Zen Cart® Documentation
Implementation Guide
for Zen Cart® Version 1.5.4
Document Implementation Guide
Author
Zen Cart® Team
Document Revision Document Rev 1.9.8.3
Document Revision Date 14 Nov 2014
Content copyright ©2014 Zen Cart Development Team. All rights reserved.
All company and/or product names may be trade names, trademarks and/or
registered trademarks of the respective owners with which they are associated.
©Zen Cart® Development Team Implementation Guide – rev 1.9.8.3 Page 1
Table of Contents
1. Introduction........................................................................................................................................4
2. Installation Requirements...................................................................................................................4
2.1 Before Starting, Ask Yourself These Questions:..............................................................................4
2.1.1 Do You Have A Domain?.........................................................................................................4
2.1.2 Am I Using A Wireless Network?............................................................................................4
2.1.3 Are You Using a Personal Firewall on Your Computers?........................................................4
2.1.4 Do You Have A Good Text Editor Program?...........................................................................4
2.1.5 Do You Have Access To Your Webhosting Control Panel to Create a MySQL Database and User?..5
2.1.6 Do You Have Reliable FTP/SFTP Software?..........................................................................5
2.2 Domain Name Requirements...........................................................................................................6
2.3 Server Hardware Requirements.......................................................................................................6
2.4 Server Software Requirements........................................................................................................7
2.5 Other Installation Requirements......................................................................................................8
3. Obtaining the Current Zen Cart® Release.........................................................................................9
3.1 Verifying integrity using Hash Keys................................................................................................9
3.2 Patches.............................................................................................................................................9
3.3 Updates/Upgrades............................................................................................................................9
3.4 Notification of New Releases/Updates............................................................................................9
4. Unpacking and Uploading the Application Software Files..............................................................10
4.1 Tools Required...............................................................................................................................10
4.2 Unzipping/Unpacking....................................................................................................................10
4.3 Where Do I Upload To?.................................................................................................................10
4.4 Advanced Method..........................................................................................................................10
5. Pre-Installation Actions....................................................................................................................11
5.1 New Installations...........................................................................................................................11
5.1.1 File/Folder Permissions..........................................................................................................11
5.2 Upgrades........................................................................................................................................12
6. Running the Web-Based Installer.....................................................................................................13
6.1 New Installs...................................................................................................................................13
6.1.1 Introduction............................................................................................................................13
6.1.2 Step 1 Welcome Screen..........................................................................................................14
6.1.3 Step 2 License Confirmation..................................................................................................15
6.1.4 Step 3 System Inspection.......................................................................................................16
6.1.5 Step 4 Database Setup............................................................................................................18
6.1.6 Step 5 System Setup...............................................................................................................20
6.1.7 Step 6 Store Setup..................................................................................................................22
6.1.8 Step 7 Administrator Account Setup......................................................................................25
6.1.9 Upgrade Alert Notification.....................................................................................................26
6.1.10 Step 9 Setup Finished...........................................................................................................26
6.2 Using zc_install to do The Database Upgrade Step of a Site Upgrade..........................................27
6.2.1 Introduction............................................................................................................................27
6.2.2 Step 1 Welcome Screen..........................................................................................................27
6.2.3 Step 2 License Confirmation..................................................................................................28
6.2.4 Step 3 System Inspection.......................................................................................................29
6.2.5 Step 4 Version-Upgrade Checkboxes.....................................................................................30
6.2.6 Step 5 Database-Upgrade Step Finished................................................................................31
7. Post-Installation Actions...................................................................................................................32
7.1 Changing The Admin Directory Name for Security (By-Obscurity)............................................32
7.2 Enabling SSL in your Admin.........................................................................................................32
7.3 Setting Directory and File Permissions.........................................................................................32
7.4 Removing the Installation Directory.............................................................................................33
7.5 Blocked Administration Access.....................................................................................................33
7.6 Removing Unnecessary Directories..............................................................................................33
8. Accessing the Administration Panel and Configuring Administrative Users and Passwords..........34
8.1 Introduction....................................................................................................................................34
8.2 Administrative User Access and PA-DSS requirements................................................................35
8.3 Users..............................................................................................................................................36
8.4 Profiles...........................................................................................................................................36
8.5 Admin Activity Logs......................................................................................................................38
8.5.1 Daily Log Review – Important Things To Monitor...............................................................38
8.5.2 Review or Export Logs..........................................................................................................39
8.5.3 Purge Log History action.......................................................................................................41
8.5.4 PA-DSS Logging – Technical Details....................................................................................41
8.5.5 Centralized Logging...............................................................................................................42
9. Code Customization, Addons, and Plugins......................................................................................43
10. Engaging 3rd-Party Consultants or Programmers..........................................................................44
10.1 Webstore “Admin”/Backend access............................................................................................44
10.2 FTP Access...................................................................................................................................44
10.3 Webhosting Account's Control Panel access...............................................................................44
10.4 Secure use of customer database and website files.....................................................................45
10.5 Two-Factor Authentication..........................................................................................................45
11. Removing Old Non-PCI-Compliant Data......................................................................................46
11.1 Removing Old Credit Card Data From Database Records..........................................................46
11.2 Suggested Procedure For Secure Erasure of Old CHD data........................................................46
12. Network Diagram...........................................................................................................................48
13. Dataflow Diagram..........................................................................................................................49
14. Notes about PA-DSS Compliance..................................................................................................50
14.1 Cardholder Data...........................................................................................................................50
14.2 Cryptographic Keys and Key Management.................................................................................50
14.3 Protocols, Services, Dependent Software and Hardware............................................................51
14.4 Settings sensitive to PCI compliance...........................................................................................51
15. Additional Requirements for PA-DSS Compliance........................................................................52
15.1 Consequences of altering the system to store cardholder data....................................................52
15.2 Default Accounts.........................................................................................................................53
15.3 Strong Authentication Controls...................................................................................................54
15.4 Secure Access..............................................................................................................................54
16. Appendices.....................................................................................................................................55
16.1 MySQL Root Password Reset.....................................................................................................55
16.2 Password Security in Zen Cart®.................................................................................................55
16.3 Wireless (WiFi) Networks...........................................................................................................56
17. Implementation Guide Changelog..................................................................................................57
1. Introduction
This Implementation Guide covers the important subjects related to installing or upgrading the
Zen Cart® application, and it also explains what is involved in implementing Zen Cart® securely,
in a manner that is PA-DSS compliant.
PA-DSS
It is a requirement of the PA-DSS that you follow the instructions in this Implementation Guide when
installing or upgrading your Zen Cart® application.
Note also that this guide is written for the v1.5.4 release of Zen Cart® unless otherwise noted.
2. Installation Requirements
2.1 Before Starting, Ask Yourself These Questions:
2.1.1 Do You Have A Domain?
If No, stop and refer to section 2.2 for information about registering a domain for your website.
You need a domain name to host your webstore on a webserver.
2.1.2 Am I Using A Wireless Network?
If you are using a wireless network to access your online store, it MUST be configured securely. That
means protecting your WiFi network with a strong, complex password of your own choosing, and NOT
the default one that is printed on the device or restored when it is reset. See the Appendix of this
manual for additional requirements for properly securing your wireless network.
2.1.3 Are You Using a Personal Firewall on Your Computers?
For security, you should always use a personal firewall when accessing any online systems, especially
your own online store's administration area.
2.1.4 Do You Have A Good Text Editor Program?
If no, stop … you will need a good text editing application such as Sublime Text, Notepad++,
UltraEdit, BBEdit, Kedit, or perhaps a more advanced tool like Aptana Studio or Eclipse.
This text editor application will be used for modifying the files if you customize the Zen Cart®
software.
NOTE: Do NOT use cPanel for editing files, nor Microsoft Word or other word-processing software
… you want a clean plain-text editor which doesn't add extra “junk” into the files.
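The following is an added example and is not part of the Zen Cart® guide or code base. It assumes that the “junk” a word processor or control-panel editor leaves behind means a UTF-8 byte-order mark (BOM) ahead of `<?php` (which PHP emits as output, so later header() and session calls fail with “headers already sent”), Windows CRLF line endings, and typographic “smart” quotes or dashes substituted for ASCII characters. Run it over a customized file tree before uploading; the sample files it scans are constructed inline so it runs offline.

```python
"""Scan a file tree for editor "junk" that breaks PHP and template files.

Added example, not part of the Zen Cart guide or code base. The three checks
(BOM, CRLF, smart quotes/dashes) are this example's assumption about what
"junk" means; adjust SUFFIXES and SMART_CHARS for your own site.
"""
import os
import tempfile
from pathlib import Path

BOM = b"\xef\xbb\xbf"
SUFFIXES = (".php", ".css", ".js", ".html")
# Code points that word-processor style editors substitute for plain ASCII.
SMART_CHARS = {
    "\u2018": "'", "\u2019": "'",   # single curly quotes
    "\u201c": '"', "\u201d": '"',   # double curly quotes
    "\u2013": "-", "\u2014": "-",   # en dash / em dash
    "\u00a0": " ",                  # non-breaking space
}


def check_file(path):
    """Return a list of problem strings for one file (empty list = clean)."""
    data = Path(path).read_bytes()
    problems = []
    if data.startswith(BOM):
        # Bytes before "<?php" are sent to the browser as output.
        problems.append("utf-8 BOM at start of file")
    if b"\r\n" in data:
        problems.append("CRLF line endings")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return problems + ["not valid UTF-8"]
    for lineno, line in enumerate(text.splitlines(), 1):
        for ch in line:
            if ch in SMART_CHARS:
                problems.append(
                    f"line {lineno}: U+{ord(ch):04X} (use {SMART_CHARS[ch]!r})"
                )
    return problems


def check_tree(root, suffixes=SUFFIXES):
    """Walk a directory; return {relative_path: [problems]} for dirty files only."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(suffixes):
                full = os.path.join(dirpath, name)
                found = check_file(full)
                if found:
                    report[os.path.relpath(full, root)] = found
    return report


def demo():
    """Constructed sample tree: one clean file and one with every defect."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "clean.php").write_bytes(b"<?php\necho 'ok';\n")
        bad = BOM + "<?php\r\necho \u201chi\u201d;\r\n".encode("utf-8")
        Path(tmp, "bad.php").write_bytes(bad)
        return check_tree(tmp)


if __name__ == "__main__":
    # Usage on a real site: replace demo() with check_tree("/path/to/site").
    for path, problems in demo().items():
        print(path)
        for problem in problems:
            print("  -", problem)
```

A file that passes this scan is not guaranteed to be correct, but one that fails it will usually produce the blank page or “headers already sent” symptom the moment it is uploaded.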