X-Cart and PCI DSS / PA-DSS compliance
#121
Re: X-Cart and PCI-DSS / PA-DSS compliance
Some QA people would say that you store the credit card number in the memory of your server, as it is your server that serves up and processes the credit card form. Further, they may say that X-Cart is a payment application, and as such it is not PA-DSS compliant software and thus on 1st July you must stop using it.
The crux of the problem is the opinion of the person who says you are PCI compliant. Clearly, as it is your server that hosts the payment form, it is more vulnerable to hackers than a form hosted on, say, Sage's server. Sooner or later you will be asked to ensure that your server is PCI compliant (and shared servers CAN be PCI compliant).
#122
Re: X-Cart and PCI-DSS / PA-DSS compliance
Quote:
It won't be a simple upgrade. However, since we will use the same CSS-based skin templates, I believe it won't require a complete redesign either.
Quote:
As far as I understand the standard, if credit card data ever touches your server (and it does with SagePay Direct: PHP scripts receive it from a customer's browser and send it to SagePay's server), your server is in the PCI scope. Although the SAQ-C form omits some requirements, I guess it still requires you to use a PA-DSS verified payment application (the one that transmits card data from a customer's browser to a gateway's server) on a PCI DSS compliant server (there is a special section related to shared hosting in the standard). X-Payments will be a PA-DSS verified payment application that processes SagePay Direct payments in a PCI DSS compliant manner.
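Posts #121 and #122 both turn on the same scoping fact: with a direct integration such as SagePay Direct, the PAN arrives in a request handled by your own PHP script, so it sits in your server's memory and, if anyone ever enabled debug output or logged request bodies, in your logs. A practical first check before answering an SAQ is to search those logs for card numbers. The scanner below is an added example written for this thread; it is not X-Cart or X-Payments code and the log lines in it are constructed, not from any real store. It flags 13-19 digit runs that pass the Luhn check (which screens out order numbers and timestamps) and reports them masked to the first six and last four digits so the report itself does not become cardholder data.

```python
"""Find Luhn-valid card numbers (PANs) in web-server log lines.

Added example, not code from the X-Cart project. The sample log lines
are constructed for the demonstration; the path names are assumptions.
"""
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(line: str) -> str:
    """Replace every Luhn-valid PAN in the line with its masked form."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(_sub, line)


@dataclass
class Finding:
    line_no: int
    masked_pan: str
    redacted_line: str  # safe to paste into a report or ticket


def find_pans(log_lines) -> list:
    """Return one Finding per Luhn-valid PAN found in the given lines."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(n, mask(digits), redact(line)))
    return findings


# Constructed sample: an access-log line, two debug lines and an error line
# from a hypothetical direct-integration payment script.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jul/2010:10:02:11] "POST /payment/sagepay_direct.php HTTP/1.1" 200 512',
    "[debug] sagepay_direct.php request: cardNumber=4111111111111111&expiry=0512&cv2=123",
    "[debug] order 20100701123456 created for customer 8675309",
    "[error] gateway timeout; retrying with 5555-5555-5555-4444",
]

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.masked_pan}  ->  {f.redacted_line}")
```

Run it against a copy of your PHP error log and any application debug log; a single hit means cardholder data has already been written to disk on that host, which is exactly the situation the thread describes as pulling the server into scope. The access-log line yields no hit because ordinary access logs do not record POST bodies; the order number is a 14-digit run that fails Luhn and is correctly skipped.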
#123
Re: X-Cart and PCI-DSS / PA-DSS compliance
Quote:
That will make you PCI compliant without the X-Payments addon. Unfortunately, on top of PCI compliance VISA is mandating that all merchants use PA-DSS certified payment applications starting July 2010. X-Cart is not PA-DSS certified. X-Payments will be PA-DSS certified so you'll need to go to X-Payments at some point.
__________________
Manuka Bay Company X-Cart Version 4.0.19 [Linux] UGG Boots and other fine sheepskin products http://www.snowriver.com
#124
Re: X-Cart and PCI-DSS / PA-DSS compliance
Cheers Ralph.
#125
Re: X-Cart and PCI-DSS / PA-DSS compliance
Quote:
What you are seeing is a result of the fact that the card brands leave it up to the acquirer to decide what proof of PCI compliance is required from small merchants. So it will vary what hoops any particular merchant will need to jump through. We will probably see the same thing with the PA-DSS mandate. A few months back someone posted that they couldn't get a new merchant account because X-Cart isn't PA-DSS certified. But overall, I think some acquirers will enforce it and some won't especially early on. Over time most will enforce it.
__________________
Manuka Bay Company X-Cart Version 4.0.19 [Linux] UGG Boots and other fine sheepskin products http://www.snowriver.com
#126
Re: X-Cart and PCI-DSS / PA-DSS compliance
Hmmm. I'm assuming ... more hoping ... that Streamline will turn around to us and say "You have to get a scan, bla bla bla moan moan moan..."
#127
Re: X-Cart and PCI-DSS / PA-DSS compliance
I just wish we could get a working copy of X-Payments to see what will be required to integrate it with our web sites. We are getting extremely close to the deadline, and have no hint of what we are going to use.
__________________
Xcart 5.1.6 Building New Store Xcart4.6.4 Gold Plus Xcart 4.6.4 Platinum Smart Template, Mail Chimp Upgrade Checkout One (One Page Checkout) Checkout One X-Payments Connector Checkout One Deluxe Tools Call For Price On Sale Module Buy Together Module MAP Price MOD
#128
Re: X-Cart and PCI-DSS / PA-DSS compliance
Has anyone actually received a notice from their processor informing them that their cart needs to be certified and compliant?
I haven't received any notification so far. Steve
__________________
Version 4.1.8 & 4.1.9 ezcheckout4.1.x cdseolinks2 product_metatags41x shipping_per_product41x http://www.earthsmagic.com
#129
Re: X-Cart and PCI-DSS / PA-DSS compliance
Quote:
Someone has been denied a merchant account because X-Cart is not PA-DSS certified. http://forum.x-cart.com/showpost.php?p=263045&postcount=5 This is because the VISA mandate phase kicked in last year that requires acquirers to only board new merchants who are PCI-DSS compliant or are using software that is PA-DSS compliant. Apparently, some acquirers are missing the "or" in that and are requiring PA-DSS compliance for new merchants. In July of this year the next phase of the mandate kicks in requiring acquirers to ensure their merchants are only using PA-DSS compliant applications. No "or PCI-DSS compliant" in the July mandate.
__________________
Manuka Bay Company X-Cart Version 4.0.19 [Linux] UGG Boots and other fine sheepskin products http://www.snowriver.com
#130
Re: X-Cart and PCI-DSS / PA-DSS compliance
Quote:
While I haven't received any personally, I know someone that got a notice from his processor (I think Wells Fargo) that he will be billed an extra $20.00 a month for being "non-compliant" and charged at the "card not present" rate even if the card is swiped. He figures for all of the stress and hassle involved it is an acceptable cost of doing business.
__________________
Two Separate X-Cart Stores Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series. Integrated with Stone Edge Order Manager + POS Version 4.1.12 Gold (fresh install) - X-AOM - Linux Mods - XCSEO free
X-Cart forums © 2001-2020