT allow

mysql> UPDATE mysql.user SET Password=PASSWORD('MyNewPass')
    -> WHERE User='root';
mysql> FLUSH PRIVILEGES;

The FLUSH statement tells the server to reload the grant tables into memory so that it notices the password change. You should now be able to connect to the MySQL server as root using the new password. Stop the server, then restart it normally (without the --skip-grant-tables and --skip-networking options).

Copyright © 1997, 2014, Oracle and

Passwords for both customers and administrators are an important subject. Zen Cart does not store unencrypted passwords, and as such can never reveal a user's password to that user or to a third party. Passwords are one-way encrypted by generating a 128-bit salted bcrypt (blowfish) hash where bcrypt is available, or alternatively with a SHA256 hash using a salt of equal length.

Prior versions of Zen Cart implement a salted


17. Wireless WiFi Networks

If you are using a wireless network to access your online store, it


18. Implementation Guide Changelog

Date | Version | Changes from previous version
10th Oct. 2010 | |
22nd April 2011 | |
11th | |