#33, 08-19-2009, 06:50 AM
geckoday
X-Wizard
Join Date: Aug 2005
Posts: 1,073

Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by JWait
We have been looking into this and what it appears like to me is that all versions of x-cart are not and cannot be PCI-DSS compliant. The reason for this is that in x-cart you have the option to store credit card information, and this is a BIG no-no. Even if there is an "upgrade patch" it can be circumvented so that credit card information can still be stored.

For this reason, version 5 must not have the option to store credit card information and be developed in such a way that it never can store credit card information in order to be PCI-DSS compliant.

X-cart absolutely needs to make a "database upgrade patch" that works 100% correctly 100% of the time to convert older carts to version 5. Most people can handle re-designing their site if need be, but retaining their data is of the utmost importance.

Am I wrong about this?
Yes, you are wrong about this. There is nothing in PCI-DSS or PA-DSS that prohibits the storage of credit card numbers. The PCI-DSS Requirements and Security Assessment Procedures document on page 4 has a table of what is acceptable to store and the requirements for storing it (e.g. encryption). Credit card number, cardholder name, and expiration date are listed as allowable to be stored with protection such as encryption. Even if it didn't allow storage, a system can be configurable as long as it's configured to meet PCI-DSS requirements. For example, a system can have a configuration that allows it to store CVV codes (which is a BIG no-no). But as long as it is configured so that it doesn't, all is OK with PCI-DSS.

Another thing to note is that PCI-DSS compliance is nothing that X-Cart can do - it is the merchant that must be PCI-DSS compliant as it includes many things with respect to the merchant environment such as anti-virus software, firewalls, etc. What Qualiteam can do and is doing is splitting out the payment part of X-Cart and getting it certified as PA-DSS compliant. What PA-DSS compliance means is that it has passed testing showing that it can be implemented in a PCI-DSS compliant manner and includes instructions for the merchant to implement it in a PCI-DSS compliant manner. It's still up to the merchant to implement it properly. Qualiteam has said they will port the modified PA-DSS compliant payment module they are developing for version 5 back to the version 4 releases.

Although storing credit card numbers is allowed by PCI-DSS, I wouldn't recommend that small merchants do so. In fact, even the big boys are trying to eliminate the storage of credit card numbers. The PCI-DSS compliance hurdles needed for credit card number storage are just way too much for a small merchant and the liability in the event of a breach too great.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com
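The storage rule geckoday describes (PAN, cardholder name and expiry may be kept only under protection such as encryption; the CVV must never be kept, whatever the configuration switch says) is easier to review when it is enforced in code rather than by policy alone. The following Go program is an added example written for this thread; it is not X-Cart or Qualiteam code and does not reflect how X-Cart stores card data. It assumes a hypothetical checkout record (`CardInput`), a hypothetical "store credit card numbers" switch (`storePAN`), AES-256-GCM from the Go standard library for the at-rest encryption, and a JSON serialization for the persisted record. The test card number and key are constructed sample values. A naive record type is included only to show what the audit is meant to reject.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// CardInput is what a checkout form hands over (hypothetical shape for this example).
type CardInput struct {
	PAN      string // primary account number
	Holder   string
	ExpMonth int
	ExpYear  int
	CVV      string // needed for authorization only; must never be persisted
}

// StoredCard is the only shape allowed to reach storage: no CVV field exists,
// the PAN is encrypted, and a masked copy (last four digits, a common display
// practice assumed here) is kept for receipts.
type StoredCard struct {
	EncryptedPAN string `json:"encrypted_pan,omitempty"` // hex(nonce || AES-GCM ciphertext)
	MaskedPAN    string `json:"masked_pan"`
	Holder       string `json:"holder"`
	ExpMonth     int    `json:"exp_month"`
	ExpYear      int    `json:"exp_year"`
}

// naiveRecord is the "before" picture: a record type that would let the CVV
// and plaintext PAN land on disk. It exists only so the audit can reject it.
type naiveRecord struct {
	PAN string `json:"pan"`
	CVV string `json:"cvv"`
}

var (
	ErrCVVNotStorable  = errors.New("CVV must not be persisted")
	ErrPlaintextPAN    = errors.New("plaintext PAN found in stored record")
	ErrCiphertextShort = errors.New("ciphertext shorter than nonce")
)

// encryptPAN seals the PAN with AES-256-GCM; the random nonce is prepended.
func encryptPAN(key []byte, pan string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan), nil)
	return hex.EncodeToString(append(nonce, ct...)), nil
}

// decryptPAN reverses encryptPAN; used only by the code path that needs the PAN.
func decryptPAN(key []byte, enc string) (string, error) {
	raw, err := hex.DecodeString(enc)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns {
		return "", ErrCiphertextShort
	}
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// maskPAN keeps only the last four digits.
func maskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// ToStorable converts checkout input into the persistable record. storePAN
// mirrors a "store credit card numbers" configuration switch: when off, even
// the encrypted PAN is dropped. The CVV is never copied, whatever the switch.
func ToStorable(key []byte, in CardInput, storePAN bool) (StoredCard, error) {
	out := StoredCard{MaskedPAN: maskPAN(in.PAN), Holder: in.Holder, ExpMonth: in.ExpMonth, ExpYear: in.ExpYear}
	if storePAN {
		enc, err := encryptPAN(key, in.PAN)
		if err != nil {
			return StoredCard{}, err
		}
		out.EncryptedPAN = enc
	}
	return out, nil
}

// Serialize is the form that would actually be written to the database.
func Serialize(c StoredCard) ([]byte, error) { return json.Marshal(c) }

// AuditRecord is the reviewer's check on whatever landed in storage: no field
// named like a CVV may exist, and no string value may contain the full PAN.
func AuditRecord(serialized []byte, pan string) error {
	var fields map[string]any
	if err := json.Unmarshal(serialized, &fields); err != nil {
		return err
	}
	for k, v := range fields {
		if strings.EqualFold(k, "cvv") || strings.EqualFold(k, "cvc") || strings.EqualFold(k, "cvv2") {
			return ErrCVVNotStorable
		}
		if s, ok := v.(string); ok && strings.Contains(s, pan) {
			return ErrPlaintextPAN
		}
	}
	return nil
}

func main() {
	key := make([]byte, 32) // constructed all-zero key for demonstration only
	in := CardInput{PAN: "4111111111111111", Holder: "Sample Holder", ExpMonth: 12, ExpYear: 2027, CVV: "123"}
	rec, err := ToStorable(key, in, true)
	if err != nil {
		panic(err)
	}
	data, _ := Serialize(rec)
	fmt.Println(string(data))
	fmt.Println("audit of hardened record:", AuditRecord(data, in.PAN))
	naive, _ := json.Marshal(naiveRecord{PAN: in.PAN, CVV: in.CVV})
	fmt.Println("audit of naive record:", AuditRecord(naive, in.PAN))
}
```

The point of `AuditRecord` is that it inspects the serialized bytes, not the Go type: a configuration switch flipped the wrong way, or a second code path that bypasses `ToStorable`, shows up the same way a bad type definition does. In a real deployment the key would come from a key-management service rather than a zeroed slice.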