Post #90, 12-27-2009, 04:40 PM
Steel (eXpert; Join Date: Dec 2006; Posts: 253)

Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by cflsystems
Can someone (Ralph Day or someone else with good understanding of this) explain which SAQ will apply for most xcart owners - A, B, C, or D - as I am getting really confused by that whole thing. For example an ecommerce store that sells only online and has only one server with only xcart on it and accepts cc payments on that server without storing any cc data? Or same but processing cc data offsite on the payment gateway page? How about a store connected to POS for face-to-face transactions where cc is physically present at time of purchase?

Hello Steve,

1) An ecommerce store that sells only online and has only one server with only xcart on it and accepts cc payments on that server without storing any cc data? Answer: Could possibly qualify for C or D.
2) Same but processing cc data offsite on the payment gateway page? Answer: Could possibly qualify for A or C.
3) A store connected to POS for face-to-face transactions where cc is physically present at time of purchase? Answer: Could possibly qualify for B, C, or D.
You would need to supply additional information for your questions to be answered.

The PCI information is here: https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_instr_guide.pdf

For simplification, I look at this as a process of elimination.

From the information Ralph has posted earlier in this thread, http://forum.x-cart.com/showpost.php?p=269106&postcount=37
http://forum.x-cart.com/showpost.php?p=273460&postcount=76
and other information I have read, I have concluded that SAQ Validation Type 5 / SAQ D is unrealistic for most businesses. If your company does not have someone that can comprehend and implement procedures/solutions for most of the questions asked in SAQ Validation Type 5 / SAQ D, then you could be looking at $10,000+/year for compliance. And, if you have staff that can comprehend and implement procedures/solutions, then perhaps you can get by on a budget of $1,000 to $10,000/year for compliance. So, for the majority, I suspect SAQ Validation Type 5 / SAQ D is out.

The other practical options for the small internet merchant, as Ralph stated, are SAQ A & C; and, unless you have a third party handle ALL credit card data functions (internet, phone, fax, mail, and card present), SAQ A is also out.
Quote:
SAQ Validation Type 1 / SAQ A: Card-not-present, All Cardholder Data Functions Outsourced
SAQ A has been developed to address requirements applicable to merchants who retain only paper reports or receipts with cardholder data, do not store cardholder data in electronic format and do not process or transmit any cardholder data on their premises.

So, our business will focus on what requirements/procedures we will need to change in order to meet SAQ Validation Type 4 / SAQ C. It would be helpful to have detailed discussions on the various options available for all aspects.
__________________
X-Cart Gold v4.6.6