X-Cart and PCI DSS / PA-DSS compliance
 

Hi folks,

I know that PCI DSS compliance is very important for many X-Cart users, so, I would like to announce our plans towards making X-Cart stores PCI-DSS compliant:

1. We release X-Cart 4.3
2. We develop a payment module for X-Cart 4.3 and X-Cart 5.0 and verify it by a PA-QSA; probably, the source code of the module will be encrypted with Zend/ionCube
3. X-Cart users disable its credit card processing functions (so, X-Cart becomes not a subject for PCI DSS) and install the PA-DSS verified payment module that handles all the credit card stuff; we will distribute the module among existing X-Cart users for free
4. The payment module will be implemented in such a way that allows its use with X-Cart 4.1.x and 4.2.x (with moderate customization of X-Cart source code).
5. Third-parties developing integration modules for payment gateways, not supported by the verified payment module out of the box, will have to complete a PA-DSS audit themselves (that costs dozens of thousands USD annually) if the chosen gateway integration method is a subject for PCI DSS rules.

Best regards,

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

How much of that section will be encrypted? We're in the process of writing an eBillMe (BillMeLater cousin) module into our cart to start accepting that form of payment. We also already have extensive modifications done to payment_cc and payment_ccend to have hooks into our system.

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

Very good news. Thanks for responding so quickly to this issue.

I vote for no Zend/Ioncube encryption. I bought X-Cart because I get 100% of the source and don't have to run encoded programs. Several years ago ionCube had incompatibilities with Zend and took many sites down that used encoding (other software, not X-Cart). I don't need those kind of headaches. I also need to be able to use the X-Cart code as a base if I choose to use a gateway not supported by X-Cart - that's part of the faster development leverage you get when you buy a product that gives you source code.

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

I agree 100% with this, last thing I want is to have to throw out all the code we've been working on to integrate eBillMe for our next refit

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

Good news here....

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

Because there's certificate involved in exactly how the process works, I'm sure SOME of it would have to be encoded just so that actions by users wouldn't circumvent the certification itself. The purpose of the certification is so that they can verify that it's secure and whatever, if it's opensource and anyone can access the code and modify it, then essentially EACH OF US would need to get re-certified that the process is still doing what it was originally designed to do.

At least, that's what I would think anyway?

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

How nice. Now how about doing the same for Litecommerce. It is modular after all and so it should be possible.

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

Well as long as they do it that way I'm fine but if it hinders my ability to implement new payment methods (e.g. I shouldn't have to pay qualiteam to do it when our IT staff is more than capable of writing the code) then I will have a problem with it.

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

Will this be in addition to, or instead of making X-Cart 5.0 PA-DSS certified?

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

The intent of PA-DSS is to facilitate/allow PCI-DSS compliance by merchants not to force/enforce it. Therefore PA-DSS does not require encoding the software so it can't be modified. PA-DSS only requires the vendor to develop their software in a PCI-DSS compliant manner. Any modifications would be custom development for that one merhcant and as such those modifications would not be subject to PA-DSS. Custom developed payment applications fall under the merchants PCI-DSS assessment. For most of us smaller merchants that means we would need to attest in our self assessment questionnaire that we followed PCI-DSS guidelines in developing our modifications and no outside verification would be required. That's the same thing that PA-DSS is doing for vendors - making sure they follow PCI-DSS guidelines in developing their software. PA-DSS requires that vendors get outside certification because their application will be used by many merchants and magnifies the impact of insecure development.

Another example of how PA-DSS only facilitates compliance and does not mean that a vendor must prevent you from shooting yourself in the foot and implementing their software in a non-PCI-DSS compliant manner. PA-DSS only requires that the vendors software *can* be implemented to be PCI-DSS compliant and the vendor has documented for the user how to implement it securely. IOW, its ok for the application to have the an option to store CVV numbers. But the documentation with the application has to tell the user that option must be turned off to be PCI-DSS compliant.

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

Thanks for the clear up on that Ralph. It'll be interesting to see how things turn out over the next few months. Any of the PCI Compliant software that we are running currently is all encoded once the merchant stuff takes over, which is why I assumed that things would need to be encoded also.

We'll wait and see what transpires here with X-Cart.

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

sooo, how does this match up to the thread on 4.3 http://forum.x-cart.com/showthread.php?t=45398 where it lists the payment processors that will not be supported by 4.3?

is that approach now obsolete? replaced by the new payment module?

we were using vaultx - aka globalpoint aka paycorp, in Australia, for all our xcarts and credit card processing.

does that mean we can grab the existing code from 4.1.8 for vaultx and somehow link it to the new payment module?

or is it something that xcart can be asked to do?

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

This doesn't affect payment gateways per-se, just x-cart's core cc processing logic.

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

Is there a list of payment gateways that will be supported by v5.0 anywhere? I've looked but can't find any.

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

I think Qualiteam is still making that decision.

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

I realize they can't have a "final" list of what payment processors will be supported, but as it stands right now, there are none. I would just like to know if there are any that will definitely be supported so I can make a decision as to what processor to go with now and not have to change later.

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

Just out of interest what is going to happen with older versions of x-cart i.e 4.0.x branch? is it going to be a case of if we want to be complaint then we will have no option but to upgrade (at a huge cost in the thousands because of all modifications) or is there going to be some way to have x-cart do customisations to make older branches compliant??

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

No, the message at the top of the thread says it will be a payment module compatible with 4.0.x. This is what we were pushing for, and it seems they will be accommodating us instead of making everyone upgrade to v5.

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

I couldn't see a mention of 4.0.x , only 4.1 onwards

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

Perhaps they could clarify, I was under the impression it would be for 4.0 as well.

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

Hi guys!

If the changes to X-Cart 4.0 are not very complex, we will release a patch for it as well. Most likely it will be so.

I will let you know when have more details on the architecture of the payment module.

Thanks!

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

Just joining the conversation now, but do you really mean 4.0 or 4.x? Seems like it should be 4.x to me

Thanks

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

This question was specific to 4.0, but if you look at the top of this thread you'll see it mentions the other 4.x branches.

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

Mr. Petrov, I applaud you for listening to your users and making the decision to give us 4.x'ers a simple, cost-effective upgrade path into PA-DSS compliance without having to recreate the entire site with v.5. Thanks!

I assume Authorize.net will be supported in this upcoming module?

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

I would assume so, as well. I don't know the popularity of other modules, but I believe authorize.net is one of the top ones.

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

I have just found this thread and I am very confused. Is there a simple way of defining who this applies to?

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

Yes, Authorize.Net is one of the popular payment systems and it is in the list.


As far as I know if your website neither stores nor collects credit card numbers, it is not a subject for PCI DSS rules. Since it depends on the payment gateway and the integration method you use, please clarify this point with your payment services provider.

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

I have gotten mixed messages from the credit card industry about how your cart will be treated if it "neither stores nor collects credit card information". My sense is that different merchant service providers are trying to figure this out too.

The answer I've been given that made the most sense to me is based on the intent of the whole PCI/PA-DSS compliance thrust. The idea is to identify holes in the credit card processing system where ill intentioned people can gain access to someone else's credit card information and then close the holes. The self-assessment questionnaire is most effective as a way to make site owners aware of the issues. It doesn't provide any real protection. The way a merchant service provider will know whether the the merchant's site doesn't store credit cards is by audit (admittedly the current process is still pretty leaky.) I believe most merchant service providers will require the software audit now (or in the near future) as the industry internalizes PCI-DSS compliance.

The only loophole I could imagine post-July 2010 is that if your site passes PCI-DSS compliance and the audit validates you never see or store credit card information you might be able to avoid the PA-DSS compliance. We'll see what tomorrow brings.

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

I agree that you should be okay if you allow all the credit card info to be handled by your merchant service provider and your shopping cart never sees this information. However, I believe it is the case that cart owners will need to prove this to their merchant service provider. Based on less than rock solid definitiveness, my sense is that ultimately each cart will need to pass the software audit in addition to the self assessment questionnaire. If your volume is high enough you will also need to pass the on-site audit.

There are 2 main benefits of allowing the merchant service provider to handle the entire credit card info trail. We avoid the devastating cost of lost credit card information and, if we're lucky, we might avoid the PA-DSS compliance requirement...TBD

Mark

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

We have been looking into this and what it appears like to me is that all versions of x-cart are not and can not be PCI-DSS compliant. The reason for this is that in x-cart you have the option to store credit card information, and this is a BIG no-no. Even if there is a "upgrade patch" it can be circumvented so that credit card information can still be stored.

For this reason, version 5 must not have the option to store credit card information and be developed in such a way that it never can store credit card information in order to be PCI-DSS compliant.

X-cart absolutely needs to make a "database upgrade patch" that works 100% correctly 100% of the time to convert older carts to version 5. Most people can handle re-designing their site if need be, but retaining their data is of the utmost importance.

Am I wrong about this?

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

Partly, according to my interpretation.

As far as I can tell, you can store credit card number and expiration date, but the three or four digit code (CVV2/CVC) code cannot be stored. But, this data must be encrypted where it is stored.

You can be secure and NOT pass PCI-DSS or insecure and pass it.

See https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf (Warning: PDF), Myth #9

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

Yes, you are wrong about this. There is nothing in PCI-DSS or PA-DSS that prohibits the storage of credit card numbers. The PCI-DSS Requirements and Security Assessment Procedures document on page 4 has a table of what is acceptable to store and the requirements for storing it (e.g. encryption). Credit card number, cardholder name, and expiration date are listed as allowable to be stored with protection such as encryption. Even if it didn't allow storage, a system can be configurable as long as its configured to meet PCI-DSS requirements. For example, system can have configuration that allows it to store CVV codes (which is a BIG no-no). But as long as it is configured so that it doesn't all is OK with PCI-DSS.

Another thing to note is that PCI-DSS compliance is nothing that X-Cart can do - it is the merchant that must be PCI-DSS compliant as it includes many things with respect to the merchant environment such as anti-virus software, firewalls, etc. What Qualiteam can and is doing is splitting out the payment part of X-Cart and getting it certified as PA-DSS compliant. What PA-DSS compliance means is that it has passed testing showing that it can be implemented in a PCI-DSS compliant manner and includes instructions for the merchant to implement it in a PCI-DSS compliant manner. Its still up to the merchant to implement it properly. Qualiteam has said they will port the modified PA-DSS compliant payment module they are developing for version 5 back to the version 4 releases.

Although storing credit card numbers is allowed by PCI-DSS, I wouldn't recommend that small merchants do so. In fact, even the big boys are trying to eliminate the storage of credit card numbers. The PCI-DSS compliance hurdles needed for credit card number storage are just way too much for a small merchant and the liability in the event of a breach too great.

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

What I was trying to say is that because x-cart "can be" configured to store CVV codes as well as other credit card information it doesn't pass.

Stone Edge Order Manager doesn't pass for the same reason,

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

I understood that and its still wrong. Whether or not X-cart or Stone Edge can be configured to store anything has no bearing on passing PA-DSS or PCI-DSS. The fact that it can be configured not to store sensitive data and that the merchant configures it that way meets PA-DSS and PCI-DSS requirements.

PA-DSS only says that when implemented following the vendors documented PCI-DSS compliant configuration it can't store CVV codes. It doesn't say a thing about what can or can't be stored if you don't use the vendors documented configuration.

PCI-DSS only says the merchant can't store the CVV. It says nothing about the capability of the software the merchant is using to store it if one chooses to configure it that way. You just can't configure it that way and be compliant.

BTW, CVV is the only piece of data that X-Cart deals with that can't be stored under PA-DSS and PCI-DSS requirements. For Stone Edge it would be CVV and the mag stripe track data that can't be stored. Card number, expiration date and cardholder name are all acceptable to store as long as they are properly encrypted.

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

I don't mean to be obtuse here but going by what you say I take it to mean that all a shopping cart vendor has to do is be able to configure their cart to not process or save any credit card information to be in PCI-DSS / PA-DSS compliance. What the buyer of the shopping cart software does after that shouldn't affect the software vendor's compliance, only the software buyer's compliance. Since x-cart does that now, why isn't it compliant?

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

Well, sort of.

There are really three different compliance issues we are talking about:

1. PA-DSS compliance
2. VISA PA-DSS mandate compliance
3. PCI-DSS compliance

X-Cart is not required to be compliant with anything if it is not used as the payment application - i.e. if it doesn't store, process or transmit credit card numbers. So if it is configured to use Authorize.Net SIM, Paypal Payflow Link or other gateway where the credit card numbers go directly from the customer browser to the gateway then there is no need for it to be compliant with PA-DSS, your web server doesn't have to be configured to be PCI-DSS compliant and you will be exempt from the VISA PA-DSS mandate since you won't be using a vendor supplied payment application. So although its not compliant with PA-DSS it can be used without violating PCI-DSS standards or the VISA PA-DSS mandate.

But this is not how most people use X-Cart and other shopping cart software. Most people want a more integrated checkout process where there is no jump out to a form on a payment gateway web site and then back to their site. So they are using Authorize.Net AIM, Paypal Payflow Pro or another gateway API where the credit card number is sent to the X-Cart software which behind the scenes sends it along to the payment gateway. When you configure X-Cart this way it becomes your payment application and now compliance is required on all three fronts. This requires X-Cart to be PA-DSS compliant, you must configure X-Cart according to whatever configuration standards Qualiteam documents as part of their PA-DSS certification and your web server must be configured to be PCI-DSS compliant. This will make you compliant with the VISA PA-DSS mandate.

This is why PA-DSS compliance is an issue for a majority of X-Cart users. Essentially, PA-DSS certification ensures the software:

• Includes features required for PCI-DSS compliance, like encrypting credit card numbers using a strong encryption algorithm with good key management, logging access to payment data, etc.
• Won't prevent you from configuring your server environment in a PCI-DSS compliant manner such as requiring all users to log on as root or administrator.
• Includes documentation on how the merchant must configure the software for PCI-DSS compliance.

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

What's the current status on the PA-DSS certified Authorize.net AIM payment module? Do you think it will be ready soon? You said in the thread that it should be ready in the next month or so?

Re: X-Cart and PCI-DSS / PA-DSS compliance
 

The PA-DSS compliant payment module has been moved out to January 2010. See http://www.x-cart.com/roadmap.html