  #35  
Old 08-20-2009, 03:39 PM
 
geckoday
 

X-Wizard
  
Join Date: Aug 2005
Posts: 1,073
 

Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by JWait
What I was trying to say is that because x-cart "can be" configured to store CVV codes as well as other credit card information it doesn't pass.

Stone Edge Order Manager doesn't pass for the same reason,

I understood that and it's still wrong. Whether or not X-Cart or Stone Edge can be configured to store anything has no bearing on passing PA-DSS or PCI-DSS. The fact that it can be configured not to store sensitive data and that the merchant configures it that way meets PA-DSS and PCI-DSS requirements.

PA-DSS only says that when implemented following the vendor's documented PCI-DSS compliant configuration it can't store CVV codes. It doesn't say a thing about what can or can't be stored if you don't use the vendor's documented configuration.

PCI-DSS only says the merchant can't store the CVV. It says nothing about the capability of the software the merchant is using to store it if one chooses to configure it that way. You just can't configure it that way and be compliant.

BTW, CVV is the only piece of data that X-Cart deals with that can't be stored under PA-DSS and PCI-DSS requirements. For Stone Edge it would be CVV and the mag stripe track data that can't be stored. Card number, expiration date and cardholder name are all acceptable to store as long as they are properly encrypted.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com