http://usa.visa.com/merchants/risk_management/cisp_merchants.html#anchor_2 Visa just says "if applicable" under tier 4. I can't seem to find the definition of when these scans are "applicable". I would do the scan if I were you, but maybe search for a low cost provider.
I just found these guys:
http://www.ncircle.com/index.php?s=products_pci-compliance looks like just $25.00 per scan, or you can get an annual subscription which may lower the cost further. Again, never used them, but the price looks good...
Edit: just found this- "Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV).
Note: scanning does not apply to all merchants. It is required for SAQ C and D - those merchants with external-facing IP addresses. Basically, if you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly scan by an approved scanning vendor is required."
In most X-Payments/X-Cart installs there is some "internet connectivity" involved. So the answer is yes, you must be scanned.
Quote:
Originally Posted by componentman
If they ARE still necessary, what is the point of X-Payments?
The point is that you must use a PA-DSS validated payment application, or redirect the cardholders to the processor's site. Using a validated app is only one piece of the puzzle, you must be scanned and modify any problems with your hosting identified by the scan. Additionally you must have corporate policies in place for dealing with cardholder data. You can see an example security policy here:
https://www.pcisecuritystandards.org/docs/pci_saq_c.doc