#48, 12-17-2009, 05:52 AM
xplorer (X-Cart team)
Join Date: Jul 2004
Posts: 925

Re: X-Cart 4.4 has been added to the development plan

Hi!

Thank you for your feedback! We will consider this once again and may remove X-Cart 4.4 from the development plan.

As for PCI compliance:

The PCI DSS security requirements apply to all network components, servers, and applications that are included in or connected to the part of the network that possesses cardholder data or sensitive authentication data. If that part of the network is not isolated (segmented) from the remainder of the network, the entire network (with all purchased and custom applications, including web applications as well) is in the scope of the PCI DSS assessment.

The easiest way to reduce the scope of the PCI DSS assessment is to completely outsource credit card processing to a PCI-compliant payment gateway so that your server, with all installed web applications (including X-Cart), is isolated from the part of the network that possesses cardholder data. You can do this in any X-Cart version by disabling all built-in CC processing functions and using X-Cart in connection with a payment gateway that hosts the payment form on its own server. Note: there are payment gateways that allow you to host the payment form on your web server in such a way that the cardholder data is submitted directly from the form to the gateway. Since the data never touches your server, the server may be moved out of the assessment scope (please consult with your acquirer to clarify whether this is true for your payment gateway).

For those who can't or don't want to completely outsource CC processing to a payment gateway, we will release X-Payments. X-Payments is a stand-alone web application with encrypted code acting as a proxy between an X-Cart store and a payment gateway. When a customer places an order in X-Cart, he will be redirected to the payment form displayed by X-Payments. X-Payments will handle the entire payment processing job and will redirect the customer back to X-Cart. So, X-Payments is the payment application that processes and transmits cardholder data, not X-Cart. The main idea is still isolating X-Cart from the part of the network that possesses cardholder data; however, now X-Payments (the payment application) is included in that part of the network and is in the scope of the assessment. Since payment applications will soon be subject to PA-DSS rules, X-Payments will be certified by an authorized PA-QSA as a PA-DSS validated payment application (Q1 2010).

For X-Cart 4.3 there will be a connector module that integrates X-Payments with X-Cart. It may happen that X-Cart 4.2 users will be able to use the module with a few modifications. Integration of X-Payments with X-Cart 4.1 and LiteCommerce most likely will require customization.

Why not certify X-Cart as a PA-DSS validated payment application? The reasons are:
1. PA-DSS would require costly certification of every released X-Cart version
2. You would experience difficulties when explaining to your acquirer that the custom modifications made to your X-Cart are not against the PCI DSS requirements
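The scope question in the post above comes down to whether card data ever reaches the store's server. As an added example (not X-Cart or X-Payments code), the Python scanner below parses a constructed checkout page and flags every card-collecting form whose action posts back to the merchant host, the case the post says keeps the server in scope; forms posting straight to another host are the gateway-direct case to confirm with the acquirer. The merchant hostname, gateway hostname and field names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Field names taken to mean "this form collects cardholder data" (assumed list).
CARD_FIELDS = {"cardnumber", "card_number", "ccnumber", "cc_number", "pan", "cvv", "cvc", "expiry"}


class FormScanner(HTMLParser):
    """Collects every <form> with its action and the names of its <input> fields."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_checkout(html, merchant_host):
    """Report, for each card-collecting form, whether the browser posts the card data
    to the merchant host (keeps the server in scope) or straight to another host."""
    scanner = FormScanner()
    scanner.feed(html)
    results = []
    for form in scanner.forms:
        if not any(name in CARD_FIELDS for name in form["fields"]):
            continue  # no card data here (e.g. an address form)
        host = urlsplit(form["action"]).netloc.lower()
        # A relative action (empty netloc) posts back to the page's own origin: the merchant.
        touches_merchant = host in ("", merchant_host.lower())
        results.append({"action": form["action"], "host": host or merchant_host.lower(),
                        "touches_merchant": touches_merchant})
    return results


# Constructed checkout page: a built-in CC form posting to the store, a gateway-direct form,
# and an address form with no card fields.
SAMPLE_HTML = """<form action="/cart.php?target=checkout" method="post">
<input name="ccnumber"><input name="cvv"></form>
<form action="https://gateway.example/pay" method="post"><input name="card_number"></form>
<form action="/address.php" method="post"><input name="zipcode"></form>"""
```

Run `classify_checkout(SAMPLE_HTML, "shop.example")` to see the first form flagged as touching the merchant and the second as posting directly to gateway.example.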