Post #279, 07-15-2010, 06:23 AM
Ene (X-Cart team; Join Date: Aug 2004; Posts: 907)

Re: X-Payments 1.0 beta5 announcement

Quote:
Originally Posted by geckoday
You are misinterpreting this. PA-DSS requirement 11.2, as it says, is derived from PCI-DSS requirement 8.3 which requires two factor authentication for remote access. The problem is that how your customers are accessing X-Payments does not fall under the definition of remote access. The PCI-DSS FAQ on the definition of remote access says:

"PCI DSS requirement 8.3 is intended to apply to users that have remote access to the network, where that remote access could lead to access to the cardholder data environment. In this context, remote access refers to network-level access originating from outside the company's own network"

So it's VPN-style network-level access that is being referred to, not web application logins. If remote access included people logging into a web application then every gateway out there would be in violation of PCI-DSS 8.3. But all the gateways are QSA certified. As PA-DSS 11.2 is derived from PCI-DSS 8.3, the same definition of remote access applies.

Granted, PA-DSS 11.2 could be written better for clarity (as can a whole lot of PCI-DSS and PA-DSS), but the reference back to the PCI-DSS requirements is there so you can refer back to the PCI-DSS to understand the intent of the PA-DSS requirements.

You might also want to take a look at the fact that none of your competitors (at least that I have been able to find) that are PA-DSS certified have implemented two factor authentication.

Ralph, I appreciate your impressive knowledge of all this PCI-DSS related stuff and your input in the discussion. However, I cannot agree with you on this point.

1. PA-DSS is applied to the payment application only. It isn't applied to a server or a network environment, so PA-DSS cannot have any requirements for how you log in to your network. It has requirements for how you connect to your application.

2. Payment gateways are not certified by PA-DSS, because they are not payment applications (in terms of PA-DSS). They're certified using PCI-DSS. As you said, PCI-DSS requires two factor authentication for the network environment, not for the gateway's backend itself. Thus gateways don't have it.

However, PA-DSS requires this feature for all kinds of "remote access" and doesn't give any clear description of what "remote access" is. If you check the doc, you will not find a word about networks there.

When you log in to your X-Cart or X-Payments backend, do you access your orders database remotely? I think you do.

3. The last and the main one.
The initial version of X-Payments didn't have the two factor authentication (e.g. PINs) at all.

This feature was added at our QSA's demand. They discussed this internally and decided that the "remote access" term includes web logins.
__________________
Eugene Kaznacheev,
Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009)

ex-Head of X-Cart Tech Support Department
ex-X-Cart Hosting Manager
ex-X-Cart Technical Support Engineer

Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.