Try our new AI assistant by clicking the chat icon in the lower right corner.


PA-DSS Checklist

PA-DSS, or, Payment Application Data Security Standard, is the set of requirements intended to help software vendors develop secure payment applications for credit card transactions.

In this tab is a lengthy list of features the Miva admin is required to provide to comply with the PCI (Payment Card Industry) security standards. This is not, however, a complete list of all PCI compliance standards.

Miva Empresa Version v5.37 or Newer

If you need to upgrade Miva Empresa you will need to contact your Miva admin hosting provider.

Miva Empresa Debug Logging Disabled

Miva Empresa has a logging feature to aid in troubleshooting. When active this test will fail. You will need to contact your hosting provider or Miva support for guidance in deactivating logging for Miva Empresa.

Primary Database Using MySQL

If you're using MivaSQL you will need to have your database converted. If you do not have access to a MySQL control panel and/or database please contact your Miva host to get access to create a database of have them create one for you. You will need the database name and the username/password used to access the database. This user must have ALL privileges granted to it.

Primary Database not Located on Web Server

This test will not pass if you're using MivaSQL. The MySQL database must reside on a server that is separate from the web server. You will need to contact your Miva hosting provider about setting up a MySQL database on a separate server.

Primary Database Password Encrypted

If your database password is not encrypted you will need to step through the Encryption Key Migration Wizard and choose to Leave Private Keys in their Current Location. This will not move anything but it will encrypt the password. The link to the wizard is located at the bottom of the PA-DSS Checklist page.

Primary Database Activity Logging Disabled

If logging is enabled please contact your Miva hosting provider or Miva support to get it deactivated.

Private Keys Stored in Secondary Database

Your private keys are the keys for your order encryption. To be compliant your private keys must be stored in a database that is separate from your main database. It also must be located on a server that is separate from the server that your primary database is on. Step through the Encryption Key Migration Wizard to move it to a second MySQL database or use MivaSQL. If you pass #3 you can use MivaSQL for this database which will store the private keys in your configured mivadata folder located on the web server.

Private Key Database on Different Server Than Primary Database

Step through the Encryption Key Migration Wizard to move it to a second MySQL database or use MivaSQL. If you pass #3 you can use MivaSQL for this database which will store the private keys in your configured mivadata folder located on the web server.

Private Key Database Password Encrypted

If you're using MySQL for your private key database your database password must be encrypted. If you're failing this test please step through the Encryption Key Migration Wizard and choose to Leave Private Keys in their Current Location. This will encrypt the password.

Private Key Database Activity Logging Disabled

If logging is enabled please contact your Miva hosting provider or Miva support to get it deactivated.

All User Passwords Strongly Encrypted

This test is in regards to your Miva administration user accounts. If it fails you must have all administration users change their password.

Force Password Change After 90 Days or Less

You configure this by clicking on the Password Settings tab in Domain Settings.

Password Minimum Length 7 Characters or Greater

Configured in Password Settings.

Passwords Require at Least one Letter and one Number or Punctuation Character

Configured in Password Settings.

Users May Not Reuse Their Last 4 or More Passwords

Configured in Password Settings.

Administrative Sessions Expire After 15 Minutes or Less of Inactivity

Configured in the Timeouts tab in Domain Settings.

Administrative Users Locked out After 6 or Fewer Invalid Login Attempts

Configured in the Timeouts tab in Domain Settings.

.

Administrative Users Invalid Login Lockout Interval 30 Minutes or Greater

Configured in the Timeouts tab in Domain Settings.

Production Upgrade Stream

Configured in the Upgrade Settings tab in Domain Settings. Choose the Production Stream from the dropdown list if you're failing this test.

Order Encryption Enabled For all Stores

Order Encryption must be enabled for all of your stores. Click on Order Encryption in the admin interface to configure.

Current Order Encryption Key Less Than 1 Year Old For all Stores

If your passphrase is older than 1 year you will need to change it. Please be aware that any order under the old passphrase will require you to enter the old pass phrase to access order and payment data.

Current Order Encryption Key Created Post-Upgrade For all Stores

If your passphrase is not older than one year but was created before upgrading to Production Release 7 you will need to create a new one. Please be aware that any order under the old passphrase will require you to enter the old passphrase to access order and payment data.

Looking for Developer Docs?

We have a whole section for that, including: Developer Training Series, Template Language docs, Module Development tutorials and much, much more.

Head to the Developer Section

This website uses cookies to identify visitors, track visitors to our website, store login session information and to remember your user preferences. By continuing to use this site you agree to our use of cookies. Learn More.

This website uses cookies. By continuing to use this site you agree to our use of cookies. Learn More.

Accept

Copyright © 1997 – 2021 Miva©, Miva Merchant©, MivaPay©, MivaCon© Miva, Inc. All Rights Reserved.