Do we need X-Payments?
 

I haven't worked with X-Payments yet. I have a client who wants to make sure his site is PCI compliant. He takes credit card numbers during checkout, but processes them manually. He wants to continue processing them manually. Does he need X-Payments to be PCI compliant? If not, is there anything he does need to do?

Thanks!

Re: Do we need X-Payments?
 

Unless he jumps through hoops and spends enormous amount of money I don't see how the site can be compliant if CC info is saved and processed manually. Basically it is illegal to do this nowdays no matter if X-Payments is used or not.

Re: Do we need X-Payments?
 

Yea, there is really no way to do that these days. A merchant is not supposed to ever see the CC data. One alternative would be to use a service like Authorize.net CIM which stores the CC data for you, allowing you to process it at will. But storing it on your own server, no matter how compliant the server is, is simply illegal.

Re: Do we need X-Payments?
 

OK, that makes sense. I am still pretty confused about X-Payments though. He is Canadian, so needs a Canadian merchant account. He would prefer customers to stay on his site, rather then enter their credit card info on the merchant site. And he definitely wants to be PCI compliant. As far as I can tell, he'd have to use Beanstream and X-Payments to be PCI compliant and accept credit cards directly on his site, is that right, or are there other options?

Re: Do we need X-Payments?
 

Correct.

Re: Do we need X-Payments?
 

I am a small business owner using X-Cart. I have had X-Payments installed but now, looking at liability, I think I am still liable unless I am PCI compliant, which means spending a lot of money and time on compliance scans of my site and also having my business premises in compliance (net works etc.)

I talked to someone who told me if I send my customers to PayPal or Stripe, or someplace like that, and they enter their payment information on “their” site, I don't have to deal with PCI compliance at all.

Any suggestions ot thoughts?
Thanks in advance

Re: Do we need X-Payments?
 

If you use PP Standard or payment gateway hosted page you don't have to be compliant for the site so X-Payments is not needed. I think you still have to do the quarterly scans. PCI compiance is not only how you collect payments but also how secure your site and software is - so software and hardware

Re: Do we need X-Payments?
 

We are looking at using Paypal Advanced, so we would still need X-Payments, correct?

Also, if X-Payments needs to be on it's own shared hosting account, does that mean we have to buy a whole new domain name just for X-Payments???

Re: Do we need X-Payments?
 

You might be able to set up a subdomain, like secure.mydomain.com, which uses its own hosting account. Your host should be able to help you. QT recommends a VPS or dedicated to do this properly.
http://forum.x-cart.com/showpost.php?p=342091&postcount=18

---

Re: Do we need X-Payments?
 

I also want to add that we are going to launch "X-Payments Hosted" service that will include both X-Payments (PA-DSS certified application for payment processing) and PCI-DSS compliant hosting environment at affordable monthly fee. You will be able to have your own domain or subdomain for your X-Payments Hosted account.

Subscribe for our announcement at
http://eepurl.com/kBo9v
https://www.facebook.com/xpayments
https://twitter.com/x_payments

Re: Do we need X-Payments?
 

Is X-Payments needed for Paypal Advanced?

Re: Do we need X-Payments?
 

> Is X-Payments needed for Paypal Advanced?

Yes, if you want to use PayPal Payments Pro or Payflow Pro

Re: Do we need X-Payments?
 

I want to use Paypal Advanced...not Payments Pro or Payflow Pro. Just Paypal Advanced. I don't see Paypal Advanced as an option in X-Payments.

Re: Do we need X-Payments?
 

Ok, now I'm confused... is X-Payments similar to Cardinal Commerce and 3-D Secure Transaction? Surely not?

Re: Do we need X-Payments?
 

> I want to use Paypal Advanced...not Payments Pro or Payflow Pro. Just Paypal
> Advanced. I don't see Paypal Advanced as an option in X-Payments.

Oh, I see. PayPal Payments Advanced. It is going to be a part of X-Cart 4.5.3 (it is in 4.5.2, but 4.5.3 is going to be certified by PayPal officially)

Re: Do we need X-Payments?
 

> is X-Payments similar to Cardinal Commerce and 3-D Secure Transaction? Surely
> not?

nope. Cardinal Commerce provides 3D Secure support for payment processors integrated with X-Payments. Using just Cardinal Commerce is not enough for PCI compliance. According to new VISA rules in order to be PCI compliance you have to use a PA-DSS certified software for credit card processing, e.g. X-Payments. Or you can use a payment gateway that requires you to send your web-site visitors off your site to its secure page for payment. I.e. outsource all credit card payment processing to a PCI compliance payment processor in a way where your site doesn't receive, store and transmit credit card details completely.

Re: Do we need X-Payments?
 

Yes, I am using 4.5.2 and I see it in the X-Cart admin. But it is not showing in X-Payments anywhere. Does Paypal Advanced not require X-Payments?

Re: Do we need X-Payments?
 

> Does Paypal Advanced not require X-Payments?

PayPal Payments Advanced is a built-in X-Cart feature since v4.5.3 (to be released very soon) and does not require X-Payments

Re: Do we need X-Payments?
 

X-Payments Hosted is available now:

http://s.x-cart.com/buy_xp_hosted

Re: Do we need X-Payments?
 

ambal,
Do you have plans for X-Payments to work with Authorize.net CIM? We really need CIM, so we can have the ability to bill customer's credit cards again, yet be PCI compliant.

Mike

Re: Do we need X-Payments?
 

Hi Mike, I just had BCSE build a CIM integration that works using an Iframe connected directly to Auth.net...might want to ask them about it.

Re: Do we need X-Payments?
 

Yes, we are planning this feature in X-Payments v1.1
I can't tell you about when it is going to be released because we should take in account validation of X-Payments by our PA-QSA and the PCI council and that can take some time.

Re: Do we need X-Payments?
 

Thanks for this, Alex. However - I don't believe you absolutely need to consider Authorize.net CIM as a solution within X-Payments only. Authorize.net CIM now offers a hosted solution or a lightbox or iframe for that first collection of the credit card information. (Previously - CIM was a problem because they did not have a hosted solution in their API for the credit card entry so it would need to be in X-Payments.) You can now actually implement Authorize.net CIM in X-CART or X-CART Next without using X-Payments. Now, you can actually add vault capabilities or a subscription/recurring module without requiring X-Payments.

From what Mike indicated - BCSE is using the iFrame part of the CIM API. It seems better to build this outside of X-Payments now that CIM API allows it. Perhaps you could coordinate with BCSE to build a module for X-Cart 4.x, and you could add Authorize.net CIM hosted to your XCART Next roadmap? Since it is hosted - you could even add it to Ecwid and have a subscription module there too.

---

Re: Do we need X-Payments?
 

> Perhaps you could coordinate with BCSE to build a module for X-Cart 4.x, and
> you could add Authorize.net CIM hosted to your XCART Next roadmap?

Folks, there is no need to wait till we add something to XCN roadmap. Just develop your plugin/add-on/module/whatever for XCN and submit to XCN Marketplace and you will earn $$ selling it.

Re: Do we need X-Payments?
 

So are you saying we can use Authorize.net CIM in X-Cart now? Currently we're using Authorize.net AIM to process our credit card transactions through X-Cart. I wasn't aware you could set up Authorize.net CIM through X-Cart right now. Please confirm if this is what you meant or if I am misunderstanding you :)

P.S. - Our store will be v.4.4.5

Re: Do we need X-Payments?
 

You are misunderstanding.

Alex says it is on the roadmap for a future X-Payments version. I was suggesting that modifying the road map to move it from X-Payments to X-Cart and X-Cart Next would make more sense. Alex is suggesting that developers consider doing it for X-Cart Next.

So - it is not available as an add-on module now. It could be available on X-Payments at some point. If you want it now, your best path is to contact BCSE - they have experience implementing it for X-Cart. Or, ask another developer.

Since you are using AIM now, that means you need to be using X-Payments. CIM does not require X-Payments. To add it to X-Payments will require re-certification of X-Payments, so Alex says it will take some time.

P.S. - Just implementing an interface to CIM is not all there is to it - but it does open the door for other possibilities - like a vault for rebills and refunds, or a subscription module. It is a good, affordable gateway solution to then enable this kind of functionality. I use it with another application for subscriptions, and it works very well.

---

Re: Do we need X-Payments?
 

OK, I feel like an idiot, but I am thoroughly confused about X-Payments. I wish to use the Quantum Gateway iFrame option. In the 4.5.2 Payment Methods section, this method is listed under CC processors, not under the methods that state they require X-Payments. Does this mean I don't need X-Payments to use the Quantum Gateway iFrame method? And is it PCI-DSS compliant without X-Payments? From what I've read about the latest X-Cart versions, I'm under the impression that X-Cart is no longer supporting any methods that aren't compliant.

If not, what about Quantum's other option that involves redirecting the customer to pay via CC? That shouldn't require X-Payments, right?

I don't particularly want to do the redirect, but I also don't want to go through all the trouble with X-Payments I see people are having. In addition, I don't want to double my hosting costs so I can have another account just to host X-Payments. My host (EWD) uses Quantum with redirect and, although the interface isn't particularly attractive, it seems to work OK when I use it to pay for services, etc. via CC.

What is my best option to avoid using X-Payments?

Re: Do we need X-Payments?
 

The only time you will need X-Payments is if you are using on-site CC payment method. iFrame or payment gateway hosted page do not require X-Payments. Quantum has both in standard XC included. If you want to use the transparent method with Quantum then you need X-Payments but for the iFrame and hosted page - you don't need it.

Re: Do we need X-Payments?
 

Thank you sooo much, Steve. I thought I could use the iFrame without X-Payments, but I saw several people discussing their problems with various iFrame methods and X-Payments. Plus I tried setting up the Quantum iFrame in my 4.5.2 store and it wouldn't work (I tried with both FLC and OPC), so that also got me to thinking I may need X-Payments.

4.5.2 seems to have a lot of bugs, though, so I'm hoping the issue will be resolved in the next version.

Thanks again for your reply. You've been very helpful as usual.:-)

Re: Do we need X-Payments?
 

> In addition, I don't want to double my hosting costs so I can have another account
> just to host X-Payments.

We are launching X-Payments Hosted that includes X-Payments and PCI compliant hosting in one package. It is not published at our web-site yet, but it can be purchased at http://s.x-cart.com/buy_xp_hosted

$49 per month to connect one store and have access to your own X-Payments admin back-end and everything is compliant.

Re: Do we need X-Payments?
 

We have the Authorize.net CIM module available for a while now if you are still interested in it. Many banks accept this as a way to take X-cart out of the scope of the harder PCI questionnaires. We haven't run into one yet that didn't accept this or our Authorize.net DPM solution as something viable for ease of PCI compliance.

http://www.bcsengineering.com/store/authorize.net-cim-module.html?MMCF_xfCIM

Carrie

Re: Do we need X-Payments?
 

On this same note about needing x-payments, I have a client with 2 websites:

1. Website No. 1 = x-cart gold v4.4.5 - client has this past week set up PayPal Pro/ Payflow and website has been checked and approved by an account manager at PayPal, and is now taking credit cards on the website. The client simply configured the payment settings himself after sorting out the PayPal pro account. Note he has not got x-payments (or its new version) in place.

I was under the impression that with any x-cart version, you need x-payments in place for taking cards on the website.

2. Website No. 2, created after website No. 1 and was using v4.5.3 but upgraded yesterday to 4.5.4 - client now wants to take cards on that site too, but finds he can't without purchasing and installing x-cart payments. Same PayPal person assured him he should be able to take cards on the No. 2 site without doing anything further. ie n o mention of x-payments by PayPal.

First question, why is website no. 1 functioning correctly and thus allowed to take payments on site without x-payment being installed?

The client thinks that the best and cheapest option, based on website no. 1 working fine and being approved by Paypal, is to now install x-cart 4.4.5 software to website No. 2 so he can circumvent having to get x-payments - is that possible?

Re: Do we need X-Payments?
 

If your payment processor is happy with the setup, than you are probably OK. It is up to the merchant services provider to enforce the PCI Compliance rules.

However if a breach occurs, and cardholder data is compromised, you may still be liable for fines.

It is not your problem really, it sounds like you have recommended the best options to your client, if they want to flirt with danger than it is their choice. I would simply do what the client asked, after warning them that it is not the best way. I have clients that still store card holder data directly on their server, and process cards offline! Unbelievable!

Re: Do we need X-Payments?
 

Thanks for that, it's hard to explain to the client why it is working on website no. 1 when really, it should neither a) be functioning (I presume??) and b) have been approved by PayPal.

There is no mention of any quarterly scans or anything else either. Bizarre.

I should emphasise he sorted out website no.1 himself over xmas, and was up and done before he contacted me to ask why it then wouldn't work with website no. 2 after doing the upgrade (which he thought would fix the issue). I have tried to explain what should happen, but hard to understand for him when website no. 1 is working just fine.

Re: Do we need X-Payments?
 

I guess there is a confusion from PayPal side. I'll contact them and make sure their reps understand the requirements. We do not want to participate in any mess created accidentally.

Re: Do we need X-Payments?
 

So can you confirm why an x-cart website using 4.4.5 works without x-payments being installed?

also can client roll back and reinstall 4.4.5 on the second website?

Re: Do we need X-Payments?
 

In 4.4.5 the methods were included. In 4.5.X there are no payment methods included that are non-compliant. I believe that is why the version incremented into the 4.5 branch, it was a significant change.

So it works in the older version, because the methods are there, new version they are missing. Sure you can always install an older version and run that, question is, do you really want to? Security concerns and improvements aside, you don't want to make a decision to get "stuck" in an old branch.

Re: Do we need X-Payments?
 

Okay that answers that question, and of course I have indeed already pointed out that it would be an old version, and would not have what any new versions do have, and that upgrades remove or add features as well as fixing any known bugs. So yes, he's warned about that but it would be his informed choice end of the day.

That said, i've just dug out an old copy of an x-payments licence.....I guess we could possibly use that and he won't have to get x-cart payments, is that correct? It's v1.05 so would that work on a 4.5.4 site ie if we don't roll back to an old version.

Re: Do we need X-Payments?
 

One thing many do not understand or do not want to understand - PCI-DSS forces everyone to use certified solution for collecting CC payments. XC is not certified payment application. Using XC only to collect and process CC payments makes the whole process non-compliant. It doesn't matter what some rep at PP said. You need to use certified application like X-Payments or take the payment process out of XC completely - no other way around.

At the end of the day the merchant is responsible if anything... And - if your client is fined $50000 one day because of this they will blame you, the developer, for allowing them to use non-compliant solution :) so maybe you need to put your foot down and not do what the client wants in that situation

@Mike
You should do your best to force these clients not to process CC that way - there is no excuse for doing that anymore.

Re: Do we need X-Payments?
 

We did the site a couple of months back and it is not for us to "allow the client" to do something to their website or not.

I am in no position to tell the client what to do, only inform him which I have done, as already stated above.

He has been told quite clearly about PCI DSS compliance and I will be reinforcing this tomorrow when I speak to him again, the possible nasty outcomes this could result in.

However and all that said, the client is sensible and will listen once I clarify what's been confirmed here today, which was why does it work when it shouldn't (after all, it does work and PayPal have said it's fine and approved it so PP Pro works too!) and then what he needs to do to put it right (get x-payments). It's not his fault - he's being told and seeing something to what should actually not be happening but understandably, he wants to know why. He said the PayPal guy was adamant is should work on both sites and \I did say there is a chance this guy was not experienced or up to date on all x-cart versions, x-payments, etc.

There is no risk of him pointing any finger of blame at me, that is for sure. All clients get warned of what they should or should not do.