X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php) > News and Announcements (https://forum.x-cart.com/forumdisplay.php?f=28)
Thread: X-Cart and PCI DSS / PA-DSS compliance (https://forum.x-cart.com/showthread.php?t=46073)

kulture 01-28-2010 01:21 PM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Some QA people would say that you store the credit card number in the memory of your server, as it is your server that serves up and processes the credit card form. Further, they may say that X-Cart is a payment application, and as such it is not PA-DSS compliant software, and thus on 1st July you must stop using it.

The crux of the problem is the opinion of the person who says you are PCI compliant. Clearly, as it is your server that hosts the payment form, it is more vulnerable to hackers than a form hosted on, say, Sage's server. Sooner or later you will be asked to ensure that your server is PCI compliant (and shared servers CAN be PCI compliant).

xplorer 01-28-2010 11:08 PM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by amsruned
Is xcart 4.4 from 4.3 going to be just a simple upgrade or will it require a whole nother redesign?


It won't be a simple upgrade. However, since we will use the same css-based skin templates, I believe it won't require complete redesign either.

Quote:

Originally Posted by just wondering
We've been told that as we're not storing any Card Details at all we DON'T need a Server Scan & only have to fill in the PCI-DSS Form "C". Even though we're on Shared Hosting.

So I'm sat here thinking "Do we even need the X-Payments Addon"?



As far as I understand the standard, if credit card data ever touches your server (and it does with SagePay Direct: PHP scripts receive it from a customer's browser and send it to SagePay's server), your server is in the PCI scope.

Although the SAQ-C form omits some requirements, I guess it still requires you to use a PA-DSS verified payment application (the one that transmits card data from a customer's browser to a gateway's server) on a PCI-DSS compliant server (there is a special section related to Shared Hosting in the standard). X-Payments will be a PA-DSS verified payment application that processes SagePay Direct payments in a PCI DSS compliant manner.

geckoday 01-29-2010 06:09 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by just wondering
We use Streamline & SagePay Direct.

We've been told that as we're not storing any Card Details at all we DON'T need a Server Scan & only have to fill in the PCI-DSS Form "C". Even though we're on Shared Hosting.

So I'm sat here thinking "Do we even need the X-Payments Addon"?


That will make you PCI compliant without the X-Payments addon. Unfortunately, on top of PCI compliance VISA is mandating that all merchants use PA-DSS certified payment applications starting July 2010. X-Cart is not PA-DSS certified. X-Payments will be PA-DSS certified so you'll need to go to X-Payments at some point.

just wondering 01-29-2010 06:10 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Cheers Ralph. :)

geckoday 01-29-2010 06:22 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by just wondering
We use Streamline & SagePay Direct.

We've been told that as we're not storing any Card Details at all we DON'T need a Server Scan & only have to fill in the PCI-DSS Form "C". Even though we're on Shared Hosting.

So I'm sat here thinking "Do we even need the X-Payments Addon"?

Weird that they don't require a server scan. Card numbers pass through your server, so it's in PCI scope. I would run the quarterly server scans anyway, as PCI clearly requires them in this case.

What you are seeing is a result of the fact that the card brands leave it up to the acquirer to decide what proof of PCI compliance is required from small merchants. So it will vary what hoops any particular merchant will need to jump through. We will probably see the same thing with the PA-DSS mandate. A few months back someone posted that they couldn't get a new merchant account because X-Cart isn't PA-DSS certified. But overall, I think some acquirers will enforce it and some won't especially early on. Over time most will enforce it.

just wondering 01-29-2010 06:43 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Hmmm. I'm assuming ... more hoping ... that Streamline will turn around to us and say "You have to get a Scan, bla bla bla moan moan moan..."

Duramax 6.6L 01-31-2010 09:17 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
I just wish we could get a working copy of X-Payments to see what will be required to integrate with our web sites. We are getting extremely close to the deadline, and no hint as to what we are going to use.

BritSteve 01-31-2010 09:30 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Has anyone actually received a notice from their processor informing them that their cart needs to be certified and compliant?

I haven't received any notification so far.

Steve

geckoday 01-31-2010 09:54 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by BritSteve
Has anyone actually received a notice from their processor informing them that their cart needs to be certified and compliant?

I haven't received any notification so far.

Steve


Someone has been denied a merchant account because X-Cart is not PA-DSS certified.

http://forum.x-cart.com/showpost.php?p=263045&postcount=5

This is because the VISA mandate phase kicked in last year that requires acquirers to only board new merchants who are PCI-DSS compliant or are using software that is PA-DSS compliant. Apparently, some acquirers are missing the "or" in that and are requiring PA-DSS compliance for new merchants. In July of this year the next phase of the mandate kicks in requiring acquirers to ensure their merchants are only using PA-DSS compliant applications. No "or PCI-DSS compliant" in the July mandate.

JWait 01-31-2010 09:59 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by BritSteve
Has anyone actually received a notice from their processor informing them that their cart needs to be certified and compliant?

I haven't received any notification so far.

Steve


While I haven't received any personally, I know someone that got a notice from his processor (I think Wells Fargo) that he will be billed an extra $20.00 a month for being "non-compliant" and charged at the "card not present" rate even if the card is swiped. He figures for all of the stress and hassle involved it is an acceptable cost of doing business.

