03-23-2012, 07:35 AM
seyfin (X-Cart team)

Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

Hello X-Carters,

We would like to inform you about major changes in upcoming X-Cart v 4.4.6 (to be released very soon, in a week or so):

1) Due to PCI-DSS requirements being enforced over the last months, we have to remove all background (aka "onsite" or "merchant hosted") credit card processing methods from the core X-Cart package. See the list of removed methods below.

A merchant that needs such credit card payment methods has to use a PA-DSS validated application like our X-Payments or go with "offsite" or "gateway hosted" methods.

2) No credit card data will be stored in X-Cart anymore (due to PCI-DSS requirements again).

3) The USPS shipping calculator module will be completely revised and updated to meet the latest USPS API requirements.

4) Two new built-in skins.

You are welcome to ask any questions.

List of the credit card processing methods removed from X-Cart since the v4.4.6 release:

* ANZ eGate - Merchant-Hosted (cc_anz_mh.php)
* AuthorizeNet - AIM (cc_authorizenet.php)
* Bean Stream (cc_bean.php)
* BluePay (cc_blue.php)
* Caledon (cc_caledon.php)
* CyberSource - SOAP Toolkit API (cc_csrc_soap.php)
* DIBS (cc_ideb.php)
* DirectOne - Direct Interface (cc_directone.php)
* ECHOnline (cc_echo.php)
* ePDQ - MPI XML (cc_epdq_xml.php)
* eProcessingNetwork - Transparent Database Engine (cc_eproc.php)
* eSec - Direct (cc_esec.php)
* eSec - ReDirect (cc_esecd.php)
* eSelect Plus - Direct Post (cc_eselect.php)
* eWAY Merchant Hosted Payment (cc_eway.php)
* First Data Global Gateway - LinkPoint (cc_linkpoint.php)
* GoEmerchant - EZ Payment Gateway Direct (cc_goem.php)
* GoEmerchant - XML Gateway API (cc_goem_xml.php)
* HeidelPay (cc_heidel.php)
* HSBC - XML API integration (cc_hsbc_xml.php)
* Innovative E-Commerce (cc_innec.php)
* iTransact (Process USA) - XML scheme (cc_processusa.php)
* Netbilling gateway - Direct (cc_netbilling.php)
* NetRegistry e-commerce (cc_nrecom.php)
* Ogone - Direct (cc_ogone.php)
* PayFlow - Pro (cc_payflow_pro.php)
* PayPal WPP Direct Payment (ps_paypal_pro_us.php and ps_paypal_pro_uk.php)
* PlugnPay - Remote Auth method (cc_plugnpaycom.php)
* PSiGate - XML Direct (cc_psigate_xml.php)
* RBS WorldPay - Global Gateway (cc_bibit.php)
* Sage Pay Go - Direct protocol (cc_protxdir.php)
* SecurePay - Non-Recurring Interface (cc_securepay.php)
* SkipJack (cc_skipjack.php)
* USA ePay (cc_usaepay.php)
* Virtual Merchant - Merchant Provided Form (cc_virtualmerchant.php)

============================================
FAQs (covering the major questions asked in this forum thread)
============================================

===
Q1:

If a store is not storing credit card information, why must it lose the ability to use Authorize.net AIM?

A1:

X-Cart is not a PA-DSS verified application, unfortunately. So, in order to handle, process and transmit cardholder data THROUGH your cart (which X-Cart's Authorize.Net AIM payment module does), you need to use other PA-DSS verified software, even if you are not storing the CC info. Or you can still use Authorize.Net AIM in the following cases:

* via a PA-DSS verified application like X-Payments on top of X-Cart.
NOTE: The web-server environment which hosts X-Payments should be PCI-DSS compatible (you should ensure the hosting provider is PCI-DSS compatible).

* via a PCI-DSS certified payment system like CRE Secure's Hosted Payment Page, thus outsourcing all cardholder data functions to a third party.

===
Q2:

I've got several sites that use AIM. What am I supposed to do now that all payment processor modules are being removed from X-Cart?

How do I upgrade them and still use authorize.net?

A2:

You can upgrade to 4.4.6, and use one of the possible solutions:

* Authorize.Net AIM via a PA-DSS verified application like X-Payments.
NOTE: The environment which hosts X-Payments should be PCI-DSS compatible.

* CRE Secure's Hosted Payment Page solution (a PCI-DSS certified payment system), which supports such payment gateways as Chase Paymentech, Authorize.net, PayPal Payflow PRO, PayPal Website Payments PRO, eProcessing Network, PayLeap, SkipJack, USAePay, FirstData.

* Authorize.Net SIM integrated into X-Cart.

===
Q3:

Does Qualiteam have any plans to release an Authorize.Net DPM solution for X-Cart?

A3:

We are considering this option at the moment, but have not made a decision yet.

One of the reasons is that different QSAs consider solutions like DPM differently, and it is not clear enough whether a merchant using the X-Cart + Auth.net DPM solution would need to complete:

* SAQ A - addressing requirements applicable to merchants who retain only paper reports or receipts with cardholder data, do not store cardholder data in electronic format and do not process or transmit any cardholder data on their systems or premises.

- OR -

* SAQ C - addressing requirements applicable to merchants who process cardholder data via payment applications connected to the Internet, but who do not store cardholder data on any computer system.

We would recommend consulting your QSA or merchant account provider directly regarding the matter.

NOTE: SAQ C, in contrast to SAQ A, requires merchants to use Payment Applications validated according to PABP/PA-DSS.

===
Q4:

Is X-Payments a PA-DSS validated payment application? And what about X-Cart?

A4:

X-Payments is a PA-DSS validated payment application, but X-Cart is not.

So, in order to meet PCI-DSS, merchants should:

1) Outsource all cardholder data processing from X-Cart to an external PCI-DSS compatible system, for example:

* "offsite" or "gateway hosted" payment solutions like Authorize.Net SIM, 2Checkout, PayPal, Checkout by Amazon, SagePay Go (Form integration), etc.
* CRE Secure's Hosted Payment Page PCI-DSS certified payment system
* PCI-DSS compatible hosting + X-Payments PA-DSS validated payment application

= OR =

2) Have their X-Cart application validated according to PA-DSS and have X-Cart's hosting be PCI-DSS compatible.

In fact, having the X-Cart software PA-DSS certified and validated is much more expensive than the price of X-Payments. Please also note that one X-Payments license allows you to connect up to 10 online stores.

===
Q5:

How many online stores can an X-Payments installation be connected to?

A5:

One X-Payments license/installation can be connected to up to 10 online stores.

====
To be continued...
__________________
Sincerely yours,
Sergey Fomin
X-Cart team
Chief support group engineer


Last edited by seyfin : 03-30-2012 at 11:57 PM.