Quote:
Originally Posted by geckoday
So it's OK if you don't support it when there is no evidence either way and your customers want it?
Future X-Cart versions will feature one-step checkout provided it is not against PCI-DSS or PA-DSS. You can share your thoughts on this feature at
ideas.x-cart.com
Quote:
Originally Posted by geckoday
The test for scope is: store, process or transmit cardholder data. My server does none of those so it's out of scope. I asked quite a few questions of Braintree about this and they have had it approved by every QSA they have worked with as removing the server from PCI-DSS scope. By your logic even a merchant that uses Paypal or Authorize.Net SIM would have their server in scope because they could be hacked to send customers to a phishing site. Or even a site that says only call us with your credit card information could be hacked to add a card input page or link to a phishing site. Whether or not there are risks doesn't relate to scoping - there are always risks. Scoping just separates the high risk from the lower risk environments. Certainly no merchant should neglect securing their servers - in scope or out of scope.
Yes, your server neither stores, nor processes, nor transmits CC data. However, X-Cart is a client-server software. And the payment page is a part of X-Cart. Unfortunately, PA-DSS doesn't give a clear answer on this question.