X-Cart: shopping cart software

X-Cart and PCI DSS / PA-DSS compliance (https://forum.x-cart.com/showthread.php?t=46073)

geckoday 01-09-2010 07:14 AM

Re: Summary So Far: X-Cart & PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by Jarron
For customers who wish to avoid entering their credit card details on every transaction: I doubt it but I'll ask: Is it possible to simultaneously:
  • Avoid login to a 3rd party gateway (that stores the customer's credit card details instead of me) at checkout; and
  • Store the customer's credit card details for convenience at checkout; and
  • The clincher, avoid a Compliance Audit and all the hassle that goes with it?


This is possible with some gateways. Again, USAePay and Network Merchants both will allow this. Both support a customer database/vault that can have card numbers stored as part of the checkout process. As I mentioned before, the payment form can be served from your server and post to the gateway servers taking your server out of scope for PCI compliance. Both gateways will allow you to add a "save this card for future use" checkbox to the payment form. Both gateways have a reporting/query API that allows you to find out what cards a customer has stored, the card type (VISA, MC, etc.) and the last 4 digits of the card number so you can present that to the customer to choose from. Both allow you to submit transactions using a token identifying the payment method instead of a credit card number.

The downside is that most gateways charge an extra monthly fee and per transaction charges for using their customer database/vault. I haven't priced USAePay but Network Merchants typically runs $10/month and $0.05 or $0.06 per vault transaction.
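
The flow described in the post above, as an added example (not part of the original post and not any gateway's actual API): a merchant-side check that what comes back from the gateway is only a vault token, card type and last four digits, and that nothing resembling a full card number ever lands on the merchant's server. The field names and token format are assumptions.

```python
import re

# Field names are hypothetical; each real gateway defines its own return format.
REQUIRED = {"vault_token", "card_type", "last4"}
ALLOWED = REQUIRED | {"order_id", "save_card"}
PAN_CANDIDATE = re.compile(r"(?:\d[ -]?){13,19}")  # 13-19 digits, optional separators

def luhn_valid(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def contains_pan(value):
    """True if the value holds a Luhn-valid 13-19 digit sequence."""
    for m in PAN_CANDIDATE.finditer(value):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            return True
    return False

def accept_gateway_return(params):
    """Keep only token metadata; refuse anything that puts card data in scope."""
    if set(params) - ALLOWED or REQUIRED - set(params):
        raise ValueError("unexpected or missing fields in gateway return")
    for name, value in params.items():
        if contains_pan(str(value)):
            raise ValueError(f"card number reached the merchant server in {name!r}")
    if not re.fullmatch(r"\d{4}", str(params["last4"])):
        raise ValueError("last4 must be exactly four digits")
    return {k: params[k] for k in sorted(REQUIRED)}

def saved_card_choices(records):
    """Labels for the 'choose a saved card' list shown at checkout."""
    return [(r["vault_token"], f"{r['card_type']} ending in {r['last4']}") for r in records]

if __name__ == "__main__":
    # Constructed sample return; the token value is made up.
    sample = {"order_id": "10452", "vault_token": "tok_example_a1b2",
              "card_type": "VISA", "last4": "1111", "save_card": "1"}
    print(saved_card_choices([accept_gateway_return(sample)]))
```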

cflsystems 01-09-2010 07:54 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Hi Ralph, if you don't mind me asking this (also hope it is part of the thread scope): I use Quantum Gateway and they have this http://www.quantumgateway.com/developer.php (look at the Integration APIs/In Line Frame APIs), this is the documentation - http://www.quantumgateway.com/files/ILF_API.pdf. Is this what you are talking about? In your experience, how customizable is this - will it look on the site as it is not part of the site (talking about position of elements, organization....)? I got a quote from QT for integration and just want to know if it's worth paying them to write the module.

kulture 01-11-2010 02:52 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
The real question is can a merchant who is SAQ C (which I suspect is the vast majority here) continue to use older versions of xcart or any version of Litecommerce, and if so under what circumstances (third party gateway, off site processing or direct on site processing)?

kulture 01-12-2010 12:56 PM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
I guess that this company can solve the PCI problem for xcart users in the USA

http://www.cresecure.com/

koz 01-12-2010 01:30 PM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by kulture
I guess that this company can solve the PCI problem for xcart users in the USA

http://www.cresecure.com/



This is something I'd definitely consider for my stores... assuming that I'm able to keep the one page checkout and it doesn't interfere too much with the checkout process.

kulture 01-12-2010 03:13 PM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Well, they have not developed it yet! They say "coming soon" but I note that xcart is at the top of their list.

Duramax 6.6L 01-12-2010 05:01 PM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by kulture
I guess that this company can solve the PCI problem for xcart users in the USA

http://www.cresecure.com/


Isn't this what x-payments is going to do, basically?

Hope it is ready soon.

xplorer 01-12-2010 09:19 PM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by kulture
I guess that this company can solve the PCI problem for xcart users in the USA

http://www.cresecure.com/


It is almost the same as what X-Payments does:
http://www.cresecure.com/pages.php?CDpath=4

The only difference is that with X-Payments the payment form is on a merchant's website, not on our servers

Asiaplay 01-12-2010 10:21 PM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by xplorer
It is almost the same as what X-Payments does:
http://www.cresecure.com/pages.php?CDpath=4

The only difference is that with X-Payments the payment form is on a merchant's website, not on our servers


Hi Xplorer,

I am wondering if you have a list of payment gateways that x-payments will work for, allowing for integration of a one page checkout?
e.g. will worldpay or asiapay etc. allow for a one page checkout on the merchant's server, using x-payments?

Which payment gateways will x-payment actually work for?

Thanks again, Asiaplay

geckoday 01-13-2010 06:47 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by cflsystems
Hi Ralph, if you don't mind me asking this (also hope it is part of the thread scope): I use Quantum Gateway and they have this http://www.quantumgateway.com/developer.php (look at the Integration APIs/In Line Frame APIs), this is the documentation - http://www.quantumgateway.com/files/ILF_API.pdf. Is this what you are talking about? In your experience, how customizable is this - will it look on the site as it is not part of the site (talking about position of elements, organization....)? I got a quote from QT for integration and just want to know if it's worth paying them to write the module.


This is similar to what I am doing but not the same. Instead of hosting the payment page on your server like I do with this solution, Quantum hosts the payment page but it is loaded in an iframe on your checkout page. This can be done with most gateway hosted payment pages but Quantum has developed a specific API for doing it this way. They've added some better security over the typical hosted page and a session keep-alive to prevent timeouts during checkout. I don't have a Quantum account to play with to fully understand how integrated it can look but it sounds like it should end up pretty transparent. As long as the Quantum page can be stripped down to just the entry fields for the card information the iframe will look just like any other part of your page. I'd ask Quantum for a demo site or another customer's site to look at before you pony up for it.

I find hosting the payment form on my server and posting to the gateway cleaner. The iframe approach adds some overhead and some people have an aversion to iframing things on a page.

