#10
06-15-2012, 10:12 PM

gb2world
X-Wizard
Join Date: May 2006
Location: Austin, TX
Posts: 1,970

Re: Install Xpayments on development site?

I am not a QSA and also not a merchant, so I might need to be corrected ...

I don't think QT is absolved of answering questions like this about the proper installation of the software, which they probably have included in their own certification process. I think they have spent a lot of money for PA-DSS certification and the >$1k X-Payments price includes the installation instructions approved by their own QSA.

We must be able to depend on QT's installation instructions and their own PA-DSS certification. Aren't their installation instructions part of what has been certified?

I think they answer the question in their X-Payments FAQ and in the post I referenced about installing on a separate server or hosting account on a shared server. Only if I wanted to not follow those directions would I think to get my own QSA approval and/or approval from the bank's compliance officer.

Most compliance officers that I have dealt with, which is a very small sample, do not get into that kind of detail with the software that is on the PCI-DSS approved list on the PCI Security Standards website. (I don't think small businesses hire their own QSA - they rely on the PCI-DSS certification process of the vendor and self-certification?)

For software that is on the approved list on the PCI Security Standards website - all they seem to need to know is that we have properly installed it following the vendor's directions, so we can self-certify with SAQ-C. The vendor (QT) is the one that certified it, so they should be able to tell us the right way to install it and remain compliant with what their QSA certified. That is why it would be important for QT to have all these good questions answered in their installation instructions and FAQ, and not depend on each of us to get certification to that amount of detail. If you can tell the compliance officer that you are using PA-DSS certified software, demonstrate it is on the approved list, and that you have followed the vendor's installation instructions, that would seem to be enough. (You can find the X-Payments software on the web site approval list under Creative Development, LLC.)

But the more assurance you have from that person in writing, the better off you are if there ever are issues. I've just not seen bank compliance officers, in my limited experience, who understand that level of detail and answer those kinds of questions.

It is only when using something not clearly on the list, like DPM, that I've had to get the compliance officer more involved - to make sure they approve it for SAQ-A (can't use any other SAQ because it is not approved).

If I wanted to deviate from the installation instructions, I would expect that would also require re-certification, or at least, some kind of approval.

__________________
X-CART (4.1.9,12/4.2.2-3/4.3.1-2/4.4.1-5)-Gold
(CDSEO, Altered-Cart On Sale, BCSE Preorder Backorder, QuickOrder, X-Payments, BCSE DPM Module)