X-Cart forums (https://forum.x-cart.com/index.php) > News and Announcements (https://forum.x-cart.com/forumdisplay.php?f=28) > X-Payments 1.0 beta5 announcement (https://forum.x-cart.com/showthread.php?t=53981)

cflsystems 07-02-2010 04:55 AM

Re: X-Payments 1.0 beta5 announcement
 
Thanks Ryan, those were my thoughts as well but wanted to ask again... with all the info in here taking us in different directions all the time...

balinor 07-02-2010 05:07 AM

Re: X-Payments 1.0 beta5 announcement
 
Read this if you haven't already:

http://forum.x-cart.com/showthread.php?t=54408

geckoday 07-02-2010 05:49 AM

Re: X-Payments 1.0 beta5 announcement
 
Quote:

Originally Posted by Duramax 6.6L
This is a paragraph from the pdf that BSCE has in their email this month.

"PCI compliance requires that certified and non-certified processes be run on different servers (see SAQ-D section 2.2.1). As a result, certified code (X-Payments) cannot run on a machine that is also running uncertified code (X-Cart). X-Payments must run on a separate server to be fully compliant. Many companies cannot afford to have a second server that is dedicated to running software such as X-Payments. As a solution, BCS Engineering is providing X-Payments software as a service on a PCI-compliant system for a much lower cost than a second dedicated host. BCS Engineering's Hosted X-Payments solution is also cheaper than a virtual host. Not all virtual hosts can be considered PCI-compliant and are not all equal. Very cheap virtual hosts can be considered, from a security standpoint, to be equivalent to a shared hosting solution."

I can attach the pdf if you need it.

This is not correct. 2.2.1 is directed at the system component (web server, database server, mail server, etc.) level, not the application level. Its intent is to move components that don't need to be directly accessed from the internet off of servers that are directly accessed from the internet. If you are a merchant that must fill out SAQ D (most of us aren't unless you store credit card numbers) then 2.2.1 means you must run your web server software and database server software on separate servers and that the database server can't be accessed from the internet. If you meet the requirements to fill out SAQ C (mostly meaning you don't store credit card numbers) 2.2.1 doesn't even apply to you.

Besides, PA-DSS allows only the payment module portion of a software package to be certified. If you aren't allowed to run the non-certified core application alongside the certified payment module the payment module would be useless.

geckoday 07-02-2010 05:52 AM

Re: X-Payments 1.0 beta5 announcement
 
Quote:

Originally Posted by 27stars
one client told me authorize.net customers may be getting 1 year extension. Many clients did not get anything from their payment gateways or merchant account providers about PCI.

It sounds like the client is talking about the Mastercard/Discover partial authorization mandate which Authorize.Net did get a one year extension on and not the PA-DSS mandate.

geckoday 07-02-2010 06:10 AM

Re: X-Payments 1.0 beta5 announcement
 
Quote:

Originally Posted by cflsystems
So are we allowed to continue to use CC payments on site like nothing happened or will we get fined if not compliant? I for one never received any notice or request from the gateway or the merchant account about compliance. Tried to submit to them once and they told me "ok but we don't need it. if we need it we'll ask you to provide it". So I guess my question is:
1. Can I still collect CC payments on site like before without being compliant until X-Payments officially is released? Or another solution is found.
2. What happens if I turn on the payment gateway hosted payment page? Do I still have to file any compliance report?
3. Am I required to send any of the SAQs even though no one asked for it?

If your payment processor isn't giving you a hard time I would continue as you are. If they are then let them know what Qualiteam is saying about when X-Payments will be available and the additional time you'll need to implement it. Most payment processors will be happy with that and may want to check with Qualiteam before approving it.

Switching to a gateway hosted page won't mean no paperwork but it can change which SAQ you need to fill out, reducing your compliance requirements and making your life easier. It can also reduce your liability exposure.

If you process less than 20,000 VISA transactions and less than 20,000 Mastercard transactions annually (level 4 merchants) then it's up to your payment processor to decide what is required for you to validate your compliance. So at level 4 you don't need to fill out and send in any compliance paperwork UNLESS your payment processor asks for it. I would encourage you to fill out the appropriate SAQ annually anyway and keep it on file as documentation in the event of a breach to keep your liability to a minimum.

If you process over 20,000 annual VISA or Mastercard transactions then your payment processor should already be asking you for your annual SAQ as it is required by VISA / Mastercard and not a decision left up to the payment processor.

geckoday 07-02-2010 06:14 AM

Re: X-Payments 1.0 beta5 announcement
 
Quote:

Originally Posted by geckoday
This is not correct. 2.2.1 is directed at the system component (web server, database server, mail server, etc.) level, not the application level. Its intent is to move components that don't need to be directly accessed from the internet off of servers that are directly accessed from the internet. If you are a merchant that must fill out SAQ D (most of us aren't unless you store credit card numbers) then 2.2.1 means you must run your web server software and database server software on separate servers and that the database server can't be accessed from the internet. If you meet the requirements to fill out SAQ C (mostly meaning you don't store credit card numbers) 2.2.1 doesn't even apply to you.

Besides, PA-DSS allows only the payment module portion of a software package to be certified. If you aren't allowed to run the non-certified core application alongside the certified payment module the payment module would be useless.

I guess I should also add that this doesn't mean you don't need to worry about the security of other web applications you run on the same server with your payment application. You still must make sure you are applying vendor security patches promptly to all applications and not use known vulnerable applications, etc.

EN4U 07-02-2010 06:43 AM

Re: X-Payments 1.0 beta5 announcement
 
Ralph, Ryan.... On the brink of my meeting today whether or not to jump ship has me going in a lot of directions. Last thing I want to do is leave, I hope I have established that.

Reading the posts today, especially from these 2, has me wondering if we do have more time here and all isn't going to come crashing down. My first site here is with Authorize.Net, which I have heard nothing from or been sent any letters about compliance or otherwise. My other site goes through First Data and all I've heard from them was a letter pimping out their choice of PCI scanners and that was early this year, nothing since.

So where are we at? Should I fear things being shut down? Should I bolt as fast as I can? I am in the same boat as everyone else here, confused, dazed and just trying to figure out what in the hell to do.

Thanks

geckoday 07-02-2010 06:55 AM

Re: X-Payments 1.0 beta5 announcement
 
Quote:

Originally Posted by EN4U
Ralph, Ryan.... On the brink of my meeting today whether or not to jump ship has me going in a lot of directions. Last thing I want to do is leave, I hope I have established that.

Reading the posts today, especially from these 2, has me wondering if we do have more time here and all isn't going to come crashing down. My first site here is with Authorize.Net, which I have heard nothing from or been sent any letters about compliance or otherwise. My other site goes through First Data and all I've heard from them was a letter pimping out their choice of PCI scanners and that was early this year, nothing since.

So where are we at? Should I fear things being shut down? Should I bolt as fast as I can? I am in the same boat as everyone else here, confused, dazed and just trying to figure out what in the hell to do.

Thanks

Authorize.Net is not your payment processor - they are just a gateway. Whoever sends you your merchant statement is your payment processor.

You should not fear being shut down and there is no reason to bolt. It's unlikely your payment processor will shut you off without giving you some time to comply - especially when your software vendor is making progress on compliance. Other issues you have while waiting for Qualiteam are:

1. Liability. You are now required by VISA to use a PA-DSS compliant payment application whether or not anyone is checking up on you. If you are breached and are not doing so your payment processor might pass some fines down your way. It might also increase your liability for breach clean-up costs (replacing cards, etc.). And VISA might impose restrictions like forcing you to hire a QSA (big bucks) to certify your PCI-DSS compliance for you to continue taking credit cards.

2. If you decide to shop around payment processors you may find you can't switch to a new processor because some are asking what software you are using and won't take you if it's not PA-DSS certified.

EN4U 07-02-2010 07:10 AM

Re: X-Payments 1.0 beta5 announcement
 
Quote:

Originally Posted by geckoday
You should not fear being shut down and there is no reason to bolt. It's unlikely your payment processor will shut you off without giving you some time to comply - especially when your software vendor is making progress on compliance. Other issues you have while waiting for Qualiteam are:

1. Liability. You are now required by VISA to use a PA-DSS compliant payment application whether or not anyone is checking up on you. If you are breached and are not doing so your payment processor might pass some fines down your way. It might also increase your liability for breach clean-up costs (replacing cards, etc.). And VISA might impose restrictions like forcing you to hire a QSA (big bucks) to certify your PCI-DSS compliance for you to continue taking credit cards.

2. If you decide to shop around payment processors you may find you can't switch to a new processor because some are asking what software you are using and won't take you if it's not PA-DSS certified.

Thanks

cflsystems 07-02-2010 08:21 AM

Re: X-Payments 1.0 beta5 announcement
 
Thanks Ralph, that explains a lot. I wonder if QT ever hired you at least as an advisor. Probably most of this mess would have been avoided if they did.
