X-Cart forums - View Single Post - X-Cart and PCI DSS / PA-DSS compliance

geckoday · #62 11-18-2009, 06:52 AM

Quote:

Originally Posted by xplorer

First of all, X-Payments will require a dedicated server. It is not because of its performance, it is due to the PCI DSS requirements. I believe that no stores hosted on shared servers will ever be verified as PCI DSS compliant. The only exception are stores that don't collect credit cards via the store website

Boy, someone sold you a bill of goods. You must have hired an extremely overzealous QSA. If you look at the PCI-DSS 1.2 Requirements and Security Assessment Procedures document you will see there is an Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers that makes it quite clear that shared hosting is allowable under PCI-DSS. It does require that processes run under the merchants user ID, so a shared host using mod_php could not be used, but a host using suphp should be fine. It is up to the merchant to validate that the host meets the requirements of Appendix A.

Quote:

Originally Posted by xplorer

Also, if you host X-Payments with other web applications on the same server, the server will require a special configuration because PCI DSS dictates a payment application (X-Payments) to be isolated from other applications (your website, X-Cart, forums and other web applications). It can be done either on the hardware level (different hardware servers) or on the software level (firewalls and jail systems).

Wow, again. This simply isn't true. Ask your QSA to point you to the specific PCI-DSS requirement that dictates this. Take a look at your competition who are already PA-DSS certified -- they don't have this requirement because it doesn't exist.

If this kind of stuff is going to make it into your PA-DSS required implementation guide you are going to put yourselves at a significant disadvantage in the market place. Forcing merchants onto multiple dedicated servers/VPS, X-Cart on one and X-Payments on another, will send your old and new customers to competitive shopping carts that have done the job right and don't impose silly "PCI requirements" that don't exist.