#77
11-20-2009, 06:41 AM

Steel
eXpert
Join Date: Dec 2006
Posts: 253

Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by geckoday
For the small internet merchant, SAQ A & C are your friends. SAQ D is a nasty tar pit you don't want to step in, with 238 complex requirements that a small merchant can't realistically meet. If you are OK with 100% outsourcing (Paypal, Authorize.Net SIM, etc.) and never handling card numbers yourself, then SAQ A is the way to go, as you have virtually no requirements to meet (11 simple requirements). But the more normal situation is that you want the payment integrated into your web site and have a need to take phone orders, etc. Then you should target SAQ C by not storing card numbers. SAQ C has 38 requirements, without all of the hard stuff for a small merchant to meet. These merchants are the typical X-Cart customer. For these customers only 6.1 applies.

Hello Ralph,

It seems that X-Payments amounts to a gateway, and it seems logical that whoever manages it will have to deal with the "nasty tar pit" SAQ.

In studying other compliant shopping carts, it seems that X-Cart is already employing security features that would allow users to meet SAQ Validation Type 4 / SAQ C with a 3rd party gateway, and that it may only be a matter of certification, which could just amount to a set of instructions that describe X-Cart user settings/code removal/monitoring/etc. for the various PCI Data Security Standard requirements 1-12 and A1.

Can anyone confirm if some type of 3rd party gateway is required to qualify for SAQ Validation Type 4 / SAQ C compliance?
__________________
X-Cart Gold v4.6.6