Re: X-Payments 1.0 beta5 announcement
 

It does not "have" to be on it's own server.
It would be best practice but I don't see why it would be required.

Re: X-Payments 1.0 beta5 announcement
 

This is a paragraph from the pdf that BSCE has in their email this month.

""PCI compliance requires that certified and non‐certified processes be run on different servers
(see SAQ‐D section 2.2.1). As a result, certified code (X‐Payments) cannot run on a machine that is also
running uncertified code (X‐Cart). X‐Payments must run on a separate server to be fully compliant.
Many companies cannot afford to have a second server that is dedicated to running software such as XPayments.
As a solution, BCS Engineering is providing X‐Payments software as a service on a PCIcompliant
system for a much lower cost than a second dedicated host. BCS Engineering’s Hosted XPayments
solution is also cheaper than a virtual host. Not all virtual hosts can be considered PCICompliant
and are not all equal. Very cheap virtual hosts can be considered, from a security standpoint,
to be equivalent to a shared hosting solution.""

I can attach the pdf if you need it.

Re: X-Payments 1.0 beta5 announcement
 

conflicting info all over the place.
Please see this:
http://forum.x-cart.com/showpost.php?p=273343&postcount=62

Re: X-Payments 1.0 beta5 announcement
 

I remember reading that post before, I am just trying to sort this all out like every one else is.

Re: X-Payments 1.0 beta5 announcement
 

Ralph knows his stuff - if he says something is true, you are probably pretty safe to assume it is.

Re: X-Payments 1.0 beta5 announcement
 

+1 Ralph does have the knowledge!

Re: X-Payments 1.0 beta5 announcement
 

Some payment gateways require compliance at different deadlines. I am collecting this information for payment gateways supported by X-Payments and will have it published at http://forum.x-cart.com/showthread.php?t=54408

If you know something about deadlines set by various payment gateways don't hesitate to post that information and proof links here or PM me.

Re: X-Payments 1.0 beta5 announcement
 

one client told me authorize.net customers may be getting 1 year extension. Many clients did not get anything from their payment gateways or merchant account providers about PCI.

By the way, SAQ‐D section 2.2.1 is probably applied to merchants who has to store credit card information, not just pass it for processing without saving to the database.

Re: X-Payments 1.0 beta5 announcement
 

So are we allowed to continue to use CC payments on site like nothing happened or we will get fined if not compliant? I for one never received any notice or request from the gateway or the merchant account about compliance. Tried to submit to them once and they told me "ok but we don;t need it. if we need it we'll ask you to provide it". So I guess my question is:
1. Can I still collect CC payments on site like before without being compliant until X-Payments officially is released? Or another solution is found.
2. What happens if I turn on payment gateway hosted payment page? Do I still have to file any compliance report?
3. Am I required to send any of the SAQ's even though noone asked for it?

Re: X-Payments 1.0 beta5 announcement
 

1. Keep going as you have - they aren't going to shut you down immediately - they have no way to prove that you aren't using a compliant cart
2. If you go to their hosted page, you can avoid the whole mess - this only applies to carts that handle CC data on site
3. I wouldn't give them anything until they ask for it