X-Payments 1.0 beta5 announcement
#271
Re: X-Payments 1.0 beta5 announcement
Canuck, since this issue is server related we have to ask you to help debug code. I am sorry for this frustration but you are the only person with such a problem at the moment.
With regards to BeanStream partial capturing - I see you are discussing this issue with our complaints manager already as well as slow response time. This is the right way.
__________________
Sincerely yours, Alex Mulin VP of Business Development for X-Cart X-Payments product manager
#272
Re: X-Payments 1.0 beta5 announcement
Quote:
I have just downloaded and installed the official release of x-payments and have set the LUHN option above to "Y" and I am still getting the issue that this was supposed to have fixed. Do we still have to apply this patch if we are using the actually Released non-beta version?
__________________
Version 4.3.2
#273
Re: X-Payments 1.0 beta5 announcement
Quote:
As for ideas.x-cart.com - when you reopen one page checkout or give me my votes back I might actually visit there again. One page checkout was closed with credit card payments still being two pages. I didn't get my votes back so I gave up on it being a way to actually influence development. Don't tell me it can't be done - other carts do it and third parties are starting to do it for X-Cart. You guys need to start thinking customer friendly instead of tech-nerd excuses and over-engineering.
__________________
Manuka Bay Company X-Cart Version 4.0.19 [Linux] UGG Boots and other fine sheepskin products http://www.snowriver.com
#274
Re: X-Payments 1.0 beta5 announcement
I asked about the pins in the beginning of this thread and did not get an answer. Hope you do get one so we all know.
__________________
Steve Stoyanov CFLSystems.com Web Development
#275
Re: X-Payments 1.0 beta5 announcement
Quote:
You refer to PCI-DSS, however we should check PA-DSS. https://www.pcisecuritystandards.org/pdfs/pci_pa_dss.pdf
It says that:
Quote:
When you log in to your application, do you access it remotely? Yes. That's why we need two-factor authentication, i.e. PIN codes.
Quote:
No.
__________________
Eugene Kaznacheev, Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009) ex-Head of X-Cart Tech Support Department ex- X-Cart Hosting Manager - X-Cart hosting ex-X-Cart Technical Support Engineer Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
#276
Re: X-Payments 1.0 beta5 announcement
Quote:
"PCI DSS requirement 8.3 is intended to apply to users that have remote access to the network, where that remote access could lead to access to the cardholder data environment. In this context, remote access refers to network-level access originating from outside the company's own network"
So it's VPN-style network-level access that is being referred to, not web application logins. If remote access included people logging into a web application then every gateway out there would be in violation of PCI-DSS 8.3. But all the gateways are QSA certified.
As PA-DSS 11.2 is derived from PCI-DSS 8.3 the same definition of remote access applies. Granted PA-DSS 11.2 could be written better for clarity (as can a whole lot of PCI-DSS and PA-DSS) but the references back to the PCI-DSS requirements are there so you can refer back to the PCI-DSS to understand the intent of the PA-DSS requirements.
You might also want to take a look at the fact that none of your competitors (at least that I have been able to find) that are PA-DSS certified have implemented two factor authentication.
__________________
Manuka Bay Company X-Cart Version 4.0.19 [Linux] UGG Boots and other fine sheepskin products http://www.snowriver.com
#277
Re: X-Payments 1.0 beta5 announcement
I had the wonderful pleasure of being on a webinar with Coalfire (an IT Audit & Compliance company) earlier today. QualiTeam really need to get in contact with them on things as it's all clearly spelled out when they go through things as to what's needed and what's not.
There are sections in the PCI-DSS which require the logging of all logins to a system, but again, it refers back to the section Ralph talked about - it requires logins through a remote system (physical access, root access or machine access through remote computer) - it does not require login tracking of customers through a web interface (which is what our customer thought it required). While the two guides (PCI-DSS & PA-DSS) are black and white, there are cross references to each other and interpretation required.
__________________
Conor Treacy - Big Red SEO - @bigredseo Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding! If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet. Omaha SEO Office with National & Local SEO Services Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
#278
Re: X-Payments 1.0 beta5 announcement
> I have just downloaded and installed the official release of x-payments
> and have set the LUHN option above to "Y" and I am still getting the
> issue that this was supposed to have fixed. Do we still have to apply
> this patch if we are using the actually Released non-beta version?
No, you do not need to apply the patch if you see that option. It means you downloaded a software package with the patch applied already. Set "Y" there and you'll disable the LUHN check.
UPDATE: I just noticed you say you still get the issue despite the option being enabled. I advise you to contact our techs for help either using your HelpDesk account at https://secure.qtmsoft.com or at helpdesk@qtmsoft.com
__________________
Sincerely yours, Alex Mulin VP of Business Development for X-Cart X-Payments product manager
Last edited by ambal : 07-15-2010 at 05:32 AM.
#279
Re: X-Payments 1.0 beta5 announcement
Quote:
Ralph, I appreciate your impressive knowledge of all this PCI-DSS related stuff and your input in the discussion. However I cannot agree with you on this point.
1. PA-DSS is applied to the payment application only. It isn't applied to a server or a network environment, so PA-DSS cannot have any requirements for how you log in to your network. It has requirements for how you connect to your application.
2. Payment gateways are not certified by PA-DSS, because they are not payment applications (in terms of PA-DSS). They're certified using PCI-DSS. As you said, PCI-DSS requires two factor authentication for network environment, not to the gateway's backend itself. Thus gateways don't have it. However PA-DSS requires this feature for all kinds of "remote access" and doesn't give any clear description what "remote access" is. If you check the doc, you will not find any word about network there. When you log in to your X-Cart or X-Payments backend, do you access your orders database remotely? I think you do.
3. The last and the main one. The initial version of X-Payments didn't have the two factor authentication (e.g. PINs) at all. This feature was added by our QSA's demand. They have discussed this internally and decided that "remote access" term includes the web logins.
__________________
Eugene Kaznacheev, Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009) ex-Head of X-Cart Tech Support Department ex- X-Cart Hosting Manager - X-Cart hosting ex-X-Cart Technical Support Engineer Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
#280
Re: X-Payments 1.0 beta5 announcement
Quote:
Your PA-QSA should know that PA-DSS is not intended to define new requirements above and beyond PCI-DSS - it's intended to make sure your application doesn't prevent a merchant from implementing your application in a PCI-DSS compliant manner.
__________________
Manuka Bay Company X-Cart Version 4.0.19 [Linux] UGG Boots and other fine sheepskin products http://www.snowriver.com
X-Cart forums © 2001-2020