#28, 03-25-2010, 02:43 PM
hyper1 (Advanced Member, Join Date: Jun 2008, Posts: 52)

Re: X-Payments 1.0 beta testing

Quote:
Originally Posted by geckoday
It seems like you don't understand what's really going on. Merchants are already required to comply with PCI-DSS and have been for years. What is changing in July is that VISA is requiring merchants to only use software purchased from a third party that the third party has had PA-DSS certified. Therefore, there are really 4 options come July for merchants:

1) Use a gateway hosted payment page so you don't store, process or transmit card numbers
2) Use a transparent redirect gateway API like NMI (Braintree and others) or USAePay. This allows you to host the payment page but when the customer submits the page the data goes direct to the gateway server instead of your server.
3) Convince your shopping cart vendor to get PA-DSS certification for their payment module that uses a payment page on your server that submits the data to your server where it is then sent to the gateway.
4) Write your own payment module to use a payment page on your server that submits the data to your server where it is then sent to the gateway. Or you can have someone else write it for you as a one-off module (it can't be something they sell to multiple clients).

If you choose 1) or 2) you get to fill out the simplest of PCI-DSS Self Assessment Questionnaires since you never handle card numbers yourself.

If you choose 3) or 4) the complex setup in your diagram is not required by PCI-DSS. A large company may want to do it that way to reduce the systems in scope for their PCI-DSS assessment. But for your typical X-Cart shop that is a PCI level 3 or 4 merchant there is really no gain in doing it that way. In fact, it just complicates their life and costs them more money. In either 3) or 4) the merchant will probably have to fill out SAQ C or D depending on whether or not they store card numbers. No other certification is required unless the merchant is large and falls into level 1 or 2, in which case they will need an outside certification of PCI-DSS compliance no matter how they handle payments.

Thanks Ralph. I am only interested in option 3 - option 1 and 2 are not even a consideration. I understand the implications of option 3 and the increased annual cost to comply. My shopping cart vendor is x-cart, and I am convinced I have not received due diligence from x-cart in their communication regarding their efforts to bring v4.1+ into a position of compliance...until now.
__________________
Tim
x-cart pro 4.1.11, x-AOM, CDSEO, css layout - no tables (almost), free social bookmarking mod (xcartmod.co.uk - thanks), altered cart On Sale, One Page Checkout and Smart Search (all amazing products), Custom Code from CFL (the best), Hands-On Hosting for live site
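The transparent-redirect flow of option 2 above, as an added example that is not part of this thread and is not NMI's, Braintree's or USAePay's actual API: the checkout form posts the card fields straight to the gateway, and the merchant server only ever receives a signed result containing a token and the last four digits. The gateway URL, field names, HMAC-over-sorted-fields signature scheme and shared secret are all assumptions chosen for illustration. The callback handler also refuses to accept any field that looks like a full card number, so a misconfigured gateway or a tampered form cannot silently pull the merchant server back into scope.

```python
import hashlib
import hmac
import html

# Constructed values for the example; a real gateway supplies its own URL and secret.
GATEWAY_POST_URL = "https://gateway.example/transparent-redirect"
SHARED_SECRET = b"example-shared-secret"


def checkout_form(order_id: str, amount: str, return_url: str) -> str:
    """Render the merchant-hosted payment page (option 2).

    The form's action is the gateway, not the merchant server, so the card
    fields never reach the merchant when the customer submits."""
    return (
        f'<form method="post" action="{html.escape(GATEWAY_POST_URL)}">\n'
        f'  <input type="hidden" name="order_id" value="{html.escape(order_id)}">\n'
        f'  <input type="hidden" name="amount" value="{html.escape(amount)}">\n'
        f'  <input type="hidden" name="return_url" value="{html.escape(return_url)}">\n'
        '  <input type="text" name="card_number" autocomplete="off">\n'
        '  <input type="text" name="expiry">\n'
        '  <input type="text" name="cvv" autocomplete="off">\n'
        '  <button type="submit">Pay</button>\n'
        "</form>"
    )


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check used to recognise card-number-like strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True for a 13-19 digit Luhn-valid string (spaces/dashes ignored)."""
    stripped = value.replace(" ", "").replace("-", "")
    return stripped.isdigit() and 13 <= len(stripped) <= 19 and luhn_valid(stripped)


def sign_response(fields: dict, secret: bytes = SHARED_SECRET) -> str:
    """Assumed signature scheme: HMAC-SHA256 over 'k=v' pairs in sorted key order."""
    canonical = "&".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def handle_gateway_callback(posted: dict, secret: bytes = SHARED_SECRET) -> dict:
    """Merchant-side handler for the gateway's redirect back to return_url.

    Rejects unsigned, tampered or PAN-carrying responses before anything is
    persisted; on success only a token and last4 are kept."""
    fields = dict(posted)
    signature = fields.pop("signature", None)
    if signature is None:
        return {"ok": False, "reason": "missing signature"}
    # Card data must never land on this server; refuse rather than log/store it.
    for name, value in fields.items():
        if looks_like_pan(str(value)):
            return {"ok": False, "reason": f"field {name} contains card-number-like data"}
    expected = sign_response(fields, secret)
    if not hmac.compare_digest(expected, signature):
        return {"ok": False, "reason": "signature mismatch"}
    if fields.get("status") != "approved":
        return {"ok": False, "reason": f"gateway status {fields.get('status')!r}"}
    return {
        "ok": True,
        "order_id": fields["order_id"],
        "token": fields["token"],
        "last4": fields["last4"],
    }


def make_sample_callback(**overrides) -> dict:
    """Constructed gateway response, signed with the shared secret."""
    fields = {
        "order_id": "ORD-1001",
        "amount": "49.99",
        "status": "approved",
        "token": "tok_constructed_8f3a",
        "last4": "1111",
    }
    fields["signature"] = sign_response(fields)
    fields.update(overrides)  # applied after signing, so edits show up as tampering
    return fields


if __name__ == "__main__":
    print(checkout_form("ORD-1001", "49.99", "https://shop.example/return"))
    print(handle_gateway_callback(make_sample_callback()))
    print(handle_gateway_callback(make_sample_callback(amount="0.01")))
    print(handle_gateway_callback(make_sample_callback(card_number="4111 1111 1111 1111")))
```

The PAN check runs before signature verification on purpose: a response that carries a card number is rejected even if it is authentic, because the point of option 2 is that the merchant server is never a place where card numbers exist.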