X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   News and Announcements (https://forum.x-cart.com/forumdisplay.php?f=28)
-   -   X-Cart and PCI DSS / PA-DSS compliance (https://forum.x-cart.com/showthread.php?t=46073)

BritSteve 01-31-2010 10:14 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
We get scanned daily and are PCI compliant, and I fill in the SAQ-D every quarter and send it off to our processor. We would also be charged the $20 a month if we didn't send the stuff to them.

We accept FAX credit card information, so we need to fill in the SAQ-D because we have access to the credit card numbers.

I will wait and see if our processor checks on the cart we are using. X-payments doesn't sound like a good solution for us, unless we make some significant changes to it, or the way we extract data for our other systems.

Steve

Duramax 6.6L 01-31-2010 10:17 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
I changed processors because they were going to charge a $20.00 a month non-compliance fee. They also required a membership at a scan company of their choice that was $700.00 a year; it did not matter if you had the scan report or not, you had to use theirs.

Duramax 6.6L 01-31-2010 10:23 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
As for changes to X-Payments, they said the code will be encoded, so I do not think we will be able to alter the code.

Asiaplay 01-31-2010 10:57 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Why is RBS-World-pay gateway absent from this list?

As you know, we have spent a lot of time and money developing our site using X-Cart, based on the fact it supported a payment gateway we could use here in Asia...
i.e. without world-pay support we have wasted our time it seems...

Before I hit the roof and start getting really hacked off... please explain ASAP, what our options are going to be? - thanks, Asiaplay

Quote:

Originally Posted by xplorer
Hi!

1. Most likely we will release 4.4

2. X-Payments release is not tied to 4.4. Its release date depends on results of beta testing (will launch soon) and on results of PA-DSS certification

3. We plan to support the following payment methods in X-Payments v1.0:
  • ANZ eGate - Virtual Payment Client (merchant hosted)
  • Authorize.Net - Advanced Integration Method
  • Beanstream - Process Transaction API
  • Global Gateway - Direct model
  • BluePay
  • Caledon - Real-time interface
  • DIBS - API integration
  • DirectOne - Direct interface
  • ECHOnline
  • ePDQ - MPI XML
  • eProcessing Network - Transparent Database Engine
  • eSec - Web Direct Model
  • eSelect - DirectPost
  • eWay - Realtime Payments XML
  • GoEmerchant - XML Gateway API
  • HSBC Secure ePayments - API integration
  • Innovative Gateway - PHP Connection
  • iTransact - XML connection method
  • Global Gateway - API (North America)
  • Global Gateway - API (EMEA)
  • Netbilling gateway - Direct Mode 3.1
  • Netregistry eCommerce Gateway - HTTPS method
  • Ogone e-Commerce - DirectLink integration
  • PayPal - Website Payments Pro
  • PayPal - Website Payments Pro Payflow Edition
  • PayPal - Payflow Pro
  • WebXpress - XML method
  • Sage Pay - Direct protocol
  • PSIGate - XML API
  • Quantum Gateway - Transparent QGWdatabase Engine
  • SecurePay - Non-recurring Interface
  • SkipJack
  • USA ePay - CGI Transaction Gateway API
  • Virtual Merchant - Merchant Provided Form
  • CyberSource - SOAP Toolkit API
  • Manual credit card processing
4. X-Payments v1.0 requires the payment form to be displayed by X-Payments (on your domain) and doesn't allow the payment form to be integrated into a checkout page displayed by a shopping cart system. We will check (when X-Payments is being certified by a PA-QSA) whether this is against PCI DSS, and perhaps future X-Payments versions will support this feature.


xplorer 02-01-2010 12:24 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by Asiaplay
Why is RBS-World-pay gateway absent from this list?

As you know, we have spent a lot of time and money developing our site using X-Cart, based on the fact it supported a payment gateway we could use here in Asia...
i.e. without world-pay support we have wasted our time it seems...

Before I hit the roof and start getting really hacked off... please explain ASAP, what our options are going to be? - thanks, Asiaplay


A quote from PA-DSS standard:

Quote:

The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties


With RBS WorldPay's gateway integrated with X-Cart 4.x (I mean the Hosted Payment Page - HTML Redirect API) customers enter credit card data on a WorldPay server, and neither your server nor X-Cart stores, processes or transmits cardholder data. So, from the standard's point of view, your X-Cart is just another web application installed on your server. As far as I know, the PCI DSS standard doesn't require all web applications to be certified as PA-DSS compliant. So, you don't need X-Payments in order to be PCI DSS compliant. Just make sure that all CC functions are disabled in your X-Cart. I believe it would be better if you clarified it with your acquirer, and I would appreciate it if you let us know their response on this matter.
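
The scope argument above rests on one testable claim: with a hosted payment page, no primary account number (PAN) ever reaches the merchant's server. The following is an added example, not X-Cart's or WorldPay's code, of how to check that claim against request lines captured from a test checkout (a POST-body capture from a test proxy, or application logs, if you log bodies). It looks for 13 to 19 digit runs that pass the Luhn checksum, so that order numbers and tracking numbers are not reported, and masks anything it finds so the report itself does not become cardholder data. The sample request lines are constructed for the example; the paths and field names are illustrative, not X-Cart's actual ones.

```python
import re
from typing import Dict, List

# A PAN is 13 to 19 digits, optionally written with single spaces or dashes
# between digit groups. The lookarounds stop the pattern from matching a slice
# of a longer digit run such as a 20-digit tracking number.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid card-number-like strings in text, separators removed."""
    pans = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def mask(pan: str) -> str:
    """Keep only the first six and last four digits, so the report is not CHD."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_requests(records: List[str]) -> Dict[str, List[str]]:
    """Map every request line that carries a PAN to the masked PANs found in it."""
    hits: Dict[str, List[str]] = {}
    for rec in records:
        pans = find_pans(rec)
        if pans:
            hits[rec] = [mask(p) for p in pans]
    return hits


# Constructed sample request lines (not real traffic). The first two are what a
# hosted-payment-page redirect leaves on the merchant server: order id and
# amount only. The last two show cardholder data reaching the server, once via
# a merchant-hosted card form and once via a free-text order note.
SAMPLE_REQUESTS = [
    "POST /payment.php order=10042&amount=49.90&currency=USD",
    "GET /cart.php?mode=checkout order=10042 ref=1234567890123456",
    "POST /payment_cc.php card_number=4111 1111 1111 1111 exp=12/12 cvv=123",
    "POST /cart.php?mode=checkout notes='please charge 5555-5555-5555-4444'",
]

if __name__ == "__main__":
    for line, pans in scan_requests(SAMPLE_REQUESTS).items():
        print("CHD FOUND", pans, "in:", line)
```

The second sample line shows why the Luhn filter matters: a 16-digit reference number is not reported. The fourth shows the case a hosted page does not protect you from: a customer typing a card number into a notes field, which lands in your database whatever the gateway integration does. Do not keep the unmasked scan output; delete the captured bodies once the check is done.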

Asiaplay 02-01-2010 08:07 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Dear Xplorer,

Ok - thanks... I will discuss this more with RBS WorldPay then ;)

I guess we will have to get PCI compliance vulnerability scanning done quarterly and complete the self-assessment document anyway - there seems no way around this part since our site is modified heavily... so even if X-Cart were PA-DSS validated (which I understand it isn't and never will be), it seems we cannot avoid that cost anyway...

Cheers, Asiaplay

happyscott 02-02-2010 07:44 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
I have just spoken to Sagepay, who tell me that because we use vspform it is they who have to be PCI compliant and not our site.

However because I also take payments via the phone I have to have a 'certificate'.

Looking more into this, but if this is correct then that's really good news, as I am currently looking for an alternative shopping cart in fear that X-Cart will not be ready in time.

wolff 02-04-2010 05:59 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
So, after reading through this thread, am I correct that a valid option to anyone using x-cart that wants to be compliant and avoid the PA-DSS software requirements, is to integrate a compliant 3rd party payment gateway using an iframe?

If this is true, wouldn't it be a good idea for someone to start cranking out iframe integration modules for the various 3rd party gateways?

...or am I missing something with all of this?

A related question: With all of the iframe injection issues that have gone around, even if the above is true, would there be possible problems in relying on an iframe for this purpose?

Thanks
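
The iframe injection concern in the post above is a real one for a checkout page that frames a gateway: if the web server or a template is compromised, an attacker adds a hidden frame of their own next to the legitimate one. As an added example (not X-Cart code, and not something the thread itself proposes), here is a small audit that parses the HTML your server actually serves and flags any iframe that is not loaded over HTTPS from an expected gateway host, or that is hidden or zero-sized, which is the usual injection pattern. The gateway hostname and both sample pages are hypothetical and constructed for the example.

```python
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Hosts from which a frame is expected on the checkout page. The hostname is
# hypothetical; put your gateway's real hosted-page host here.
ALLOWED_FRAME_HOSTS = {"secure.gateway.example"}


class _FrameCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.frames: List[Dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def _looks_hidden(attrs: Dict[str, str]) -> bool:
    """Zero/one-pixel or display:none frames are the usual injection pattern."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width", "") in {"0", "1"} or attrs.get("height", "") in {"0", "1"}
    return tiny or "display:none" in style or "visibility:hidden" in style


def audit_iframes(html: str) -> List[Tuple[str, str]]:
    """Return (reason, src) for every iframe that should not be on the page.

    reasons: 'not-https'         frame loaded over plain HTTP (or no scheme)
             'host-not-allowed'  src host is not an expected gateway host
             'hidden'            zero-size or display:none frame
    A clean page returns an empty list.
    """
    parser = _FrameCollector()
    parser.feed(html)
    findings: List[Tuple[str, str]] = []
    for frame in parser.frames:
        src = frame.get("src", "")
        url = urlparse(src)
        if url.scheme != "https":
            findings.append(("not-https", src))
        if url.hostname not in ALLOWED_FRAME_HOSTS:
            findings.append(("host-not-allowed", src))
        if _looks_hidden(frame):
            findings.append(("hidden", src))
    return findings


# Constructed pages for the example. CLEAN_PAGE frames only the gateway;
# INJECTED_PAGE is the same page with the kind of hidden frame an attacker
# adds after compromising the web server or a template file.
CLEAN_PAGE = """
<html><body>
<h1>Checkout</h1>
<iframe src="https://secure.gateway.example/pay?order=10042"
        width="600" height="400"></iframe>
</body></html>
"""

HIDDEN_FRAME = (
    '<iframe src="http://injected.example/x.php" width="0" height="0" '
    'style="display:none"></iframe>'
)
INJECTED_PAGE = CLEAN_PAGE.replace("</body>", HIDDEN_FRAME + "</body>")

if __name__ == "__main__":
    print("clean:", audit_iframes(CLEAN_PAGE))
    print("injected:", audit_iframes(INJECTED_PAGE))
```

Run it against the HTML fetched from your own checkout URL on a schedule, and alert on any non-empty result. It inspects what the server emits, not what a browser renders after scripts run, so a frame inserted by injected JavaScript needs a separate check of the page's script tags. It also says nothing about the SEO point raised in the reply below; that is a separate trade-off.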

just wondering 02-04-2010 06:06 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by wolff
So, after reading through this thread, am I correct that a valid option to anyone using x-cart that wants to be compliant and avoid the PA-DSS software requirements, is to integrate a compliant 3rd party payment gateway using an iframe?

If this is true, wouldn't it be a good idea for someone to start cranking out iframe integration modules for the various 3rd party gateways?

...or am I missing something with all of this?

A related question: With all of the iframe injection issues that have gone around, even if the above is true, would there be possible problems in relying on an iframe for this purpose?

Thanks

I don't trust iframes as far as I can throw them. They are evil when it comes to SEO and as you say, iframe injection is a real & serious worry. I point blank refuse to use them anywhere.

BritSteve 02-04-2010 07:04 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
USA ePay appear to have a configurable page that is hosted on their secure server, and can be made to look like it is still on your site. Haven't tried it yet, but it may be a solution.

The only possible drawback is that X-Cart may not support this method.

Steve


All times are GMT -8.

Powered by vBulletin Version 3.5.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.