PCI Compliance Zen Cart force https

As PCI compliance is more rigorously enforced, there are some PCI issues becoming apparent with Zen Cart.

PCI requires that sensitive credit card info is never sent over an unencrypted connection. PCI regards this as a level 3 issue, so it's quite serious.

By default, Zen Cart will load cart pages securely with HTTPS, but this isn't enforced: you can simply remove the 's' from the URL and the page still loads in insecure mode. PCI doesn't like this.

We have a fix for this, thanks to Zen Cart Marketing, which has worked for our standard Zen Cart checkout and Cartage checkouts.

In the folder includes/modules/pages, modify the file header_php.php in each of the following folders.

  • /account/
  • /account_edit/
  • /account_history/
  • /account_password/
  • /checkout_payment/
  • /checkout_payment_address/
  • /checkout_process/
  • /checkout_shipping/
  • /checkout_shipping_address/
  • /create_account/
  • /customers_authorization/
  • /login/

In each of these header_php.php files you will find the following (or similar) at the top:

// This should be first line of the script:
$zco_notifier->notify……………………….

On the very next line you can add the following.

//Edit require SSL
if($_SERVER['SERVER_PORT'] != '443') { header('Location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']); exit(); }

As always, make a backup before trying this, and test thoroughly before using it on your live site.
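
A hardened variant of the one-line redirect above, as an added example that is not from the original page or from Zen Cart: it treats a request as secure based on `$_SERVER['HTTPS']` as well as the port, and builds the redirect from a configured host name instead of the client-supplied `Host` header. The function names, `shop.example.com` and the sample requests are assumptions made for illustration.

```php
<?php
// Added example, not Zen Cart's own code. Function names, the host name and
// the sample requests are hypothetical / constructed.

// Returns the https:// URL to redirect to, or null when the request is
// already secure. $server is passed in so the logic can be exercised offline.
function https_redirect_target(array $server, string $canonicalHost, bool $trustProxy = false): ?string
{
    $flag     = strtolower((string)($server['HTTPS'] ?? ''));
    $https    = $flag !== '' && $flag !== 'off';            // IIS reports "off"
    $port443  = (string)($server['SERVER_PORT'] ?? '') === '443';
    // Only honour X-Forwarded-Proto when your own TLS-terminating proxy sets it.
    $viaProxy = $trustProxy
        && strtolower((string)($server['HTTP_X_FORWARDED_PROTO'] ?? '')) === 'https';
    if ($https || $port443 || $viaProxy) {
        return null;
    }
    // Keep only a local path; anything else falls back to the site root.
    $uri = (string)($server['REQUEST_URI'] ?? '/');
    if ($uri === '' || $uri[0] !== '/' || strpbrk($uri, "\r\n") !== false) {
        $uri = '/';
    }
    // The host comes from configuration, never from the client-supplied Host header.
    return 'https://' . $canonicalHost . $uri;
}

function require_https(string $canonicalHost, bool $trustProxy = false): void
{
    $target = https_redirect_target($_SERVER, $canonicalHost, $trustProxy);
    if ($target !== null) {
        header('Location: ' . $target);
        exit();
    }
}
// In header_php.php, after the notifier line: require_https('shop.example.com');

// Constructed sample requests; run from the command line to see the decisions.
$samples = [
    'plain HTTP'    => ['SERVER_PORT' => '80', 'HTTP_HOST' => 'shop.example.com', 'REQUEST_URI' => '/index.php?main_page=login'],
    'forged Host'   => ['SERVER_PORT' => '80', 'HTTP_HOST' => 'attacker.invalid', 'REQUEST_URI' => '/index.php?main_page=login'],
    'already HTTPS' => ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'REQUEST_URI' => '/index.php?main_page=account'],
    'untrusted XFP' => ['SERVER_PORT' => '80', 'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/'],
];
foreach ($samples as $label => $server) {
    $target = https_redirect_target($server, 'shop.example.com');
    echo str_pad($label, 16), ' => ', $target ?? '(no redirect)', PHP_EOL;
}
```

A redirect only corrects the response: whatever the browser already sent in the plain HTTP request (a POST body, cookies without the Secure flag) has already crossed the wire unencrypted.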

 
