#280
07-15-2010, 07:27 AM
 
geckoday
 

X-Wizard
  
Join Date: Aug 2005
Posts: 1,073
 

Re: X-Payments 1.0 beta5 announcement

Quote:
Originally Posted by Ene
Ralph, I appreciate your impressive knowledge of all this PCI-DSS related stuff and your input in the discussion. However, I cannot agree with you on this point.

1. PA-DSS is applied to the payment application only. It isn't applied to a server or a network environment, so PA-DSS cannot have any requirements for how you log in to your network. It has requirements for how you connect to your application.

2. Payment gateways are not certified by PA-DSS, because they are not payment applications (in terms of PA-DSS). They're certified using PCI-DSS. As you said, PCI-DSS requires two-factor authentication for the network environment, not for the gateway's backend itself. Thus gateways don't have it.

However PA-DSS requires this feature for all kinds of "remote access" and doesn't give any clear description what "remote access" is. If you check the doc, you will not find any word about network there.

When you log in to your X-Cart or X-Payments backend, do you access your orders database remotely? I think you do.

3. The last and the main one.
The initial version of X-Payments didn't have the two factor authentication (e.g. PINs) at all.

This feature was added at our QSA's demand. They have discussed this internally and decided that the "remote access" term includes the web logins.

I think you have hired an extremely over-zealous QSA. Fire him and hire a better QSA. Even if you believe him, 11.2 only requires that your implementation guide include instructions to your customer that they need to use two-factor authentication - it doesn't require that the application build in two-factor authentication. A customer can use SSL client certs to satisfy a second factor for login, or other methods that don't require anything built into X-Payments. This is a clear case of The QSA Conundrum, where a well-meaning QSA inflates the requirements.

Your PA-QSA should know that PA-DSS is not intended to define new requirements above and beyond PCI-DSS - it's intended to make sure your application doesn't prevent a merchant from implementing your application in a PCI-DSS compliant manner.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com
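The approach geckoday points at above, satisfying the second factor with SSL client certificates enforced in front of the web login rather than inside the application, as an added example that is not code from the original post, from X-Payments or from X-Cart. Every specific here is an assumption: the admin UI is taken to live under /admin/ on xpayments.example.com, the application to listen on 127.0.0.1:8080, and /etc/nginx/xpayments-ca.pem to hold the private CA that issued the operators' certificates.

```nginx
# Added example (not X-Payments' or X-Cart's own configuration).
# Terminate TLS in nginx and require a client certificate issued by a private
# CA before any request reaches the admin back end. The application's own
# username/password login stays as factor 1; the certificate is factor 2.
# Hostnames, ports, paths and the CA file below are hypothetical.

server {
    listen 443 ssl;
    server_name xpayments.example.com;

    ssl_certificate     /etc/nginx/server.crt;
    ssl_certificate_key /etc/nginx/server.key;

    # Request a client certificate from every connection but decide per
    # location, so the shopper-facing checkout paths stay reachable without one.
    ssl_client_certificate /etc/nginx/xpayments-ca.pem;
    ssl_verify_client      optional;
    ssl_verify_depth       2;

    # Admin back end: reject unless the presented certificate chained to our CA.
    # $ssl_client_verify is "SUCCESS", "NONE" (no cert sent) or "FAILED:<reason>".
    location /admin/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        # Pass the certificate subject for the application's audit log only;
        # the application's login form is still required after this point.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }

    # Public checkout and callback paths: no client certificate required.
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Check it with `nginx -t`, then confirm the split behaviour from a client: a request to /admin/ without `--cert`/`--key` in curl must come back 403, the same request with an operator certificate signed by the CA must reach the login page, and a request to / must succeed either way. Keep `ssl_verify_client optional` rather than `on`; with `on` the handshake itself fails for shoppers, which takes the storefront down rather than just the admin login.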