X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   News and Announcements (https://forum.x-cart.com/forumdisplay.php?f=28)
-   -   Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements (https://forum.x-cart.com/showthread.php?t=63061)

seyfin 03-23-2012 07:35 AM

Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements
 
Hello X-Carters,

We would like to inform you about major changes in upcoming X-Cart v 4.4.6 (to be released very soon, in a week or so):

1) Due to PCI-DSS requirements being enforced over the last months, we have to remove all background (aka "onsite" or "merchant hosted") credit card processing methods from the core X-Cart package. See the list of removed methods below.

A merchant that needs such credit card payment methods has to use a PA-DSS validated application like our X-Payments or go with "offsite" or "gateway hosted" methods.

2) No credit card data will be stored in X-Cart anymore (due to PCI-DSS requirements again).

3) USPS shipping calculator module will be completely revised and updated to meet the latest USPS APIs requirements.

4) Two new built-in skins.

You are welcome to ask any questions.

List of the credit card processing methods removed from X-Cart since the v4.4.6 release:

* ANZ eGate - Merchant-Hosted (cc_anz_mh.php)
* AuthorizeNet - AIM (cc_authorizenet.php)
* Bean Stream (cc_bean.php)
* BluePay (cc_blue.php)
* Caledon (cc_caledon.php)
* CyberSource - SOAP Toolkit API (cc_csrc_soap.php)
* DIBS (cc_ideb.php)
* DirectOne - Direct Interface (cc_directone.php)
* ECHOnline (cc_echo.php)
* ePDQ - MPI XML (cc_epdq_xml.php)
* eProcessingNetwork - Transparent Database Engine (cc_eproc.php)
* eSec - Direct (cc_esec.php)
* eSec - ReDirect (cc_esecd.php)
* eSelect Plus - Direct Post (cc_eselect.php)
* eWAY Merchant Hosted Payment (cc_eway.php)
* First Data Global Gateway - LinkPoint (cc_linkpoint.php)
* GoEmerchant - EZ Payment Gateway Direct (cc_goem.php)
* GoEmerchant - XML Gateway API (cc_goem_xml.php)
* HeidelPay (cc_heidel.php)
* HSBC - XML API integration (cc_hsbc_xml.php)
* Innovative E-Commerce (cc_innec.php)
* iTransact (Process USA) - XML scheme (cc_processusa.php)
* Netbilling gateway - Direct (cc_netbilling.php)
* NetRegistry e-commerce (cc_nrecom.php)
* Ogone - Direct (cc_ogone.php)
* PayFlow - Pro (cc_payflow_pro.php)
* PayPal WPP Direct Payment (ps_paypal_pro_us.php and ps_paypal_pro_uk.php)
* PlugnPay - Remote Auth method (cc_plugnpaycom.php)
* PSiGate - XML Direct (cc_psigate_xml.php)
* RBS WorldPay - Global Gateway (cc_bibit.php)
* Sage Pay Go - Direct protocol (cc_protxdir.php)
* SecurePay - Non-Recurring Interface (cc_securepay.php)
* SkipJack (cc_skipjack.php)
* USA ePay (cc_usaepay.php)
* Virtual Merchant - Merchant Provided Form (cc_virtualmerchant.php)

============================================
FAQs (covering the major questions asked in this forum thread)
============================================

===
Q1:

If a store is not storing credit card information, why must it lose the ability to use Authorize.net AIM?

A1:

X-Cart is not a PA-DSS verified application, unfortunately. So, in order to handle, process and transmit cardholder data THROUGH your cart (which X-Cart's Authorize.Net AIM payment module does), you need to use another PA-DSS verified software, even if you are not storing the CC info. Or you can still use Authorize.Net AIM in the following cases:

* via a PA-DSS verified application like X-Payments on top of X-Cart.
NOTE: The web-server environment which hosts X-Payments should be PCI-DSS compatible (you should ensure the hosting provider is PCI-DSS compatible).

* via PCI-DSS certified payment system like CRE Secure's Hosted Payment Page, thus outsourcing all cardholder data functions to third-party.

===
Q2:

I've got several sites that use AIM. What am I supposed to do now that all payment processor modules are being removed from X-Cart?

How do I upgrade them and still use authorize.net?

A2:

You can upgrade to 4.4.6, and use one of the possible solutions:

* Authorize.Net AIM via a PA-DSS verified application like X-Payments.
NOTE: The environment which hosts X-Payments should be PCI-DSS compatible.

* CRE Secure's Hosted Payment Page solution (PCI-DSS certified payment system), which supports such payment gateways as Chase Paymentech, Authorize.net, PayPal Payflow PRO, PayPal Website Payments PRO, eProcessing Network, PayLeap, SkipJack, USAePay, FirstData.

* Authorize.Net SIM integrated into X-Cart.

===
Q3:

Does Qualiteam have any plans to release Authorize.Net DPM solution for X-Cart?

A3:

We are considering this option at the moment, but have not made a decision yet.

One of the reasons is that different QSAs consider solutions like DPM differently, and it is not clear enough whether a merchant using X-Cart + Auth.net DPM solution would need to complete:

* SAQ A - addressing requirements applicable to merchants who retain only paper reports or receipts with cardholder data, do not store cardholder data in electronic format and do not process or transmit any cardholder data on their systems or premises.

- OR -

* SAQ C - addressing requirements applicable to merchants who process cardholder data via payment applications connected to the Internet, but who do not store cardholder data on any computer system.

We would recommend consulting your QSA or merchant account provider directly regarding the matter.

NOTE: SAQ C, in contrast to SAQ A, requires merchants to use Payment Applications validated according to PABP/PA-DSS.

===
Q4:

Is X-Payments a PA-DSS validated payment application? And what about X-Cart?

A4:

X-Payments is a PA-DSS validated payment application, but X-Cart is not.

So, in order to meet PCI-DSS merchants should:

1) Outsource all cardholder data processing from X-Cart to an external PCI-DSS compatible system, for example:

* "offsite" or "gateway hosted" payment solutions like Authorize.Net SIM, 2Checkout, PayPal, Checkout by Amazon, SagePay Go (Form integration), etc.
* CRE Secure's Hosted Payment Page PCI-DSS certified payment system
* PCI-DSS compatible hosting + X-Payments PA-DSS validated payment application

= OR =

2) Have their X-Cart application validated according to PA-DSS + have the X-Cart's hosting to be PCI-DSS compatible.

In fact, having the X-Cart software PA-DSS certified and validated is much more expensive than the price of X-Payments. Please also note that one X-Payments license allows you to connect up to 10 online stores.

===
Q5:

How many online stores can an X-Payments installation be connected to?

A5:

One X-Payments license/installation can be connected to up to 10 online stores.

====
To be continued...

totaltec 03-23-2012 08:10 AM

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements
 
Wow. The PCI Compliance issue is heating up. Sergey, do you have any links or information about your comment that PCI compliance is now being "enforced"?
Thanks for keeping us informed.

seyfin 03-23-2012 08:48 AM

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements
 
> The PCI Compliance issue is heating up. Sergey, do have any
> links or information about you comment that PCI compliance
> is now being "enforced"?

http://usa.visa.com/download/merchants/payment_application_security_mandates_regions.pdf

Quote:

Phase 1: Newly boarded merchants that use payment application software must use PA-DSS compliant applications or be PCI-DSS compliant. Effective date 7/1/2010
Phase 2: Acquirers must ensure that merchants and agents use PA-DSS compliant payment applications. Effective date 7/1/2012


cflsystems 03-23-2012 08:48 AM

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements
 
This is a major change. Hopefully it will not break anything in XC when 4.4.6 is released. Just a suggestion:

Include a big red text across the screen upon install or upgrade to 4.4.6 that will warn about these changes even if you have to make it with an "agree" checkbox so no one can miss it. Don't count on XC users to read the change log or the forum.

Of course make it look nice and presentable :)

I know some will find it annoying (me too at some point) but better safe than sorry

balinor 03-23-2012 10:01 AM

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements
 
It is indeed being enforced - I have had a number of people come to us who were being penalized $100+/month for non-compliance - and that is just the beginning. If you happen to get hacked and aren't compliant, you are in for a huge amount of liability.

Glad Qualiteam is finally taking this matter seriously and not just throwing X-Payments at it. People need to stop storing CC info and using non-compliant carts - it is for the benefit of everyone.

Don't try to lie on your SAQ either, that's an even worse penalty :)

gb2world 03-23-2012 11:11 AM

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements
 
Hello Sergey -

I have an x-cart instance that uses Authorize.net AIM + DPM which has been approved by a compliance officer at the bank being used. Is there any way for you to investigate Authorize.net AIM + DPM and allow it as a method in 4.4.6 if it meets requirements? It seems that you could get an independent opinion from your auditor about the viability of this method and include it or not.

---

seyfin 03-23-2012 10:07 PM

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements
 
Quote:

Originally Posted by gb2world
Hello Sergey -

I have an x-cart instance that uses Authorize.net AIM + DPM which has been approved by a compliance officer at the bank being used. Is there any way for you to investigate Authorize.net AIM + DPM and allow it as a method in 4.4.6 if it meets requirements? It seems that you could get an independent opinion from your auditor about the viability of this method and include it or not.

---


Dear Gabriel,

Actually, Advanced Integration Method (AIM) and Direct Post Method (DPM) are two different solutions. Please do not mix up these terms.

Authorize.Net Direct Post Method (DPM) is considered to be a solution that helps you be PCI compliant, as all Credit Card handling is done directly through Authorize.net, and no Credit Card data is handled/stored/processed on the merchant (X-Cart) server.

Please check the links below to learn how the AIM and DPM solutions work:

* http://developer.authorize.net/api/howitworks/dpm
* http://developer.authorize.net/api/howitworks/aim

gb2world 03-24-2012 01:37 PM

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements
 
Thanks Sergey. DPM and AIM seem to have enough commonality in their set up that when BCSE built their module to support DPM, they appear to have added it to the existing X-CART AIM module set up. We'll have to ask them the impact on their DPM mod with your removal of the support for the existing AIM module.

Is there any plan at QT for future support of Authorize.net DPM and/or any other gateways who have a similar transparent redirect method, or will you be leaving that space to the 3rd party developers, and offer only x-payments for customers who require the payment page to remain at the shop's url?

---

ynotcreative 03-26-2012 03:30 AM

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements
 
I am sorry, but I don't get this. If a store is not storing credit card information, why must it lose the ability to use Authorizenet AIM? I can understand the denying of use to those storing for subscription payments or the like, but one-off transactions having to now use your $1000 x-payments is beyond possible for small stores. The other option, using a butt-ugly payment processor like PayPal, which charges a lot per transaction, does not offer any better solution.

Please tell me I am missing a better solution here.

balinor 03-26-2012 05:33 AM

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements
 
Quote:

If a store is not storing credit card information, why must it lose the ability to use Authorizenet AIM?

Because X-Cart is not PA-DSS compliant - and as of last year you need to use a PA-DSS certified cart in order to process transactions THROUGH your cart (which AIM does) even if you are not storing the CC info. You can still use AIM, you just need to use X-Payments on top of X-Cart.

