Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls
 

Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

 
Closed Thread
   X-Cart forums > News and Announcements
 
Thread Tools
  #91  
Old 04-02-2012, 09:37 AM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Quote:
We have a customer that is using a payment module like authorize.net (cc info entered on their website) and they recently passed their PCI compliance audit

It isn't being enforced by all Merchant Banks yet - seems they are as confused as everyone else. I have some clients who were immediately made to switch, others haven't been forced to yet.

Also, don't confuse a PCI compliance server scan with PA-DSS compliance - a PA-DSS compliant cart can't be picked up by a scan (yet), it is self-reported.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
  #92  
Old 04-02-2012, 09:38 AM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Quote:
What is the difference between one "website" or "up to 10 online stores"...am I missing the definition of a website? You can't run 10 online stores on one website, right? So for X-Payments all stores would be processed through one instance of X-Payments?

They are saying you can have X-Payments installed and run 10 different site's payments through it. Of course, no one will ever do this because the url will change, and you'd need to generically brand it. If someone is on redwidget.com and ends up at a checkout with bluewidget.com graphics, they will of course freak out and leave without completing the payment. So, you really need one X-Payments license PER URL. A 10 store license doesn't do anything for you.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development

The following user thanks balinor for this useful post:
Sara (04-02-2012)
  #93  
Old 04-02-2012, 09:41 AM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

nick, that pretty much covers it, yes. Just keep in mind that the DPM solution is a grey area - it technically gets around the requirement but some really strict enforcement types may find a problem with it.

We have used this solution with many of our clients and so far they have all passed without a problem. BCS did a great job with it, very few if any glitches, and that was mostly due to some of our custom coding conflicting with it.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development

The following user thanks balinor for this useful post:
nickff (04-02-2012)
  #94  
Old 04-02-2012, 09:49 AM
  totaltec's Avatar 
totaltec totaltec is offline
 

X-Guru
  
Join Date: Jan 2007
Location: Louisville, KY USA
Posts: 5,823
 

Default Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

I am starting to doubt that the BCSE module is compliant on it's own. From what I understand PA DSS determines whether or not an application is secure. So if X-cart is not secure, or at least not validated as such, how can the BCSE module fix that?

It is still a form on your website, whether it is in an Iframe or not I'm not sure. Even if it is an Iframe or some other method, a hacker that compromised X-cart, could easily transform that into a form that submits the info to him. And if X-cart itself is not validated as safe from such intrusion, then it seems this would not be compliant.

I think we need to clear up once and for all whether iframes or forms that post directly to the merchant provider's site are compliant or not. Love to hear thoughts on this.
__________________
Mike White - Now Accepting new clients and projects! Work with the best, get a US based development team for just $125 an hour. Call 1-502-773-6454, email mike at babymonkeystudios.com, or skype b8bym0nkey

XcartGuru
X-cart Tutorials | X-cart 5 Tutorials

Check out the responsive template for X-cart.
  #95  
Old 04-02-2012, 09:55 AM
  cflsystems's Avatar 
cflsystems cflsystems is offline
 

Veteran
  
Join Date: Apr 2007
Posts: 14,197
 

Default Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

My payment gateway offers 3 ways of processing payments - on the site, hosted page and iframe. According to them the hosted page and iframe options take you out of the scope. Since the iframe is generated and passed to the site from the payment gateway server and processed directly by them this option should be ok
__________________
Steve Stoyanov
CFLSystems.com
Web Development
  #96  
Old 04-02-2012, 10:00 AM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

We talked about this a lot back when these regs first came out, and pretty much everyone agreed that the Direct Post Method (DPM) is an acceptable solution.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development

The following 2 users thank balinor for this useful post:
eddy (04-03-2012), nickff (04-02-2012)
  #97  
Old 04-02-2012, 10:09 AM
 
Sara Sara is offline
 

Advanced Member
  
Join Date: Mar 2010
Posts: 75
 

Default Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Quote:
Originally Posted by balinor
They are saying you can have X-Payments installed and run 10 different site's payments through it. Of course, no one will ever do this because the url will change, and you'd need to generically brand it. If someone is on redwidget.com and ends up at a checkout with bluewidget.com graphics, they will of course freak out and leave without completing the payment. So, you really need one X-Payments license PER URL. A 10 store license doesn't do anything for you.

Then if I have 2 PURCHASED X-Cart Licenses I should have been "gifted" 2 X-Payments Licenses. Otherwise I should have ordered X-Cart separately (2 separate logins.) That's a joke.

Quite frankly it would be cheapest to do the free version of PayPal b/c that sends you to a 3rd party website, too, and directs you back, which is why we pay the $30/month fee for PayPal Pro to be a smooth transition so it looks professional. $1000+ is not an option. For that I'm guessing I can find a cart that is compliant.
__________________
www.foxvalleyviews.com
X-Cart 4.5.4
www.expressionsunglasses.com
X-Cart 4.5.4
hosted by handsonwebhosting.com (and I LOVE them!)
  #98  
Old 04-02-2012, 10:18 AM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Yes, it was slap in the face that they did that. I managed 20 of my clients' licenses when they 'gifted' them. If each client had their own license, they all would have had one - but since I managed them, I would have had to shell out the extra $$$ for their licenses as I promised them it would be free (Qualiteam said it would be and didn't mention the 'one per account' rule until later). Whole threads on this in the Rants and Raves forum.

Yes, PayPal standard is indeed an option - but keep in mind that sending your client to an offsite gateway, particularly PayPal, can hurt your conversion rate. Some people don't like PayPal, and adding an extra step always hurts conversions.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
  #99  
Old 04-02-2012, 10:28 AM
  tam10's Avatar 
tam10 tam10 is offline
 

eXpert
  
Join Date: Mar 2007
Posts: 252
 

Default Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

What about Google checkout is it compliant or not?
__________________
Tammy
x-cart gold + 4.7.2
x-cart 5.2.10

  #100  
Old 04-02-2012, 10:31 AM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Yes, anything that allows customers to pay OFF your site takes you out of compliance scope.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
Closed Thread
   X-Cart forums > News and Announcements



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 05:19 PM.

   

 
X-Cart forums © 2001-2020