View Single Post
Old 05-22-2010, 03:24 PM
cautious cautious is offline

Advanced Member
Join Date: Oct 2003
Location: FL, US
Posts: 64

Default Re: X-Cart and PCI-DSS / PA-DSS compliance

Originally Posted by a1deano
May i ask as iam not that clued up on this stuff, iam thinking of moving host to uk secure web hosting, their Ecommerce SSL Hosting package is PCI DSS Compliance, does this mean if i move over to them then i will be covered for accepting credit cards etc on my store.

At present i use paypal standard which isn't a very good idea as customers leave my store to pay, but iam thinking of upgrading my store so customers stay on my site to pay so does this mean id be covered if i change hosting to uk secure web hosting..

Thanks for any advise..

Just to clarify: are you worried that customers leaving your site to pay at PayPal will make you less PCI compliant? In another way, are you thinking if customers stay on your site to pay this would enhance your PCI compliance?

I hope the answers to both are not yes, yes.

We often forget that in reality, the only time a customer "stays" on one's site to pay is when they use store's gift certificates, money order, or check. At all other methods, they "leave" the store to pay. The issue is whether it is shown to the customer they are leaving and whether we collect the info and help transfer it instead of them actually entering the info at the external site. So even if you use, the customer's data has to leave your site to for the payment to occur. The only quick difference here with PayPal standard is that you help transfer the customer info to "silently" whereas the customer is involved with the transfer for PayPal

In fact, one could argue that the PayPal system, like Google Checkout is more secure for both the merchant and the customer overall. Because the customer has to login to her PayPal account to approve (pay) or not approve the payment the PayPal system gives a layer of security similar to VISA verified. Even better, if integrated normally by the merchant, PayPal Standard, PayPal Express and Google Checkout all have the advantage that the actual account# (e.g. Credit/Debit card number plus CVV, or Bank account # in the case of PayPal) is never seen nor saved by the merchant.

The net effect of this is that the customer's sensitive payment data is saved in only one place (may be two places if she uses PayPal and Google Checkout) rather than on every merchant database where she shops, including at, and all the other gateways. As we advise security-conscious customers, this is one of the situations where it is a good thing to put one's eggs in a single basket (or two at most), instead of having sensitive data all over the place at each merchant; it is the way to avoid multiple points of failure leading to more frequent data compromise.
Recommend for good deals on camping & outdoor supplies.
x-cart v4.1.10 on LAMP
Reply With Quote