X-Cart and PCI DSS / PA-DSS compliance
#31
Re: X-Cart and PCI-DSS / PA-DSS compliance
We have been looking into this and what it appears like to me is that all versions of X-Cart are not and cannot be PCI-DSS compliant. The reason for this is that in X-Cart you have the option to store credit card information, and this is a BIG no-no. Even if there is an "upgrade patch" it can be circumvented so that credit card information can still be stored.
For this reason, version 5 must not have the option to store credit card information and must be developed in such a way that it never can store credit card information in order to be PCI-DSS compliant. X-Cart absolutely needs to make a "database upgrade patch" that works 100% correctly 100% of the time to convert older carts to version 5. Most people can handle re-designing their site if need be, but retaining their data is of the utmost importance. Am I wrong about this?
__________________
Two Separate X-Cart Stores Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series. Integrated with Stone Edge Order Manager + POS Version 4.1.12 Gold (fresh install) - X-AOM - Linux Mods - XCSEO free
#32
Re: X-Cart and PCI-DSS / PA-DSS compliance
Quote:
As far as I can tell, you can store the credit card number and expiration date, but the three- or four-digit (CVV2/CVC) code cannot be stored. But this data must be encrypted where it is stored. You can be secure and NOT pass PCI-DSS, or insecure and pass it. See https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf (Warning: PDF), Myth #9
__________________
My name is Steve 4.2.0
#33
Re: X-Cart and PCI-DSS / PA-DSS compliance
Quote:
Another thing to note is that PCI-DSS compliance is nothing that X-Cart can do - it is the merchant that must be PCI-DSS compliant, as it includes many things with respect to the merchant environment such as anti-virus software, firewalls, etc. What Qualiteam can do and is doing is splitting out the payment part of X-Cart and getting it certified as PA-DSS compliant. What PA-DSS compliance means is that it has passed testing showing that it can be implemented in a PCI-DSS compliant manner and includes instructions for the merchant to implement it in a PCI-DSS compliant manner. It's still up to the merchant to implement it properly. Qualiteam has said they will port the modified PA-DSS compliant payment module they are developing for version 5 back to the version 4 releases. Although storing credit card numbers is allowed by PCI-DSS, I wouldn't recommend that small merchants do so. In fact, even the big boys are trying to eliminate the storage of credit card numbers. The PCI-DSS compliance hurdles needed for credit card number storage are just way too much for a small merchant, and the liability in the event of a breach too great.
__________________
Manuka Bay Company X-Cart Version 4.0.19 [Linux] UGG Boots and other fine sheepskin products http://www.snowriver.com
#34
Re: X-Cart and PCI-DSS / PA-DSS compliance
Quote:
What I was trying to say is that because X-Cart "can be" configured to store CVV codes as well as other credit card information, it doesn't pass. Stone Edge Order Manager doesn't pass for the same reason.
__________________
Two Separate X-Cart Stores Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series. Integrated with Stone Edge Order Manager + POS Version 4.1.12 Gold (fresh install) - X-AOM - Linux Mods - XCSEO free
#35
Re: X-Cart and PCI-DSS / PA-DSS compliance
Quote:
I understood that and it's still wrong. Whether or not X-Cart or Stone Edge can be configured to store anything has no bearing on passing PA-DSS or PCI-DSS. The fact that it can be configured not to store sensitive data, and that the merchant configures it that way, meets PA-DSS and PCI-DSS requirements. PA-DSS only says that when implemented following the vendor's documented PCI-DSS compliant configuration it can't store CVV codes. It doesn't say a thing about what can or can't be stored if you don't use the vendor's documented configuration. PCI-DSS only says the merchant can't store the CVV. It says nothing about the capability of the software the merchant is using to store it if one chooses to configure it that way. You just can't configure it that way and be compliant. BTW, CVV is the only piece of data that X-Cart deals with that can't be stored under PA-DSS and PCI-DSS requirements. For Stone Edge it would be CVV and the mag stripe track data that can't be stored. Card number, expiration date and cardholder name are all acceptable to store as long as they are properly encrypted.
__________________
Manuka Bay Company X-Cart Version 4.0.19 [Linux] UGG Boots and other fine sheepskin products http://www.snowriver.com
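One way to turn the storage rule stated in this post into a defender's check, as an added example that is not X-Cart's, Stone Edge's or Qualiteam's code: an audit over stored order rows that flags a retained CVV, magnetic-stripe track data and cleartext card numbers, while leaving encrypted or masked card numbers alone. The field names and sample rows are constructed assumptions, not X-Cart's schema.

```python
import re
from typing import Dict, List, Tuple

# Field names a cart might use for the card security code (assumed, not X-Cart's schema).
CVV_FIELDS = {"cvv", "cvv2", "cvc", "cid", "card_code", "security_code"}
# Magnetic-stripe track 1 ("%B<PAN>^...") and track 2 (";<PAN>=<YYMM>...") formats.
TRACK_RE = re.compile(r"^%B\d{13,19}\^|^;\d{13,19}=\d{4}")
# A bare run of 13-19 digits is a candidate cleartext PAN; the Luhn check filters most order ids.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled (and 9 subtracted if > 9)
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def audit_record(record: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (field, issue) pairs for data that must never sit in an order table."""
    findings = []
    for field, value in record.items():
        key, text = field.lower(), str(value)
        if key in CVV_FIELDS and text.strip():
            findings.append((field, "cvv_stored"))      # never storable, even encrypted
        if TRACK_RE.search(text):
            findings.append((field, "track_data"))      # full stripe contents, never storable
        if any(luhn_ok(m.group()) for m in PAN_RE.finditer(text)):
            findings.append((field, "cleartext_pan"))   # PAN may be kept only encrypted or masked
    return findings


# Constructed sample rows, not real orders. The first keeps only an encrypted PAN plus a
# masked copy for display; the second is what a mis-configured cart leaves behind.
CLEAN_ORDER = {"orderid": "10023", "cardholder": "Jane Doe", "expire": "12/12",
               "card_number_enc": "enc:Zm9vYmFyYmF6cXV4", "card_masked": "4111********1111",
               "cvv": ""}
BAD_ORDER = {"orderid": "10024", "cardholder": "Jane Doe", "expire": "12/12",
             "card_number": "4111111111111111", "cvv": "123",
             "track2": ";4111111111111111=1212101?"}

if __name__ == "__main__":
    for name, row in (("clean", CLEAN_ORDER), ("bad", BAD_ORDER)):
        print(name, audit_record(row))
```

The PAN check is a heuristic: a 13-19 digit value that happens to pass Luhn (some order or tracking numbers) will be flagged and needs a human look.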
#36
Re: X-Cart and PCI-DSS / PA-DSS compliance
I don't mean to be obtuse here, but going by what you say I take it to mean that all a shopping cart vendor has to do is be able to configure their cart to not process or save any credit card information to be in PCI-DSS / PA-DSS compliance. What the buyer of the shopping cart software does after that shouldn't affect the software vendor's compliance, only the software buyer's compliance. Since X-Cart does that now, why isn't it compliant?
__________________
Two Separate X-Cart Stores Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series. Integrated with Stone Edge Order Manager + POS Version 4.1.12 Gold (fresh install) - X-AOM - Linux Mods - XCSEO free
#37
Re: X-Cart and PCI-DSS / PA-DSS compliance
Quote:
There are really three different compliance issues we are talking about:
But this is not how most people use X-Cart and other shopping cart software. Most people want a more integrated checkout process where there is no jump out to a form on a payment gateway web site and then back to their site. So they are using Authorize.Net AIM, PayPal Payflow Pro or another gateway API where the credit card number is sent to the X-Cart software, which behind the scenes sends it along to the payment gateway. When you configure X-Cart this way it becomes your payment application and now compliance is required on all three fronts. This requires X-Cart to be PA-DSS compliant, you must configure X-Cart according to whatever configuration standards Qualiteam documents as part of their PA-DSS certification, and your web server must be configured to be PCI-DSS compliant. This will make you compliant with the VISA PA-DSS mandate. This is why PA-DSS compliance is an issue for a majority of X-Cart users. Essentially, PA-DSS certification ensures the software:
__________________
Manuka Bay Company X-Cart Version 4.0.19 [Linux] UGG Boots and other fine sheepskin products http://www.snowriver.com
#38
Re: X-Cart and PCI-DSS / PA-DSS compliance
This is a nightmare. Of course, speaking as a merchant. It is a whole different story if I am just a customer - I want this security from the sites I will be buying from.
__________________
Steve Stoyanov CFLSystems.com Web Development
#39
Re: X-Cart and PCI-DSS / PA-DSS compliance
Quote:
What's the current status on the PA-DSS certified Authorize.net AIM payment module? Do you think it will be ready soon? You said in the thread that it should be ready in the next month or so?
__________________
X-Cart version 4.2.3 PHP 5.2.9 Details MySQL server 5.1.30 Web server Apache/2.2.11 Linux Addons: none
#40
Re: X-Cart and PCI-DSS / PA-DSS compliance
The PA-DSS compliant payment module has been moved out to January 2010. See http://www.x-cart.com/roadmap.html
__________________
Manuka Bay Company X-Cart Version 4.0.19 [Linux] UGG Boots and other fine sheepskin products http://www.snowriver.com
X-Cart forums © 2001-2020