Protection of sensitive information

At Early Impact we are very committed to doing all we can to protect the privacy of your customers' information, as well as the security of your store. To this extent, we have equipped ProductCart with features aimed at minimizing the chances of unauthorized access to any confidential information, as well as with features that ensure that sensitive information is properly managed when stored in the system database.

We have also partners with companies such as McAfee to make sure that ProductCart successfully passes all tests performed by a security audit system such as McAfee Secure.

Here is a list of features and system behaviors related to the security of sensitive information.

• Password-protected administration
  ProductCart's Control Panel is password protected. Only authorized users have access to your store's administration area. Please refer to the Security Recommendations listed in the previous section of this User Guide to minimize the chances of unauthorized access to the Control Panel.
• Password-protected customer account area
  Customers can view information about previous orders, edit their billing or shipping addresses, etc. only after logging into their account area. Credit card information is never shown, even after they have logged in.
• Encryption of sensitive data
  All passwords, credit card numbers, Authorize.Net login ID and transaction key, are saved to the ProductCart database in an encrypted format. Data is encrypted using the ProductCart License Key, which is not stored in the store database. In ProductCart 4 and above the encryption key can be changed regularly to comply with PCI regulations (which call for the encryption key to be changed at least once a year).
• Second layer of protection on sensitive data
  All account names and passwords for any payment gateway used by the store are not shown to the store administrator once they have been saved to the database. In other words, the store administrator cannot view through the ProductCart Control Panel the use name (or login ID) and password (or transaction key) associated with a payment gateway when modifying the payment gateway’s settings in the Control Panel.
• Storing of credit card information Credit card information is not saved to the store database except for when it is required for the proper functioning of the store. Regardless of whether or not credit card information is stored in the database, this information is never included in any e-mail correspondence (e.g. order notification and/or confirmation e-mails). More on how ProductCart handles credit card information.
• Purging of credit card information
  ProductCart v2.6 and above allow merchants to remove credit card information that was stored in the system database in one of the three scenarios mentioned above. This feature allows the store administrator to delete sensitive information that is no longer needed (e.g. orders have been processed and cannot be returned).
• Validation of uploaded file types
  All shopping cart pages that allow for the upload of files to the system include code that validate for unsafe file types. For example, this applies to scenarios such as a customer uploading a graphic associated with a previously saved order, the administrator uploading a product image or importing a product database, etc. Only harmless files are allowed to be uploaded to the system. NOTE: a security vulnerability was found in August of 2011: make sure to review the information provided and patch your ProductCart installation.
• SQL injection prevention ProductCart features a number of features aimed at minimize the chances of a SQL injection attack on stores using a SQL database. This includes effective form field validation to check user input for malicious code. In fact, ProductCart successfully passes all security tests that are part of a service such as HackerSafe, many of which are focused on determining whether the application is properly protected against SQL Injection attacks.

If any vulnerability is found in ProductCart:

1. A patch is developed as soon as possible
2. Information on the vulnerability is posted on the ProductCart Support Center
3. ProductCart users are notified via email (make sure to sign up for our product updates), Twitter, and the Early Impact blog.

See the PCI compliance section.