  #37  
Old 09-24-2009, 01:18 PM
geckoday
X-Wizard
Join Date: Aug 2005
Posts: 1,073

Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by JWait
I don't mean to be obtuse here but going by what you say I take it to mean that all a shopping cart vendor has to do is be able to configure their cart to not process or save any credit card information to be in PCI-DSS / PA-DSS compliance. What the buyer of the shopping cart software does after that shouldn't affect the software vendor's compliance, only the software buyer's compliance. Since x-cart does that now, why isn't it compliant?
Well, sort of.

There are really three different compliance issues we are talking about:
  1. PA-DSS compliance
  2. VISA PA-DSS mandate compliance
  3. PCI-DSS compliance
X-Cart is not required to be compliant with anything if it is not used as the payment application - i.e. if it doesn't store, process or transmit credit card numbers. So if it is configured to use Authorize.Net SIM, Paypal Payflow Link or another gateway where the credit card numbers go directly from the customer's browser to the gateway, then there is no need for it to be compliant with PA-DSS, your web server doesn't have to be configured to be PCI-DSS compliant, and you will be exempt from the VISA PA-DSS mandate since you won't be using a vendor-supplied payment application. So although it's not compliant with PA-DSS, it can be used without violating PCI-DSS standards or the VISA PA-DSS mandate.

But this is not how most people use X-Cart and other shopping cart software. Most people want a more integrated checkout process where there is no jump out to a form on a payment gateway web site and then back to their site. So they are using Authorize.Net AIM, Paypal Payflow Pro or another gateway API where the credit card number is sent to the X-Cart software which behind the scenes sends it along to the payment gateway. When you configure X-Cart this way it becomes your payment application and now compliance is required on all three fronts. This requires X-Cart to be PA-DSS compliant, you must configure X-Cart according to whatever configuration standards Qualiteam documents as part of their PA-DSS certification and your web server must be configured to be PCI-DSS compliant. This will make you compliant with the VISA PA-DSS mandate.

This is why PA-DSS compliance is an issue for a majority of X-Cart users. Essentially, PA-DSS certification ensures the software:
  • Includes features required for PCI-DSS compliance, like encrypting credit card numbers using a strong encryption algorithm with good key management, logging access to payment data, etc.
  • Won't prevent you from configuring your server environment in a PCI-DSS compliant manner such as requiring all users to log on as root or administrator.
  • Includes documentation on how the merchant must configure the software for PCI-DSS compliance.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com
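The post's scoping argument rests on one observable fact: in a hosted/redirect integration (SIM, Payflow Link) the card number goes browser-to-gateway and never touches the merchant's server, while in an API integration (AIM, Payflow Pro) it is POSTed to the cart first. A practitioner will want to verify which case they are actually in rather than trust the configuration screen. The following is an added example, not code from the post or from X-Cart: a small Luhn-based PAN scanner you can run over access logs, POST bodies or application debug logs. The log lines are constructed for the example, and the card numbers are the publicly documented Visa/MasterCard test PANs; the `x_card_num`/`x_amount` field names are assumed for illustration only.

```python
"""Added example (not from the forum post or X-Cart): scan server-side
text (access logs, POST bodies, debug logs) for primary account numbers.

If a hosted/redirect checkout is really keeping the PAN off your server,
this scan should come back empty; with an API-style integration the PAN
shows up in the cart's own request data, which is what pulls the server
into PCI-DSS / PA-DSS scope.
"""
import re
from typing import List, Tuple

# Candidate runs of 13-19 digits, optionally separated by spaces or dashes.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit number found in text."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """PCI-DSS style masking for reporting: keep first 6 and last 4 only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan lines; return (line_no, masked_pan) for each hit, never the raw PAN."""
    hits = []
    for no, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((no, mask_pan(pan)))
    return hits


# Constructed sample: what the merchant server sees in each configuration.
SIM_STYLE_LINES = [
    # Redirect mode: cart sends only amount/order id to the gateway form;
    # the shopper types the card number on the gateway's own page.
    "POST /cart.php?target=checkout x_amount=49.95 x_invoice_num=10293 x_fp_hash=...",
    "GET /cart.php?target=thankyou&orderid=10293 -> 200",
    "order 10293 total 49.95 shipped to 90210, tracking 1Z999AA10123456784",
]

AIM_STYLE_LINES = [
    # API mode: the PAN is submitted to the cart first, then relayed.
    "POST /cart.php?target=checkout x_card_num=4111111111111111 x_exp_date=1012 x_amount=49.95",
    "DEBUG payment: relaying card 5555-5555-5555-4444 to gateway, cvv=***",
]

if __name__ == "__main__":
    print("hosted/redirect:", scan_lines(SIM_STYLE_LINES))
    print("API integration:", scan_lines(AIM_STYLE_LINES))
```

The scanner reports masked values only, so its own output does not become another place a full PAN is stored. Tracking numbers, order ids and amounts in the redirect-mode lines are ignored because they are either too short or fail the Luhn check; the API-mode lines produce a hit for each card number, including the dash-separated one from a debug log, which is exactly the kind of inadvertent storage a PA-DSS review looks for.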