PCI DSS Compliance
From Shopp Documentation
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements developed by the Payment Card Industry Security Standards Council to provide a standard set of consistent security measures for merchants handling credit card transactions.
The standard includes 12 requirements, grouped under six control objectives, for maintaining a secure operation:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
Shopp & PCI Compliance
Shopp is designed to help merchants meet the requirements of the PCI DSS. Shopp 1.1 regularly passes the McAfee SECURE scan for PCI compliance (see the McAfee SECURE certification on shopplugin.net, at the bottom-left of the site). Note that an external vulnerability scan of this kind addresses only part of Requirement 11; passing it does not by itself make a merchant's site compliant.
Many of the requirements, however, are outside the scope of what Shopp can take care of. As a point of reference, here is a cross-reference of what Shopp does (or does not do) towards each requirement of the DSS:
- Requirement 1: Outside of Shopp's capability. Firewall configuration is part of the hosting environment.
- Requirement 2: Outside of Shopp's capability. This is a policy decision under the responsibility of the merchant and staff of the merchant.
- Requirement 3: Shopp assists with this requirement by never storing the full card number or other sensitive cardholder data. Specifically, Shopp stores only the last 4 digits of the card's PAN (Primary Account Number), the card expiration date and the cardholder's name. By design Shopp does not have the capability to store more than the last 4 digits of the PAN, and has no capability to store the CVV or CVV2 code (sensitive authentication data that the DSS forbids storing after authorization).
- Requirement 4: Shopp assists with this requirement. Configuring the web server for encrypted (SSL/TLS) connections, including obtaining and installing the certificate, is the responsibility of the merchant. For payment systems that use a checkout form on the merchant website, Shopp requires the web server to use secure (HTTPS) connections both from the customer to the website and from the website to the payment system.
- Requirement 5: Outside of Shopp's capability. This is a responsibility of the team that manages the hosting environment.
- Requirement 6: Outside of Shopp's capability. It is the responsibility of the network and hosting system technicians to use secure hardware and software and keep them updated; at the application layer this includes keeping WordPress, Shopp and any other installed plugins and themes up to date.
- Requirement 7: Shopp assists with this requirement by using the WordPress account system (roles and capabilities) for administrative access. It then becomes the responsibility of the website owner to grant administrative roles only to staff with a business need for them and to keep those credentials confidential.
- Requirement 8: Outside of Shopp's capability. This is a hosting system responsibility; at the web application layer, each staff member should have their own WordPress account rather than a shared login.
- Requirement 9: Outside of Shopp's capability. This is a responsibility of the hosting facility, but is ultimately a responsibility of the website owner to ensure the hosting facility employs trusted individuals.
- Requirement 10: Outside of Shopp's capability. This is a responsibility of the hosting environment to log access attempts.
- Requirement 11: Outside of Shopp's capability. This is a responsibility of the website owner.
- Requirement 12: Outside of Shopp's capability. This is a responsibility of the website owner.
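The data-minimization behaviour described under Requirement 3 above, as an added example (Python, written for this page; it is not Shopp's own PHP code). It reduces a submitted checkout form to the only fields that may be persisted (last four digits of the PAN, expiry, cardholder name), deliberately drops the CVV2 before anything is stored, and includes a Luhn-based scan that a merchant could run over stored records or log lines to confirm that no full PAN has leaked through. The form field names (pan, cvv, exp, name), the "MM/YYYY" expiry format and the sample order are assumptions made for the example; 4111 1111 1111 1111 is a well-known test card number, not real cardholder data.

```python
"""Cardholder-data minimization, an added illustration of the Requirement 3
behaviour described on this page (not Shopp's own code).

Only the last four digits of the PAN, the expiry and the cardholder name are
retained; the CVV2 is never copied into the stored record.  A Luhn check is
also used to scan retained fields (or log lines) for any full PAN that may
have leaked through."""
import re
from dataclasses import dataclass


def luhn_valid(candidate: str) -> bool:
    """True if the digits in `candidate` form a Luhn-valid number of PAN length (12-19)."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class StoredCard:
    """The only cardholder data that is persisted."""
    last4: str
    exp_month: int
    exp_year: int
    cardholder: str


def minimize(checkout_form: dict) -> StoredCard:
    """Reduce a submitted checkout form to the storable subset.

    Field names ('pan', 'exp', 'name', 'cvv') are assumed for this example.
    The CVV2 is sensitive authentication data: it is consumed by the payment
    gateway call (not shown) and deliberately never copied here.
    """
    pan = re.sub(r"\D", "", checkout_form["pan"])
    if not luhn_valid(pan):
        raise ValueError("PAN failed Luhn check; refusing to store anything")
    month, year = checkout_form["exp"].split("/")   # assumed "MM/YYYY" format
    return StoredCard(
        last4=pan[-4:],
        exp_month=int(month),
        exp_year=int(year),
        cardholder=checkout_form["name"].strip(),
    )


# Runs of 13-19 digits, optionally separated by spaces or dashes.
_PAN_RUN = re.compile(r"(?:\d[ -]?){13,19}")


def contains_pan(text: str) -> bool:
    """Flag any digit run that looks like a full PAN and passes Luhn.

    A simple scan for stored fields or log lines; a run longer than 19 digits
    is only examined at its first 19, which is enough for this check.
    """
    return any(luhn_valid(m.group()) for m in _PAN_RUN.finditer(text))


def record_is_clean(card: StoredCard) -> bool:
    """Confirm that no retained field carries a full PAN."""
    return not any(contains_pan(str(value)) for value in vars(card).values())


if __name__ == "__main__":
    # Constructed sample form; 4111 1111 1111 1111 is a well-known test PAN.
    form = {"pan": "4111 1111 1111 1111", "cvv": "123",
            "exp": "12/2027", "name": " Alice Example "}
    card = minimize(form)
    print(card, "clean:", record_is_clean(card))
    print("leak in log line:",
          contains_pan("charged card 4111 1111 1111 1111 for order 57"))
```

The scan in contains_pan is the part worth reusing: pointing it at database dumps, debug logs or web server access logs is a quick way to check that a full PAN never reached storage via some path other than the intended record.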
