Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

 
X-Cart forums > News and Announcements
#221  06-11-2012, 10:35 AM
Dawn Howard (eXpert; Join Date: Apr 2006; Posts: 229)
Re: Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

Currently a customer places an order and inputs their credit card info; we print the order off and process our charges manually. Does that mean we are not PCI-DSS compliant?


If so, does that mean I need to install X-Payments? I know nothing about X-Payments. Will I still be able to print the orders off and manually charge them?

Thanks in advance,
Dawn
__________________
Dawn
X-Cart Business 5.3.6.3
Mods:
Qty input - Custom Mod
Part numbers near title - Custom Mod
Membership approval before ordering - Custom Mod
Order Forms - Custom Mod
Freight on Board - Custom Mod
Catalog Order Form
Call For Price
Template: Crisp White skin
Running on Windows
#222  06-11-2012, 10:44 AM
cflsystems (Veteran; Join Date: Apr 2007; Posts: 14,197)
Re: Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

Quote:
Originally Posted by Dawn Howard
...and manually charge them

Just this is good enough to put you out of business. Unless you are ready to invest tens of thousands of dollars (if not more) each and every year you cannot store CC info. And even if you do have that kind of money to invest it is just not right. You need to either use X-Payments to process payments - not manually - or a payment gateway hosted page. Anything else is asking for trouble.
Your current setup makes you non-compliant and subject to fines if your bank finds out.
__________________
Steve Stoyanov
CFLSystems.com
Web Development

The following user thanks cflsystems for this useful post:
ambal (06-12-2012)
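To make the "you cannot store CC info" point checkable in practice, here is an added example (not code from this thread, and not part of X-Cart or X-Payments) that scans exported order records for anything that looks like a stored card number. It combines a digit-run pattern with the Luhn check so that order IDs and part numbers that merely look numeric are filtered out, and reports only a masked form of each hit. The order records and the card numbers in them are constructed for the example (the numbers are standard test numbers, not real cards); a merchant who has moved to a hosted page or X-Payments can run the same logic over a database export to confirm that no PANs remain in the store.

```python
import re

# Constructed sample order records, shaped like a simple export from a
# store database. Card numbers are publicly documented test numbers.
SAMPLE_ORDERS = [
    {"order_id": 1001, "customer": "A. Smith", "notes": "Ship ASAP",
     "payment_details": "4111 1111 1111 1111 exp 12/14"},
    {"order_id": 1002, "customer": "B. Jones", "notes": "Gift wrap",
     "payment_details": "paid via hosted page, txn ref 7f3a9c"},
    {"order_id": 1003, "customer": "C. Lee",
     # A part number that looks like a card number but fails Luhn.
     "notes": "Part no 5500-0000-0000-0001",
     "payment_details": "5500000000000004"},
]

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the normalised digit strings of every Luhn-valid PAN candidate in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan):
    """Keep first six and last four digits, as a report should never carry the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_orders(orders):
    """Scan every string field of every order; return one finding per stored PAN."""
    findings = []
    for order in orders:
        for field, value in order.items():
            if not isinstance(value, str):
                continue
            for pan in find_pans(value):
                findings.append({"order_id": order["order_id"],
                                 "field": field,
                                 "masked": mask(pan)})
    return findings


if __name__ == "__main__":
    for f in scan_orders(SAMPLE_ORDERS):
        print("order {order_id}: PAN found in field '{field}' ({masked})".format(**f))
```

On the constructed records this reports orders 1001 and 1003 (both in `payment_details`) and stays silent on the part number in order 1003, which matches the digit pattern but fails Luhn. Any hit on a real export means cardholder data is being stored and the affected rows, backups and printed copies need to be dealt with before an assessment.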
#223  06-11-2012, 11:07 AM
joelrhome (Advanced Member; Join Date: Dec 2003; Posts: 89)
Re: Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

Quote:
Originally Posted by Dawn Howard
...does that mean I need to install X-Payments? I know nothing about X-Payments...

Dawn,

There are several options to keep your website out of scope for PCI Compliance. What you need to do is assess how you want your customers to checkout of your website and what the cost factors are involved and make the decision yourself.

X-Payments: $1189 up front
- Customer goes to a new page after submitting the order, then back to the checkout completion.

Hosted Payment Page: No up front cost, unless required by payment processor - Customer goes to a different website to enter their cc info, then is redirected back to your website after successful payment

BCS Engineering's Authorize.net DPM Module - $149 Customer enters their cc info on the checkout page. Requires Auth.net account. Your QSA will determine if this is PCI Compliant or not. From what I understand, some will and some won't

Our XCharge Module: No up front cost - Customer does NOT leave the checkout page to enter their cc info, but enters it into the secure modal box. This method requires an Accelerated Payment Technologies (XCharge) account.

I hope that helps...
__________________
Joel Rhome
x-cart 4.4.X
#224  06-11-2012, 11:44 AM
Dawn Howard (eXpert; Join Date: Apr 2006; Posts: 229)
Re: Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

Thank you Steve.

Does X-Payments deposit the money directly to our bank account?
__________________
Dawn
X-Cart Business 5.3.6.3
Mods:
Qty input - Custom Mod
Part numbers near title - Custom Mod
Membership approval before ordering - Custom Mod
Order Forms - Custom Mod
Freight on Board - Custom Mod
Catalog Order Form
Call For Price
Template: Crisp White skin
Running on Windows
#225  06-11-2012, 01:00 PM
cflsystems (Veteran; Join Date: Apr 2007; Posts: 14,197)
Re: Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

First let me say that if you bought your XC license before May 1, 2010 (I believe that was the date) you are entitled to one free copy of X-Payments.

Second - X-Payments is not a payment processor. It is simply a bridge between your XC store and your payment processor (payment gateway). If you want to process CC payments on your website and you want to be compliant you have to use a certified application - X-Payments is a certified application. X-Payments will not collect or deposit funds to your bank account; your payment gateway and merchant account do this.
__________________
Steve Stoyanov
CFLSystems.com
Web Development

The following user thanks cflsystems for this useful post:
ambal (06-12-2012)
#226  06-11-2012, 01:04 PM
gb2world (X-Wizard; Join Date: May 2006; Location: Austin, TX; Posts: 1,970)
Re: Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

Quote:
DPM ... Your QSA will determine if this is PCI Compliant or not. From what I understand, some will and some won't
I have not seen anyone report that a QSA or compliance officer has rejected the DPM method. I've seen doubts expressed about the method here on the forum and in discussions with QT, but never anyone who actually reported it was reviewed and rejected by a QSA or compliance officer at a bank.

---
__________________
X-CART (4.1.9,12/4.2.2-3/4.3.1-2/4.4.1-5)-Gold
(CDSEO, Altered-Cart On Sale, BCSE Preorder Backorder, QuickOrder, X-Payments, BCSE DPM Module)
#227  06-11-2012, 01:27 PM
joelrhome (Advanced Member; Join Date: Dec 2003; Posts: 89)
Re: Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

I have not personally heard any reports either way. I am basing my statement on the fact that in order to maintain PCI DSS Compliance, cc info must be entered into a PCI DSS Validated application. Since with DPM, the cc info is still entered directly into x-cart generated form fields, then it is technically not being entered into a validated application. That is why it is a questionable method, and why some have doubts.

Leaving it up to the QSA pretty much covers your tracks if they are ok with it. For me though, I have personally looked at developing a DPM module when it became available. My issue is that based on the above fact, I did not choose this for my clients since it was too risky for me. I want to be 100% certain, so I don't have to uproot a client down the road.

I have been getting calls about X-Payments requiring a separate SSL cert. I haven't looked into this personally, since my clients are going with our solution. If anyone else can shed some light on it, I am curious.
__________________
Joel Rhome
x-cart 4.4.X
#228  06-11-2012, 04:51 PM
gb2world (X-Wizard; Join Date: May 2006; Location: Austin, TX; Posts: 1,970)
Re: Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

I have a couple of emails from compliance officers of different banks who accepted the implementation of the use of DPM and still being able to fill out SAQ-A.

DPM is especially useful for clients who already use and want to continue using Authorize.net. I agree that you assume some risk if you implement it without the acceptance from the bank. Also, if you ever have to make a case, it will be easier if the software is on the PA-DSS certified list.

I do always try to pursue something other than X-Payments - just because of the expense of the software and installation. Your XCharge module is another option which I am appreciative of and will be showing it to people as another option.

Quote:
X-Payments requiring a separate SSL cert
There is a note on this thread from QT recommending installing X-Payments on a separate server or its own hosting account - which then would require its own SSL. (See the end of post 135 which has some X-Payments installation information.)

---
__________________
X-CART (4.1.9,12/4.2.2-3/4.3.1-2/4.4.1-5)-Gold
(CDSEO, Altered-Cart On Sale, BCSE Preorder Backorder, QuickOrder, X-Payments, BCSE DPM Module)
#229  06-12-2012, 12:20 AM
adriant (Senior Member; Join Date: May 2006; Posts: 190)
Re: Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

Have just been through the complete PCI compliance testing and form filling.... what a pain.

Have discovered several things.

With HSBC your compliance is logged against your account either as a 'yes' or 'no'. If you don't have a recognised compliance they will be starting to impose fines of £50 per month. I was advised that this may increase and they may withdraw merchant services if you aren't compliant in a reasonable time.

Was also advised that if you use a compliance company other than the one they recognised there will be an admin charge for administration and obtaining the certification.

Unless you have dedicated servers it is easier to use a third party processor such as SagePay. The security scanning is intensive and will show up any defects.

If you use a third party processor you will most probably have a virtual terminal as well. This means that the point that you access this terminal will have to be security tested as well.

If you have VOIP phone that you take Credit Card numbers on from customers this will have to be security tested as well.

The security testing has to be done once a quarter and the compliance questionnaire has to be done once a year. Cost of two scans and questionnaire is £75 per year.

As we had only a standard Merchant number with HSBC, this allowed us to use their virtual terminal, we had to get another merchant number from them to use SagePay. So now we have 2 merchant numbers.... and paying for both. We are looking into dropping the original one if we can.

Total time from applying to SagePay, getting the new Merchant number, getting the scans done and completing the CAT-C questionnaire (with help as it is quite technical) - 10 days.

The HSBC approved security company automatically notify HSBC of the results and certifications.

Hope this is of interest.
__________________
Xcart gold Plus V4.7.12
REBoot(REdux)

https://www.serpro.co.uk
#230  06-12-2012, 02:53 AM
ambal (X-Cart team; Join Date: Sep 2002; Posts: 4,126)
Re: Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

> I have been getting calls about X-Payments requiring a separate SSL cert.

We bundle new X-Payments licenses with a free 1yr Instant SSL certificate.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
X-Cart forums © 2001-2020