Quote:
Originally Posted by xplorer
Just a side note: there is no trustworthy study confirming that putting all the fields on one page increases conversion. One-page checkout looks cool, but it doesn't guarantee that you will get more sales.
So it's OK if you don't support it when there is no evidence either way and your customers want it?
Quote:
Originally Posted by xplorer
Are you sure that you remove your server from PCI scope? Yes, a browser submitting the data to your gateway is out of the scope. But the behavior of the payment form is determined by X-Cart, not the browser. X-Cart is the party that decides where the credit card data will be sent. And I guess it will be considered a payment application that must be verified against PCI DSS requirements: just a small change in a template file of X-Cart will result in sending all credit cards through a hacker's proxy server.
The test for scope is: store, process or transmit cardholder data. My server does none of those, so it's out of scope. I asked quite a few questions of Braintree about this and they have had it approved by every QSA they have worked with as removing the server from PCI-DSS scope. By your logic even a merchant that uses Paypal or Authorize.Net SIM would have their server in scope because they could be hacked to send customers to a phishing site. Or even a site that says only call us with your credit card information could be hacked to add a card input page or link to a phishing site. Whether or not there are risks doesn't relate to scoping - there are always risks. Scoping just separates the high risk from the lower risk environments. Certainly no merchant should neglect securing their servers - in scope or out of scope.