11-20-2009, 07:23 AM
geckoday (X-Wizard)
Join Date: Aug 2005
Posts: 1,073

Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by Steel
Hello Ralph,

It seems that X-Payments amounts to a gateway, and it seems logical that whoever manages it will have to deal with the "nasty tar pit" SAQ.
Nope. From the description of X-Payments it sounds like it's designed like a gateway to modularize it away from the core X-Cart code - sort of a gateway to gateways. But it shouldn't have the requirement of storing card numbers that a third-party gateway does. If X-Payments doesn't store card numbers or can be configured not to store card numbers, and you are a level 3 or 4 merchant, you could host X-Payments on your own server and fill out SAQ C.

Quote:
Originally Posted by Steel
In studying other compliant shopping carts, it seems that X-Cart is already employing security features that would allow users to meet SAQ Validation Type 4 / SAQ C with a 3rd party gateway, and may only be a matter of certification, which could just amount to a set of instructions that describe X-Cart user settings/code removal/monitoring/etc. for the various PCI Data Security Standard requirements 1-12 and A1.
Mostly true, but you really have to put X-Cart up against the PA-DSS standard. I haven't looked at X-Cart 4.3 yet, but earlier versions are missing a few requirements, particularly around key management. PA-DSS requires documented software development processes and other behind-the-scenes processes that Qualiteam may or may not have in place. Certification is quite a bit more extensive than just providing an implementation guide. It requires a review by a PA-QSA, including validating development processes, penetration testing and forensic testing, and costs tens of thousands of dollars.

Quote:
Originally Posted by Steel
Can anyone confirm if some type of 3rd party gateway is required to qualify for SAQ Validation Type 4 / SAQ C compliance?
Not required by PCI-DSS, but anyone small enough to fill out an SAQ will never get certified to go direct to the big payment networks like Visanet. That's the whole reason gateways exist - to insulate the big processing networks from the small fry.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com