X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   News and Announcements (https://forum.x-cart.com/forumdisplay.php?f=28)
-   -   X-Cart and PCI DSS / PA-DSS compliance (https://forum.x-cart.com/showthread.php?t=46073)

xplorer 04-01-2009 11:32 PM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Hi guys!

If the changes to X-Cart 4.0 are not very complex, we will release a patch for it as well. Most likely it will be so.

I will let you know when I have more details on the architecture of the payment module.

Thanks!

mfb 04-03-2009 09:38 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by xplorer
Hi guys!

If the changes to X-Cart 4.0 are not very complex, we will release a patch for it as well. Most likely it will be so.

I will let you know when I have more details on the architecture of the payment module.

Thanks!

Just joining the conversation now, but do you really mean 4.0 or 4.x? Seems like it should be 4.x to me.

Thanks

balinor 04-03-2009 09:40 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
This question was specific to 4.0, but if you look at the top of this thread you'll see it mentions the other 4.x branches.

necroflux 05-10-2009 03:21 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Mr. Petrov, I applaud you for listening to your users and making the decision to give us 4.x'ers a simple, cost-effective upgrade path into PA-DSS compliance without having to recreate the entire site with v.5. Thanks!

I assume Authorize.net will be supported in this upcoming module?

mfb 05-10-2009 07:39 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by necroflux
Mr. Petrov, I applaud you for listening to your users and making the decision to give us 4.x'ers a simple, cost-effective upgrade path into PA-DSS compliance without having to recreate the entire site with v.5. Thanks!

I assume Authorize.net will be supported in this upcoming module?

I would assume so, as well. I don't know the popularity of other modules, but I believe authorize.net is one of the top ones.

MattAustin 05-18-2009 01:24 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
I have just found this thread and I am very confused. Is there a simple way of defining who this applies to?

xplorer 05-18-2009 05:08 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Quote:

Originally Posted by mfb
I would assume so, as well. I don't know the popularity of other modules, but I believe authorize.net is one of the top ones.


Yes, Authorize.Net is one of the popular payment systems and it is in the list.

Quote:

Originally Posted by MattAustin
I have just found this thread and I am very confused. Is there a simple way of defining who this applies to?


As far as I know, if your website neither stores nor collects credit card numbers, it is not subject to PCI DSS rules. Since it depends on the payment gateway and the integration method you use, please clarify this point with your payment services provider.

markvo 05-30-2009 08:16 PM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
I have gotten mixed messages from the credit card industry about how your cart will be treated if it "neither stores nor collects credit card information". My sense is that different merchant service providers are trying to figure this out too.

The answer I've been given that made the most sense to me is based on the intent of the whole PCI/PA-DSS compliance thrust. The idea is to identify holes in the credit card processing system where ill-intentioned people can gain access to someone else's credit card information and then close the holes. The self-assessment questionnaire is most effective as a way to make site owners aware of the issues. It doesn't provide any real protection. The way a merchant service provider will know whether the merchant's site doesn't store credit cards is by audit (admittedly the current process is still pretty leaky). I believe most merchant service providers will require the software audit now (or in the near future) as the industry internalizes PCI-DSS compliance.

The only loophole I could imagine post-July 2010 is that if your site passes PCI-DSS compliance and the audit validates you never see or store credit card information you might be able to avoid the PA-DSS compliance. We'll see what tomorrow brings.

TA 06-01-2009 07:48 AM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
Besides not storing credit card info in your database, you may also run into issues if you process the information on-site. If a purchase takes the customer off-site for processing, you should be okay.

markvo 06-01-2009 09:23 PM

Re: X-Cart and PCI-DSS / PA-DSS compliance
 
I agree that you should be okay if you allow all the credit card info to be handled by your merchant service provider and your shopping cart never sees this information. However, I believe it is the case that cart owners will need to prove this to their merchant service provider. Based on less than rock solid definitiveness, my sense is that ultimately each cart will need to pass the software audit in addition to the self assessment questionnaire. If your volume is high enough you will also need to pass the on-site audit.

There are 2 main benefits of allowing the merchant service provider to handle the entire credit card info trail. We avoid the devastating cost of lost credit card information and, if we're lucky, we might avoid the PA-DSS compliance requirement...TBD

Mark

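The posts above turn on one question: does the cart ever see, log or store a card number? Before claiming to a merchant service provider that it does not, a store owner should look for themselves. The following is an added example, not X-Cart's own code and not something from this thread: a small scanner that walks over exported log or database text, pulls out digit runs of card-number length (spaces and dashes allowed, as people often type them), keeps only those that pass the Luhn check that real card numbers satisfy, and reports them masked so the report itself does not become a new copy of the data. The sample log lines are constructed for the example; the card numbers in them are standard test numbers, not real accounts.

```python
import re

# Constructed sample: the kind of application log or table dump an X-Cart
# shop owner might export. Lines 2 and 3 contain well-known *test* card
# numbers (never live accounts); the order and tracking numbers are made up
# and are of card-like length, so they show why a Luhn check is needed.
SAMPLE_LOG = """\
2009-05-30 21:30:01 order=2009053000018 status=paid gateway=authorize.net
2009-05-30 21:30:02 DEBUG card=4111111111111111 exp=12/11
2009-05-30 21:30:03 DEBUG card=4242 4242 4242 4242 exp=01/12
2009-05-30 21:31:00 tracking=1234567890123456 carrier=ups
2009-05-30 21:31:05 token=9f3c1a order=2009053000019 status=shipped
"""

# 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"(?:\d[ -]?){12,18}\d")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first 6 and last 4 digits (the usual masked form), star the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_for_pans(text: str) -> list:
    """Scan text line by line; return masked hits for Luhn-valid card-length runs.

    Each hit is {"line": <1-based line number>, "masked": <masked PAN>}.
    Order numbers, tracking numbers and timestamps of similar length are
    dropped unless they happen to pass Luhn, which keeps the noise down.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append({"line": line_no, "masked": mask_pan(digits)})
    return hits


if __name__ == "__main__":
    # Usage on a real export: scan_for_pans(open("cart_export.log").read())
    for hit in scan_for_pans(SAMPLE_LOG):
        print(f"line {hit['line']}: possible card number {hit['masked']}")
```

On the constructed sample this flags only lines 2 and 3; the order and tracking numbers fail Luhn and are ignored. Finding any hit in a cart's logs or tables means the "neither stores nor collects" claim does not hold, and that the logging or storage path needs to be removed rather than the log rotated. A clean scan is not proof on its own, since a cart that forwards card data in memory still "collects" it, but it is the quickest way to catch the accidental debug line or leftover column that auditors go looking for.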
