X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   News and Announcements (https://forum.x-cart.com/forumdisplay.php?f=28)
-   -   X-Cart and PCI DSS / PA-DSS compliance (https://forum.x-cart.com/showthread.php?t=46073)

lbs_09 03-02-2010 04:55 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by xplorer
eSelect Hosted Paypage API is supported in X-Cart since the 4.3 version.


Is there any way to use it in earlier versions? 4.1.x?

speedyskis 03-24-2010 04:28 PM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
There are three key areas for PCI DSS - storage, processing, and transmittal.

I don't recommend you store any card data. Period. There are many ways to get around this. If your virtual terminal won't let you do a refund without CVV, you need a new terminal or to change your controls.

THE SERVER

Among the largest processors, First Data is requiring EVERY merchant to pass a PCI Compliance SAQ. If you have an ecommerce site, your site/server will be scanned as part of that process. Tons of merchants process through what's called an "ISO" of First Data. That means a whole bunch of you either already have, or will have to pass that test this year via the third party company they hired, Security Metrics.

You're supposed to do this on your own regardless of your processor, but too many people (50%) didn't so now it's mandatory with at least that processor.

PAYMENT PROCESSING

You need an SSL certificate on any system, and everyone has that part down. But the rest of it is where the problems come into play. There are really no short cuts.

You either have a shopping cart that is certified compliant or not.

Chase Paymentech and others have a stringent cart certification process that most developers have not completed yet.

The hosted payment page is a viable alternative to all the issues and cart certification. I'm not familiar with x-payment. Magento users have a solution through CRE Secure. X-cart users can also use the solution. While X-cart is not a ready made module at this time, you can still use the custom integration. When you add up the cost of scanning and everything else, I'm betting this is a cost effective and quick solution.

check out this page for how it works
http://www.cresecure.com/pages.php?pID=7&CDpath=0

(I'm the "payment network" in the diagram; I have no vested interest in CRE other than it makes clients compliant.)

I hope this helps those with immediate needs.

geckoday 03-25-2010 05:20 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
CRE Secure is really just another hosted payment page like Authorize.Net SIM or Paypal Payflow Link. To pay extra for CRE Secure when many gateways already have hosted payment page options at no cost to the merchant doesn't seem to be a cost effective solution. Yes, CRE Secure automatically scrapes your site design so you don't need to fiddle with configuring a hosted payment page to match your site. But to avoid a per transaction cost on every transaction and the cost of integration I would take the time to configure a hosted payment page at a gateway already supported by X-Cart.
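
The hosted payment page handoff that this and the later posts recommend, as an added example that is not part of the thread and not any gateway's real API: a generic merchant-side implementation in Python. The gateway URL, field names, merchant id, shared secret and the HMAC-SHA256 canonicalisation are constructed assumptions; Authorize.Net SIM, Payflow Link and CyberSource each define their own fields and signature scheme in their documentation. What the example shows is the scoping benefit the posts refer to: the merchant server signs an order description and redirects the shopper, the card is entered on the gateway's page, and the merchant verifies a signed result before fulfilling, so no card number ever passes through the cart's server.

```python
"""Hosted payment page handoff, modelled generically (constructed example).

The merchant never touches the card: it sends the shopper to the gateway
with a signed request describing the order, the shopper types the card into
the gateway's page, and the gateway posts a signed result back. The merchant
only has to (1) sign the outgoing request and (2) verify the incoming result.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed values: a real gateway issues the merchant id and shared secret
# from its merchant portal, and the URL is whatever that gateway documents.
MERCHANT_ID = "merchant-0001"
SHARED_SECRET = b"constructed-shared-secret-not-a-real-key"
GATEWAY_PAYPAGE_URL = "https://gateway.example/hosted-paypage"  # hypothetical
MAX_RESULT_AGE_SECONDS = 900


def sign(fields: dict, secret: bytes) -> str:
    """HMAC-SHA256 over a canonical 'k=v|k=v' string of every non-signature field."""
    canonical = "|".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "signature")
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def build_handoff(order_id: str, amount_cents: int, now: Optional[int] = None) -> dict:
    """Fields the merchant embeds in the form that sends the shopper to the gateway.

    Nothing here identifies the card; the order is pinned by id, amount and a
    fresh nonce so the gateway can refuse a replayed or edited request.
    """
    fields = {
        "merchant_id": MERCHANT_ID,
        "order_id": order_id,
        "amount": f"{amount_cents / 100:.2f}",
        "currency": "USD",
        "timestamp": str(now if now is not None else int(time.time())),
        "nonce": secrets.token_hex(8),
    }
    fields["signature"] = sign(fields, SHARED_SECRET)
    return {"action": GATEWAY_PAYPAGE_URL, "method": "POST", "fields": fields}


def simulate_gateway(request: dict, approve: bool = True, now: Optional[int] = None) -> dict:
    """Stand-in for the gateway side: it alone handles the card and returns a
    signed result carrying only the order reference, a status and an auth code."""
    if not hmac.compare_digest(request["signature"], sign(request, SHARED_SECRET)):
        raise ValueError("gateway rejected handoff: bad merchant signature")
    result = {
        "merchant_id": request["merchant_id"],
        "order_id": request["order_id"],
        "amount": request["amount"],
        "currency": request["currency"],
        "status": "APPROVED" if approve else "DECLINED",
        "auth_code": "AUTH123" if approve else "",
        "card_last4": "4242",  # constructed; the full PAN stays at the gateway
        "timestamp": str(now if now is not None else int(time.time())),
    }
    result["signature"] = sign(result, SHARED_SECRET)
    return result


def verify_result(result: dict, expected_order: dict, now: Optional[int] = None) -> Tuple[bool, str]:
    """Checks the merchant makes on the posted-back result before fulfilling.

    expected_order is the merchant's own stored record {order_id, amount, currency};
    the result's figures are compared against it rather than trusted on their own.
    """
    if not hmac.compare_digest(result.get("signature", ""), sign(result, SHARED_SECRET)):
        return False, "bad signature"
    for key in ("order_id", "amount", "currency"):
        if result.get(key) != expected_order[key]:
            return False, f"{key} mismatch"
    if result.get("merchant_id") != MERCHANT_ID:
        return False, "merchant_id mismatch"
    try:
        age = (now if now is not None else int(time.time())) - int(result.get("timestamp", "x"))
    except ValueError:
        return False, "bad timestamp"
    if not 0 <= age <= MAX_RESULT_AGE_SECONDS:
        return False, "stale result"
    if result.get("status") != "APPROVED":
        return False, "not approved"
    return True, "approved"


if __name__ == "__main__":
    handoff = build_handoff("ORD-1", 1999)
    posted_back = simulate_gateway(handoff["fields"])
    print(verify_result(posted_back, {"order_id": "ORD-1", "amount": "19.99", "currency": "USD"}))
```

The four checks in verify_result are the ones that matter when the result arrives via the shopper's browser rather than server-to-server: a constant-time signature check, the order id and amount pinned to the merchant's own stored record, a freshness window on the timestamp, and an explicit APPROVED status. Whichever gateway from the list above you configure, its documentation will describe equivalents of each, and the point of the hosted page is that these are the only payment-related checks left on the X-Cart side.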

robertswww 03-31-2010 11:25 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
PCI info for those X-Cart users who use PayPal for your merchant account...

PayPal and PCI compliance (Website Payments Pro, Payflow Pro, or Virtual Terminal):
https://www.paypal.com/pcicompliance

PayPal helps (from the above link):
PayPal has partnered with ScanAlert, a Visa and MasterCard-certified PCI vendor, to help our customers comply at no cost for the first year. Enroll online with ScanAlert at: https://www.scanalert.com/SignUp.sa?oc=9673.

PCI Data Security Standards: Payment Card Industry Data Security Standards (PCI DSS) are a set of network security and business practice guidelines adopted by major credit card companies to help protect customers' payment card information. This module reviews the 12 requirements all merchant websites must meet to comply with PCI DSS. We also explain how to validate compliance and how to implement and support PCI DSS when using a PayPal solution.

Module:
http://www2.eventsvc.com/paypaldev/event/0a654a52fd7a4c9db8ef81d3441f4c1d

PCI Compliance for PayPal Developers (PDF):
https://cms.paypal.com/cms_content/CA/en_US/files/developer/PP_PCI_Compliance_WhitePaper.pdf

PCI DSS Compliance – Website Payments Standard:
https://www.paypal.com/cgi-bin/webscr?cmd=xpt/Marketing/merchant/PCIComplianceDSS-outside

PDF:
https://www.paypalobjects.com/WEBSCR-620-20100330-1/en_US/pdf/PP_WebsitePaymentsStandard_PCIComplianceDSS.pdf

PCI Compliance Solutions:
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/solutions_pci_compliance

---

And from PCI Security Standards Council...

PCI DSS New Self-Assessment Questionnaire (SAQ) Summary V1.2:
https://www.pcisecuritystandards.org/saq/instructions_dss.shtml

Self-Assessment Questionnaire - Instructions and Guidelines v1.1 (PDF):
https://www.pcisecuritystandards.org/pdfs/instructions_guidelines_v1-1.pdf

geckoday 03-31-2010 12:23 PM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by robertswww

And from PCI Security Standards Council...

PCI DSS New Self-Assessment Questionnaire (SAQ) Summary V1.2:
https://www.pcisecuritystandards.org/saq/instructions_dss.shtml

Self-Assessment Questionnaire - Instructions and Guidelines v1.1 (PDF):
https://www.pcisecuritystandards.org/pdfs/instructions_guidelines_v1-1.pdf

The SAQ Instructions and Guidelines v1.1 have been out of date for over a year now. The correct link to the 1.2 version is:
https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_instr_guide.pdf

happycamper 04-04-2010 06:01 PM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
This thread is making me dizzy, so please forgive my basic questions:

- I'm currently using 4.0.19 and TrustCommerce (a gateway that I see will not be supported in 4.3). I do not store customer credit card data in my store. Will I still be considered non PCI compliant when the new rules go into effect?

- TrustCommerce is offering me a better discount rate if I sign a new 2-year contract with them. I've been satisfied with them, but should I not sign up for 2 more years, given that newer versions of X-Cart won't support them?

Thanks for helping me understand how to proceed.

geckoday 04-05-2010 06:41 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by happycamper
- I'm currently using 4.0.19 and TrustCommerce (a gateway that I see will not be supported in 4.3). I do not store customer credit card data in my store. Will I still be considered non PCI compliant when the new rules go into effect?

PCI-DSS compliant - probably (depends on your Self Assessment Questionnaire answers and quarterly vulnerability scans).

Compliant with the new VISA mandate to use PA-DSS certified applications - no.
Quote:

Originally Posted by happycamper
- TrustCommerce is offering me a better discount rate if I sign a new 2-year contract with them. I've been satisfied with them, but should I not sign up for 2 more years, given that newer versions of X-Cart won't support them?

Unless they are going to supply you with some way of meeting the VISA mandate then no, I wouldn't sign a long term contract. You can ask them if they will develop the X-Payments module for their gateway or if they will build an Authorize.Net emulation API for their gateway. If not, I would be looking elsewhere. When it comes to credit card processing rates it never hurts to look around anyway.

icnjan 04-20-2010 02:30 PM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by geckoday
But to avoid a per transaction cost on every transaction and the cost of integration I would take the time to configure a hosted payment page at a gateway already supported by X-Cart.


Could you please share some recommended "hosted payment pages"?

BCSE 04-28-2010 05:12 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by icnjan
Could you please share some recommended "hosted payment pages"?


We have been researching many and find these to be popular and also well configurable:

- Authorize.net SIM
- Payflow Link
- CyberSource (Hosted)

Cybersource looked pretty interesting as far as making the checkout look like your own site.

Hope that helps!

Carrie

lbs_09 04-28-2010 05:55 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
For Canadians I recommend:

Elavon / Virtual Merchant
Moneris / eSelectPlus

Depending on the version of x-cart you have you may have to pay someone to backport the integration file for you like we did. This costs about $200. Elavon has better credit card rates but Moneris has more complex software so it just depends what your needs are. Also you can get better rates from Moneris but you have to negotiate hard.
