|
Install Xpayments on development site?
Is there any reason not to go ahead and install Xpayments on my development site and then move the whole "shootin' match" when I'm ready to publish it?
Thanks. |
Re: Install Xpayments on development site?
No, there is no reason. You should install and test first before going live
|
Re: Install Xpayments on development site?
Can a test store connect to xpayments if xpayments installed in the root folder as follows,
root folder/xpayments root folder/testsite/ or would it be better to do it as follows, root folder/testsite/xpayments root folder/testsite/ and then move the whole shooting match? |
Re: Install Xpayments on development site?
You can connect up to 10 store to one X-Payments install, no matter where these stores are or if they are life or not
|
Re: Install Xpayments on development site?
QT recommends that X-Payments be installed on a separate server, or, under a separate hosting account on the same server. If you have your own VPS or dedicated server, you can create another hosting account, put it there, and connect it to up to 10 stores. In this case, you would connect your development store to X-Payments, then move it to your live location when ready, or, copy it and create a new connection to X-Payments if you wish to keep your development in place. But X-Payments would stay where it is.
See the bottom part of this post, after the ======: http://forum.x-cart.com/showpost.php?p=336735&postcount=135 --- |
Re: Install Xpayments on development site?
Quote:
Unreal! This just keeps getting more and more complicated. Its getting to the point with Xcart that only programmers and developers can install/upgrade and maintain it. I've spent countless hours over the last week weighing up the options of upgrading from v4.1.x to v4.5.x and so far what I've came up with is its going to cost a lot of time, money and stress to upgrade to v4.5.x only to find that your site runs 4 times slower than the old site because of all the code bloat in 4.5.x Then, after all of that you find out v5 is released! Its disheartning I'm telling you and has really made me seriously consider an alternative cart. There is just no reason a person should have to be a programmer to use a shopping cart software. I don't mind learning a program, but they keep changing the goal post. Well thats my rant, its been a long week, did make me feel a little better ranting tho I must say! |
Re: Install Xpayments on development site?
It's my understanding that an SSL certificate is required to run Xpayments.
Do I need to have this in place prior to installing Xpayments or can I wait? I only need the SSL cert. for my domain and not for Xpayments also, correct? Thanks. Deadline's a coming.... |
Re: Install Xpayments on development site?
@Photo - It is a bit confusing. Installing on a separate server or a separate hosting account on the same server would seem to be advisable and safest. I think it is implied that this only applies to a shared server. If you have a dedicated server, I think you might be able to install it using the options that you listed - but best to seek advise from QT.
It would be instructive to hear from people who paid QT for installation. If you are on a shared server, did they tell you it must be in a separate hosting account or server, or did they install in a sub-directory? That would tell you definitively if it is okay to do it that way. But from their X-Payments FAQ and from the post I referenced, I think it must be in a separate account or server. You should be able to have a separate account that uses a sub domain of your main domain, so the url will still be branded. I agree that X-Payments is a difficult installation - especially if you have to install the connector for previous versions. It might be worth it to pay QT or other developer. With experience - they should be able to do it more quickly and easily. @Ammoyer - if you install X-Payments under its own account or separate server, it will require its own SSL. It will be difficult to test it without the SSL installed. I am not sure why you would want to delay that part until later. --- |
Re: Install Xpayments on development site?
One thing to all of this - do not rely on QT to tell you what they think about this. Ask your bank. QT is not the one responsible or liable if your bank thinks you should have it on separate server and you don't, or vice versa. You are responsible. Your bank will not accept - well you know what QT told me this and that. QT has no authority to tell you what's right or wrong about this, QT can recommend, but your bank opinion is what matters.
|
Re: Install Xpayments on development site?
I am not a QSA and also not a merchant, so I might need to be corrected ...
I don't think QT is absolved of answering questions like this about the proper installation of the software, which they probably have included in their own certification process. I think they have spent a lot of money for PA-DSS certification and the >$1k X-Payments price includes the installation instructions approved by their own QSA. We must be able to depend on QT's installation instructions and their own PA-DSS certification. Aren't their installation instructions part of what has been certified? I think they answer the question in their X-Payments FAQ and in the post I referenced about installing on a separate server or hosting account on a shared server. Only if I wanted to not follow those directions would I think to get my own QSA approval and/or approval from the bank's compliance officer. Most compliance officers that I have dealt with, which is a very small sample, do not get into that kind of detail with the software that is on the PCI-DSS approved list on the PCI Security Standards website. (I don't think small businesses hire their own QSA - they rely on the PCI-DSS certification process of the vendor and self certification?) For software that is on the approved list on the PCI Security Standards website - all they seem to need to know is that we have properly installed it following the vendor's directions, so we can self-certify with SAQ-C. The vendor (QT) is the one that certified it, so they should be able to tell us the right way to install it and remain compliant with what their QSA certified. That is why it would be important for QT to have all these good questions answered in their installation instructions and FAQ, and not depend on each of us to get certification to that amount of detail. If you can tell the compliance officer that you are using PA-DSS certified software, demonstrate it is on the approved list, and that you have followed the vendor's installation instructions, that would seem to be enough. (You can find the X-Payments software on the web site approval list under Creative Development, LLC.) But the more assurance you have from that person in writing, the better off you are if there ever are issues. I've just not seen bank compliance officers, in my limited experience, who understand that level of detail and answer those kinds of questions. It is only when using something not clearly on the list, like DPM, that I've had to get the compliance officer more involved - to make sure they approve it for SAQ-A (can't use any other SAQ because it is not approved). If I wanted to deviate from the installation instructions, I would expect that would also require re-certification, or at least, some kind of approval. --- |
Re: Install Xpayments on development site?
The thing is I don't think this is up to the developer of the application to say if it needs to be installed on a separate server or not. Yes the developer have to provide you with installation instructions and make sure the application is certified, etc. but how the developer can control or require where the installation will be? It is up to the PCI-DSS requirements to state and control this.
http://forum.x-cart.com/showthread.php?t=63462&highlight=separate+server Like you said - I am not a QSA - same applies to QT. They can state their opinion or interpretation, as well as their SAQ opinion or interpretation but as we all read a lot on this forum their SAQ was giving them advices and requirements with which many here disagreed of the way they interpreted it. I still think that your bank is the one to say how you are compliant. It is another question if the compliance officer knows what all this means or not. They may approve you and later if there is a breach blame everything on you for not following the requirements even if they approve the compliance This is a very thin ice a lot of merchants walk on. And it is a very dark territory |
Re: Install Xpayments on development site?
I +1 to Steve's advice about "contact your bank/merchant account provider".
With regards to where to install X-Payments - a separate server or separate VPS hosting account is recommended but if your bank/merchant account/QSA approves using the same hosting space with your main cart - well, you have someone to point at after all. Technically X-Payments can be installed anywhere and you don't have to hire our techs to do that, btw. But with new X-Payments license ($1189) we include installation and configuration plus a free 1yr Instant SSL certificate so you get it live and running within days after purchase. I forgot at mention "1 month free support after installation". http://www.qtmsoft.com/xpayments.html |
Re: Install Xpayments on development site?
Thanks, Ambal. for confirmation that for people using shared hosting accounts, X-Payments should be installed under a separate hosting account or separate server .
Have you considered adding this recommendation to the on-line installation instructions and README that comes with the distribution? I did not see the separate server or hosting account advise from QT until April this year in the forum. I did not notice it in the FAQ until recently - but it may have been there all along. It is an important point - and it also could help increase the demand for you to make available hosting for X-Payments. It seems that it would be a good idea for you and/or other recommended hosting providers to set up a VPS or dedicated server with only accounts with X-Payments available. They could all default to be subdomains of a domain you acquire, for example, myusername.secure-x-payments.com. You could even offer the ability for people to set up cname or a-record at their own registrar to use secure.mydomain.com so they could keep their own URL branding. An individual could acquire this at a cost much less than their own dedicate or VPS account. I do agree with your frequent advise that small businesses seeking to keep their costs very low need to adapt to the PCI requirements perhaps by using hosted payment processing. But I do find many people trying to hang on to hosting their own payment page. Some do have your generously offered free X-Payments license from last year. And - if you come up with a hosted X-Payments solution that is much less expensive than getting their own VPS - it could become popular? For new people, the X-Payments cost is daunting - so maybe we will be lucky and your experience of providing a hosted X-Payments for the existing users can demonstrate that you can offer an entire X-Payments hosting package at a low enough cost. --- |
Re: Install Xpayments on development site?
> for confirmation that for people using shared hosting accounts,
I phrased myself badly. I didn't mean shared hosting. Separate VIRTUAL server/jail environment on a server is minimal requirement. With regards to X-Payments Hosted - this is what we are going to launch in near future. Just need to finalize something here to be able to announce it. |
Re: Install Xpayments on development site?
Thanks, Ambal -
The recommendations are a bit confusing. Below are the three statements from QT I have found to try and understand what is an installation requirement to adhere to based on your QSA review and PA-DSS approval, as well as what are recommendations by QT. Would it be possible for QT to make a clear statement in the installation instructions or at least in the FAQ?: Now in the FAQ: Quote:
In the forum, by Sergey Fomin in April Quote:
Quote:
If I combine all those, I take it to mean: - X-Payments may be installed on a dedicated server in the same directory structure as an X-cart instance - QT does not recommend installing X-Payments on a shared hosting server - On a VPS where an X-Cart instance is installed, X-Payments may be installed under a separate hosting account on the same VPS. A unique VPS only for X-Payments is not required in this instance. - If a host is willing to create X-Payments specific hosting - a VPS or dedicated server could be dedicated to accounts each running an X-Payments instance, and no other software. A unique VPS only for X-Payments is not required in this instance. If it were possible to put a clear direction in an official place like the Installation Instructions and README in the distribution, or a semi official place like the FAQ - it would help a lot to clear up confusion. Of course, you could add the disclaimer about checking with one's own QSA. It would be helpful to know the recommendations of your own QSA, or the installation conditions under which you were granted approval. --- |
Re: Install Xpayments on development site?
Bump - to questions in post 15.
Thanks. --- |
Re: Install Xpayments on development site?
gb2world, sorry for not answering earlier. I was busy with something else (e.g. organized separate forum for X-Payments). I am trying to get final advise on this from our PA-QSA. Once I have it, I'll post here.
|
Re: Install Xpayments on development site?
So finally got consulted on this:
1) A separate shared hosting account can be used for X-Payments if the hosting is 100% PCI-DSS certified. But it is not the best decision as meeting PCI compliance on a shared hosting is much harder and at the same time much easier to break. 2) VPS/dedicated server is the recommended option for hosting X-Payments as it is **much** easier to meet and maintain compliance with PCI-DSS requirements than on a shared hosting. Perhaps someone from hosting companies can step in here and comment. |
| All times are GMT -8. The time now is 12:43 AM. |
Powered by vBulletin Version 3.5.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.