
PA-DSS Checklist

PA-DSS stands for "Payment Application Data Security Standard". This tab lists the features that Miva Merchant is required to provide to comply with the PCI (Payment Card Industry) security standards. Please note that this is not a complete checklist for PCI compliance. For example, PCI has requirements for hardware firewalls that Miva Merchant software cannot test for and does not provide. The checklist on this page only contains the PCI requirements that Miva Merchant is responsible for under PA-DSS.

To view the Miva Merchant AOV (Attestation of Validation): https://www.miva.com/pdf/PA-DSS-Implementation-Guide_v1.0.pdf

In order to maintain your PCI-DSS compliance, you must use Miva Merchant 5.5 Production Release 7 (fully patched), or later, AND follow the Miva Merchant PA-DSS Product Installation Guide when you configure your Miva Merchant online store. You can download the PA-DSS Product Installation Guide here: https://www.miva.com/pdf/PA-DSS-Implementation-Guide_v1.0.pdf

Larger merchants may be required by their merchant account provider to pass a PCI audit that is performed by a Qualified Security Assessor who is PCI certified.

Miva Empresa Version v5.31 or Newer

If you need to upgrade Miva Merchant Empresa, you will need to contact your Miva Merchant hosting provider. You can download the latest release of Miva Merchant Empresa here. If you have no experience installing or configuring Miva Merchant Empresa, please contact your host or Miva Merchant support. Miva Merchant support also offers an Empresa upgrade service for $249.00: Miva Merchant Empresa Upgrade Service.

Miva Empresa Debug Logging Disabled

Miva Merchant Empresa has a logging feature to aid in troubleshooting. When logging is active, this test will fail. You will need to contact your hosting provider or Miva Merchant support for guidance in deactivating logging for Miva Merchant Empresa.

Primary Database Using MySQL

If you're using MivaSQL, you will need to have your database converted. Our conversion tool is located here. If you do not have access to a MySQL control panel and/or database, please contact your Miva Merchant host to get access to create a database or have them create one for you. You will need the database name and the username/password used to access the database. This user must have ALL privileges granted to it. Miva Merchant support offers a migration service for this for $149. To purchase the migration, click here.

Primary Database not Located on Web Server

This test will not pass if you're using MivaSQL. The MySQL database must reside on a server that is separate from the web server. You will need to contact your Miva Merchant hosting provider about setting up a MySQL database on a separate server.

Primary Database Password Encrypted

If your database password is not encrypted you will need to step through the Encryption Key Migration Wizard and choose to Leave Private Keys in their Current Location. This will not move anything but it will encrypt the password. Encryption Key Migration Wizard

Primary Database Activity Logging Disabled

If logging is enabled please contact your Miva Merchant hosting provider or Miva Merchant support to get it deactivated.

Private Keys Stored in Secondary Database

Your private keys are the keys for your order encryption. To be compliant your private keys must be stored in a database that is separate from your main database. It also must be located on a server that is separate from the server that your primary database is on (see #7). Step through the Encryption Key Migration Wizard to move it to a second MySQL database or use MivaSQL. If you pass #3 you can use MivaSQL for this database which will store the private keys in your configured mivadata folder located on the web server. Encryption Key Migration Wizard

Private Key Database on Different Server Than Primary Database

Step through the Encryption Key Migration Wizard to move it to a second MySQL database or use MivaSQL. If you pass #3 you can use MivaSQL for this database which will store the private keys in your configured mivadata folder located on the web server.

Private Key Database Password Encrypted

If you're using MySQL for your private key database your database password must be encrypted. If you're failing this test please step through the Encryption Key Migration Wizard and choose to Leave Private Keys in their Current Location. This will encrypt the password.

Private Key Database Activity Logging Disabled

If logging is enabled please contact your Miva Merchant hosting provider or Miva Merchant support to get it deactivated.

All User Passwords Strongly Encrypted

This test is in regards to your Miva Merchant administration user accounts. If your passwords have been created since the update to Production Release 8 this test will pass. If it fails you must have all administration users change their password.

Force Password Change After 90 Days or Less

You configure this by clicking on the Password Settings tab within Domain Settings.

Password Minimum Length 7 Characters or Greater

Configured in Password Settings

Passwords Require at Least one Letter and one Number or Punctuation Character

Configured in Password Settings

Users May Not Reuse Their Last 4 or More Passwords

Configured in Password Settings
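
The four Password Settings rules above (90-day change, 7-character minimum, letter plus number or punctuation, no reuse of the last 4 passwords) can be expressed as a single check. This is an added illustration, not Miva Merchant's own code; the function names and the PBKDF2 hashing scheme are assumptions made for the example.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

# Thresholds from the checklist; all names here are hypothetical.
MIN_LENGTH = 7
HISTORY_DEPTH = 4
MAX_AGE = timedelta(days=90)


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 (an assumed scheme)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def policy_violations(candidate, history):
    """List the checklist rules a proposed password breaks.

    history: (salt, digest) pairs for earlier passwords, newest last.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 7 characters")
    has_letter = any(c.isalpha() for c in candidate)
    has_other = any(c.isdigit() or c in string.punctuation for c in candidate)
    if not (has_letter and has_other):
        problems.append("needs a letter and a number or punctuation character")
    # Re-hash the candidate under each stored salt; plaintext is never kept.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append("matches one of the last 4 passwords")
            break
    return problems


def must_change(last_changed, now):
    """True once the password has reached the 90-day limit."""
    return now - last_changed >= MAX_AGE
```

Because only salted digests are stored, the reuse check has to re-derive the candidate under each historical salt rather than compare stored values to each other.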

Administrative Sessions Expire After 15 Minutes or Less of Inactivity

Configured in the Timeouts tab within Domain Settings.

Administrative Users Locked out After 6 or Fewer Invalid Login Attempts

Configured in the Timeouts tab within Domain Settings.

Administrative Users Invalid Login Lockout Interval 30 Minutes or Greater

Configured in the Timeouts tab within Domain Settings.
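
How the three Timeouts limits interact (lock after 6 invalid logins, hold the lock for 30 minutes, expire idle sessions at 15 minutes) is easiest to see as a small state machine. This is an added illustration, not Miva Merchant's own code; the class, its fields and the in-memory storage are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Checklist limits; class and field names are hypothetical.
MAX_FAILURES = 6
LOCKOUT = timedelta(minutes=30)
IDLE_LIMIT = timedelta(minutes=15)


class AdminLoginGuard:
    def __init__(self):
        self.failures = {}       # user -> consecutive failed logins
        self.locked_until = {}   # user -> datetime the lock expires
        self.last_seen = {}      # user -> datetime of last activity

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is not None and now >= until:
            # Lock has expired: clear it and start counting afresh.
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return until is not None

    def login(self, user, password_ok, now):
        """Return 'locked', 'denied' or 'ok' for one login attempt."""
        if self.is_locked(user, now):
            return "locked"      # even a correct password is refused
        if password_ok:
            self.failures[user] = 0
            self.last_seen[user] = now
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT
        return "denied"

    def session_active(self, user, now):
        """Expire the session after 15 idle minutes; otherwise refresh it."""
        seen = self.last_seen.get(user)
        if seen is None or now - seen >= IDLE_LIMIT:
            self.last_seen.pop(user, None)
            return False
        self.last_seen[user] = now
        return True
```

The point to verify in any real implementation is the same one the guard enforces: while the lock is held, a correct password must still be rejected.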

Production Upgrade Stream

Configured in the Upgrade Settings tab within Domain Settings. Choose the Production Stream from the drop-down list if you're failing this test.

Order Encryption Enabled For all Stores

Order Encryption must be enabled for all of your stores. Click on Order Encryption within your admin interface to configure.

Current Order Encryption Key Less Than 1 Year Old For all Stores

If your pass phrase is older than 1 year, you will need to change it. Please be aware that any order under the old pass phrase will require you to enter the old pass phrase to access payment data.

Current Order Encryption Key Created Post-Upgrade For all Stores

If your pass phrase is not older than one year but was created before upgrading to Production Release 7, you will need to create a new one. Please be aware that any order under the old pass phrase will require you to enter the old pass phrase to access payment data.

More PCI/PA-DSS information including our PA-DSS Implementation Guide.

PA-DSS Implementation Guide


Copyright © 2016 Miva, Inc - All Rights Reserved   Privacy Policy | Store Policy
