Home
Documentation
HCL Commerce is a high-availability, highly scalable and customizable e-commerce platform. Able to support hundreds of thousands of transactions per day, HCL Commerce allows you to do business with consumers (B2C) or directly with businesses (B2B). HCL Commerce uses cloud friendly technology to make deployment and operation both easy and efficient. It provides easy-to-use tools for business users to centrally manage a cross-channel strategy. Business users can create and manage precision marketing campaigns, promotions, catalog, and merchandising across all sales channels. Business users can also use AI enabled content management capabilities.
Compliance
The following section describes how you can leverage HCL Commerce features and functionality to help your site be compliant with different privacy and security standards.
HCL Commerce and the PCI Data Security Standard
The Payment Card Industry (PCI) Data Security Standard (DSS), developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International, facilitates the global adoption of consistent data security measures.
Addressing the PCI Data Security Standard within HCL Commerce
The following topics deal with each of the detailed requirements that pertain to HCL Commerce. Some of the requirements are directly related to the HCL Commerce software package. Other requirements are unrelated, or indirectly relate to the HCL Commerce software package. For example, indirect requirements can affect your use of the operating system security features to secure HCL Commerce files.
Requirement 6: Develop and maintain secure systems and applications
As your business needs change, you or your business partners might customize your HCL Commerce site. As you do so, you must ensure that the customizations do not compromise your site security. Ensure that your developers understand the requirement to develop secure systems by referring to the PA-DSS and PCI-DSS.

Documentation
HCL Commerce is a high-availability, highly scalable and customizable e-commerce platform. Able to support hundreds of thousands of transactions per day, HCL Commerce allows you to do business with consumers (B2C) or directly with businesses (B2B). HCL Commerce uses cloud friendly technology to make deployment and operation both easy and efficient. It provides easy-to-use tools for business users to centrally manage a cross-channel strategy. Business users can create and manage precision marketing campaigns, promotions, catalog, and merchandising across all sales channels. Business users can also use AI enabled content management capabilities.
- Getting started
  HCL Commerce has different advantages for business users, administrators and developers. HCL Commerce targets each of these roles with a tailored set of offerings so that each of your users can get maximum benefit.
- Installing and deploying
  Learn how to install and deploy HCL Commerce development environments and HCL Commerce production environments.
- Migrating
  Before you migrate to HCL Commerce Version 9, review this information to help plan and execute your migration.
- Operating
  Topics in the Operating category highlight tasks that are typically performed by business users, customer support representatives, to complete their day-to-day tasks in the operation of the HCL Commerce site.
- Integrating
  Topics in the Integrating category highlight the tasks that are commonly performed for using HCL Commerce in combination with other products.
- Administering
  Topics in the Administering category highlight tasks that are typically performed by the Site Administrator, to support daily operations of the HCL Commerce site.
- Customizing
  The topics in the Customizing section describe tasks performed by an application developer to customize HCL Commerce.
- Tutorials
  HCL Commerce provides many tutorials to help you customize and understand your HCL Commerce instance and stores.
- Samples
  Topics in the Samples category highlight the various samples that are provided with HCL Commerce.
- Compliance
  The following section describes how you can leverage HCL Commerce features and functionality to help your site be compliant with different privacy and security standards.
  - GDPR and HCL Commerce
    HCL Commerce provides documentation and functions that your organization can use to help it on the journey to GDPR readiness. If your store operates within the European Union (EU), sells products or services to those people in the EU, or monitors the behavior of EU data subjects, your site likely needs to be GDPR compliant from May 25, 2018.
  - HCL Commerce and the PCI Data Security Standard
    The Payment Card Industry (PCI) Data Security Standard (DSS), developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International, facilitates the global adoption of consistent data security measures.
    - Addressing the PCI Data Security Standard within HCL Commerce
      The following topics deal with each of the detailed requirements that pertain to HCL Commerce. Some of the requirements are directly related to the HCL Commerce software package. Other requirements are unrelated, or indirectly relate to the HCL Commerce software package. For example, indirect requirements can affect your use of the operating system security features to secure HCL Commerce files.
      - Requirement 1: Install and maintain a firewall configuration to protect cardholder data
        Many parts of requirement 1 such as your wireless network or router setup do not directly relate to HCL Commerce, but the requirements that relate to your site topology are extremely important. You must construct your HCL Commerce site so that you never store cardholder data on internet-accessible systems. Additionally, HCL Commerce sites should always use firewalls to separate themselves from the internet, internal networks, and any other system that is accessible to the internet. Refer directly to the PCI DSS for details on this requirement.
      - Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
        The detailed requirements in this section are relevant to HCL Commerce. Review each point carefully.
      - Requirement 3: Protect stored cardholder data
        The detailed requirements in this section are relevant to HCL Commerce. Review each point carefully.
      - Requirement 4: Encrypt transmission of cardholder data across open, public networks
        The detailed requirements in this section are relevant to HCL Commerce. Review each point carefully.
      - Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
        Although antivirus software is outside the scope of HCL Commerce, protecting your servers and network from malicious software should always be a priority for a responsible network administrator. HCL Commerce is designed, developed and tested on systems running antivirus software.
      - Requirement 6: Develop and maintain secure systems and applications
        As your business needs change, you or your business partners might customize your HCL Commerce site. As you do so, you must ensure that the customizations do not compromise your site security. Ensure that your developers understand the requirement to develop secure systems by referring to the PA-DSS and PCI-DSS.
      - Requirement 7: Restrict access to cardholder data by business need to know
        The detailed requirements in this section are relevant to HCL Commerce. Review each point carefully.
      - Requirement 8: Identify and authenticate access to system components
        The detailed requirements in this section are relevant to HCL Commerce. Review each point carefully.
      - Requirement 9: Restrict physical access to cardholder data
        Requirement 9 deals with physical site security and is well beyond the scope of WebSphere Commerce. Refer directly to the PCI DSS for details on the requirement.
      - Requirement 10: Track and monitor all access to network resources and cardholder data
        The detailed requirements in this section are relevant to HCL Commerce. Review each point carefully.
      - Requirement 11: Regularly test security systems and processes
        While beyond the scope of HCL Commerce, it is important to regularly test security systems and processes. Refer directly to the PCI DSS for details on testing requirements.
      - Requirement 12: Maintain a policy that addresses information security for all personnel
        This requirement is not directly related to HCL Commerce. Refer directly to the PCI DSS for requirements and details on how to develop your information security policies.
    - PCI Assessment Services for HCL Commerce
      There is more to navigating the PCI standard and the certification procedure than simply installing HCL Commerce and making the adjustments that are outlined in the preceding sections. There are significant portions of the standard that, although it applies to your site, do not apply to the software application. To assist you in completely addressing these parts of the standard, HCL has the expertise and resources to assist your site in becoming PCI compliant.
  - Security standards
    Some main security standards are: NIST SP 800-131A, FIPS 140-2 and PCI.
- Securing
  These topics describe the security features of HCL Commerce and how to configure these features.
- Performance
  Topics in the Performance section describe the means by which to plan, implement, test, and re-visit the optimization of HCL Commerce site performance.
- Troubleshooting
  Topics in the Troubleshooting section highlight common issues that are encountered with HCL Commerce, and how they can be addressed or mitigated.
- Reference
  Topics in the Reference section contain all of the HCL Commerce reference documentation.

Requirement 6: Develop and maintain secure systems and applications

As your business needs change, you or your business partners might customize your HCL Commerce site. As you do so, you must ensure that the customizations do not compromise your site security. Ensure that your developers understand the requirement to develop secure systems by referring to the PA-DSS and PCI-DSS.

Note:

HCL Commerce starter store error pages can be configured to contain exception details that can be viewed (for development debugging purposes) when you view the source.

The error pages that can print out stack traces are:

GenericSystemError.jsp
GenericApplicationError.jsp
GenericError.jsp

Ensure that your production store error pages do not show the exception details - only generic error information.

The GenericSystemError.jsp and GenericApplicationError.jsp pages do not show exception details by default. You do not need to update the production store pages to hide the exception details.
The GenericError.jsp page does not show exception details by default. You do not need to update the production store pages to hide the exception details.

Refer directly to the PCI DSS for details on this requirement.