X-Cart and PCI DSS / PA-DSS compliance
#21
Re: X-Cart and PCI-DSS / PA-DSS compliance
Hi guys!
If the changes to X-Cart 4.0 are not very complex, we will release a patch for it as well. Most likely it will be so. I will let you know when I have more details on the architecture of the payment module. Thanks!
#22
Re: X-Cart and PCI-DSS / PA-DSS compliance
Quote:
Thanks
__________________
My name is Steve 4.2.0
#23
Re: X-Cart and PCI-DSS / PA-DSS compliance
This question was specific to 4.0, but if you look at the top of this thread you'll see it mentions the other 4.x branches.
__________________
Padraic Ryan Ryan Design Studio Professional E-Commerce Development
#24
Re: X-Cart and PCI-DSS / PA-DSS compliance
Mr. Petrov, I applaud you for listening to your users and making the decision to give us 4.x'ers a simple, cost-effective upgrade path into PA-DSS compliance without having to recreate the entire site with v.5. Thanks!
I assume Authorize.net will be supported in this upcoming module?
__________________
X-cart version 4.2.1
#25
Re: X-Cart and PCI-DSS / PA-DSS compliance
Quote:
__________________
My name is Steve 4.2.0
#26
Re: X-Cart and PCI-DSS / PA-DSS compliance
I have just found this thread and I am very confused. Is there a simple way of defining who this applies to?
#27
Re: X-Cart and PCI-DSS / PA-DSS compliance
Quote:
Yes, Authorize.Net is one of the popular payment systems and it is in the list.
Quote:
As far as I know, if your website neither stores nor collects credit card numbers, it is not subject to PCI DSS rules. Since it depends on the payment gateway and the integration method you use, please clarify this point with your payment services provider.
#28
Re: X-Cart and PCI-DSS / PA-DSS compliance
I have gotten mixed messages from the credit card industry about how your cart will be treated if it "neither stores nor collects credit card information". My sense is that different merchant service providers are trying to figure this out too.
The answer I've been given that made the most sense to me is based on the intent of the whole PCI/PA-DSS compliance thrust. The idea is to identify holes in the credit card processing system where ill-intentioned people can gain access to someone else's credit card information, and then close the holes. The self-assessment questionnaire is most effective as a way to make site owners aware of the issues. It doesn't provide any real protection. The way a merchant service provider will know whether the merchant's site doesn't store credit cards is by audit (admittedly the current process is still pretty leaky). I believe most merchant service providers will require the software audit now (or in the near future) as the industry internalizes PCI-DSS compliance. The only loophole I could imagine post-July 2010 is that if your site passes PCI-DSS compliance and the audit validates you never see or store credit card information, you might be able to avoid the PA-DSS compliance. We'll see what tomorrow brings.
__________________
Mark in Oregon Xcart Gold version 4.1.8, 4.1.10 Linux MySQL server 3.23.58 Apache 1.3.27 PHP 4.4.2
#29
Re: X-Cart and PCI-DSS / PA-DSS compliance
Besides not storing credit card info in your database, you may also run into issues if you process the information on-site. If a purchase takes the customer off-site for processing, you should be okay.
__________________
v4.7.12 v5.4.x (In Dev)
#30
Re: X-Cart and PCI-DSS / PA-DSS compliance
I agree that you should be okay if you allow all the credit card info to be handled by your merchant service provider and your shopping cart never sees this information. However, I believe it is the case that cart owners will need to prove this to their merchant service provider. Based on less than rock-solid definitiveness, my sense is that ultimately each cart will need to pass the software audit in addition to the self-assessment questionnaire. If your volume is high enough you will also need to pass the on-site audit.
There are two main benefits of allowing the merchant service provider to handle the entire credit card info trail. We avoid the devastating cost of lost credit card information and, if we're lucky, we might avoid the PA-DSS compliance requirement...TBD Mark
__________________
Mark in Oregon Xcart Gold version 4.1.8, 4.1.10 Linux MySQL server 3.23.58 Apache 1.3.27 PHP 4.4.2
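Posts #28 and #30 both turn on the same question: can the merchant show that the cart "neither stores nor collects" card numbers? One concrete check a store owner can run before an auditor does is a scan of the database dump and web-server logs for anything that looks like a primary account number. The example below is added here and is not code from this thread, from X-Cart, or from any QSA tool. It looks for 13-19 digit runs (optionally separated by spaces or dashes), keeps only those that pass the Luhn mod-10 check that every real card number passes, and reports them truncated to first six and last four digits so the report itself does not become a new place where full PANs are written down. The sample rows are constructed for this example; the table name, column layout, script name and request parameter are hypothetical, and the card numbers are widely published test numbers, not real cards.

```python
"""Scan exported store data (DB dump rows, access-log lines) for card numbers.

Added example; not X-Cart code. Sample input below is constructed.
"""
import re
from typing import Iterable, List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    brand: str
    masked: str


# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (a 20-digit order reference is not a PAN).
_CANDIDATE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: rejects most timestamps, order ids and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> str:
    """Rough issuer guess from the leading digits, for the report only."""
    if digits.startswith("4"):
        return "Visa"
    if digits[:2] in {"34", "37"}:
        return "Amex"
    if "51" <= digits[:2] <= "55":
        return "Mastercard"
    if digits.startswith("6011") or digits.startswith("65"):
        return "Discover"
    return "unknown"


def mask(digits: str) -> str:
    """PCI DSS truncation: show at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per Luhn-valid PAN candidate, never the full number."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(n, brand_of(digits), mask(digits)))
    return findings


# Constructed sample: two dump rows holding PANs (table/columns hypothetical),
# one row holding only a gateway token, an access-log line where a hypothetical
# checkout script received a PAN in the query string (so it landed in the log),
# and a line with a long numeric order id that must NOT be reported.
SAMPLE_LINES = [
    "INSERT INTO xcart_orders VALUES (1021, 'Visa', '4111 1111 1111 1111', '2010-03-12');",
    "INSERT INTO xcart_orders VALUES (1022, 'MC', '5500000000000004', '2010-03-13');",
    "INSERT INTO xcart_orders VALUES (1023, 'n/a', 'paid via gateway token 8c2f91', '2010-03-14');",
    '10.0.0.5 - - [14/Mar/2010:10:22:01 -0700] "POST /checkout.php?card_number=378282246310005 HTTP/1.1" 200 512',
    "order_id=20100314000123 total=99.95",
]


def main() -> None:
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.brand} {f.masked}")


if __name__ == "__main__":
    main()
```

Run it against `mysqldump` output and the web-server access and error logs; a hit in the logs is the "collects" case from post #29 (the cart touched the number even if it never wrote it to a table), while a hit in the dump is the "stores" case. The Luhn filter is what keeps the order id on the last sample line out of the report.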
X-Cart forums © 2001-2020