#76, 11-19-2009, 06:48 AM

geckoday (X-Wizard)
Join Date: Aug 2005
Posts: 1,073

Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by xplorer
Thanks for the information!

If so, I guess it is allowed to install X-Payments on the same server with X-Cart provided the shared server satisfies the requirements listed in Appendix A.

As far as I understand, it will put all web applications installed on the server into PCI DSS scope. So, you will have to satisfy the requirements listed under "Requirement 6: Develop and maintain secure systems and applications" section:
  1. Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches
  2. Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet)
  3. Develop software applications in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices, and incorporate information security throughout the software development life cycle
  4. Follow change control procedures for all changes to system components
  5. Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide
  6. For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
    • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
    • Installing a web-application firewall in front of public-facing web applications
I believe the 3rd and the 5th requirements apply to all custom modifications to X-Cart and other web applications installed on the server.

Yes and no. It depends on your merchant level and implementation. If a merchant is storing card numbers or is otherwise required to fill out SAQ D, or is level 1 or 2 and therefore has an assessment done by a QSA, then yes, all of requirement 6 applies. But if a merchant is level 3 or 4, is not storing card data, and the web server has no connection to any other systems in the merchant environment, then no. In this case the merchant is eligible for SAQ C. Under SAQ C the only requirement 6 subrequirement that is listed as applicable is 6.1 - applying security patches.

For the small internet merchant, SAQ A & C are your friends. SAQ D is a nasty tar pit you don't want to step in with 238 complex requirements that a small merchant can't realistically meet. If you are OK with 100% outsourcing (Paypal, Authorize.Net SIM, etc.) and never handling card numbers yourself then SAQ A is the way to go as you have virtually no requirements to meet (11 simple requirements). But the more normal situation is you want the payment integrated into your web site and have a need to take phone orders, etc. Then you should target SAQ C by not storing card numbers. SAQ C has 38 requirements without all of the hard stuff for a small merchant to meet. These merchants are the typical X-Cart customer. For these customers only 6.1 applies.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com