PCI Compliance is a struggle for all merchants. The time, cost and knowledge needed is perhaps excessive when you factor in that no one is policing the rules. Having said that we have recently come across a really stupid pain in the ass new fail for scans from a few of the PCI scanning companies. The fail is simple.... Your Zen Cart contact form is now supposed to be protected under SSL.
So I argued this with the scanning company CSR on the phone, but the fact is, fail is fail and they are not budging.... even though they are using a GIGANTIC amount of imagination to interpret the PCI Standards. So yes it's completely asinine, it is NOT sensitive information and people using the form are not even necessarily customers who have or will checkout. In fact I suspect many are idiot spammers selling you PPC with their highly professional GMAIL business email =) .... But, even the stupid must be protected from nothing I suppose.
So, making your Zen Cart secure your contact page under SSL is a PIA.
The absolutely easiest thing to do is to secure the whole catalog front end under SSL. This is done by editing includes/configure.php and completing the following.
On lines 15 you will make the following edits.
On line 19 just verify that the value is true and not false.
Now this method while easy to accomplish has some pitfalls. Your urls will ALL change, some server's SSL config can be significantly slower and you'll have to properly secure all of your resources or face the "Broken Lock of Death". If you want to avoid these pitfalls, the task is a genuine, annoying PIA to complete.
Turning Your Contact Page to SSL the Hard Way
- First open up your admin and go to Tools >> Developers Tool Kit
- Now scroll down to the last field and enter zen_href_link(FILENAME_CONTACT_US and set it for PHP files only and Catalog only.
- This search is going to bring up all the link references for the contact us page, so we can hunt them all down and edit them like crazy people. I could just tell you where they are, but then you would miss template and override files.
For each of these instances you will change the code from
<a href="' . zen_href_link(FILENAME_CONTACT_US) . '">
<a href="' . zen_href_link(FILENAME_CONTACT_US, '', 'SSL') . '">
- No that the references are now trained to be SSL we have to change the actual form action to be SSL as well. In theory this is ALL that should be required, but the idiots at the scanning companies cannot teach their pet tool to recognize that the function itself is secured, so the page doesn't need to be.
In /public_html/includes/templates/your_template/templates/tpl_contact_us_default.php on line 17 locate the following.
<?php echo zen_draw_form('contact_us', zen_href_link(FILENAME_CONTACT_US, 'action=send')); ?>
replace it with
<?php echo zen_draw_form('contact_us', zen_href_link(FILENAME_CONTACT_US, 'action=send','SSL')); ?>
That's all, now you can rescan and have a beer, you earned it!