12-28-2009, 12:35 PM
geckoday

Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by cflsystems
Can someone (Ralph Day or someone else with good understanding of this) explain which SAQ will apply for most xcart owners - A,B,C, or D - as I am getting really confused by that whole thing. For example an ecommerce store that sells only online and has only one server with only xcart on it and accepts cc payments on that server without storing any cc data?

Probably SAQ C. You should read all of the requirements for SAQ C as Steel posted, but the one that most likely could push you to SAQ D is the connection to other systems in the merchant environment. I've heard varying opinions from QSAs on what that means, but I believe that for the typical X-Cart user who is administering their cart via HTTPS the connection to other systems doesn't apply, so you would be eligible for SAQ C.

Quote:
Originally Posted by cflsystems
Or same but processing cc data offsite on the payment gateway page?

Probably SAQ A, but almost equally as likely SAQ C. The issue many merchants run into with qualifying for SAQ A is handling phone orders and entering credit card numbers into the gateway virtual terminal from their PC. Suddenly, you are not completely outsourced, and that pushes you to SAQ C. OTOH, I hear of acquirers who are OK with SAQ A even if you enter credit card numbers into the gateway from your PC. Ultimately it's up to the acquirer to approve which SAQ you use, so if you tell them what you are doing and they say SAQ A is OK then you're good with SAQ A. Just make sure you document their answer.

Quote:
Originally Posted by cflsystems
How about a store connected to POS for face-to-face transactions where cc is physically present at time of purchase?

This is pretty tricky depending on exactly what you mean. If your POS system is sending card numbers to your X-Cart store, you're into SAQ D for sure. If the X-Cart store doesn't store card numbers and it's just sending inventory changes to X-Cart, you get into a grey area around what exactly "connected" means for SAQ C again. If the inventory changes are sent via HTTPS with login/password authentication and that's all that is done, I personally would argue for SAQ C, but your acquirer might have different views. No possibility for SAQ A or B because it isn't outsourced and you have both face-to-face and internet.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com