X-Cart forums

[tqualizerman]

Hi Carrie,

Just working on our SAQ but am confused about something. The BCSE web site says that we can use the SAQ-A if we're using this DPM module, but the SAQ-A has the following requirement:

"The entirety of all payment pages delivered to the consumer's browser originates directly from a third-party PCI DSS validated service provider(s)."

But with DPM that's not the case, or am I confused?

** Edit **

That quote comes from the SAQ 3.0 (which doesn't come into force until January 2015.) Nonetheless, this will have implications for this addon, no?

[BritSteve]

You also can't fill out SAQ-A if you take orders by phone, or fax. Saying you can use SAQ-A is not true if you take credit card payments by other methods.

Steve

[BCSE]

Let me get back to you on this. It seems they have changed some things recently. The best person to help me with this answer is out until Tuesday.

I do know that you can tell the scanning people that you are a 'redirect merchant' type which makes what scans you have to pass simpler. And Steve is right, it all really depends on your other business processes as well as to what SAQ you fill out per our *'d note on the page too.

"* A full assessment of a vendors specific business process is required to determine which SAQ needs to be completed to achieve PCI compliance."

Thanks,

Carrie

[Mr. G]

I'm trying to determine what BCSE DPM module will look like when implemented with X-Cart's default One Page Checkout, which looks like this: http://marketplace.x-cart.com/images/xcart_4_4_screenshots/one_page_checkout.png

Will it look like this? http://www.x-cart.com/sites/default/files/blog/4.png
or this?
http://www.x-cart.com/sites/default/files/blog/__PayPal_Advanced.png
or something else?

Unfortunately BCSE's page for it here http://www.bcsengineering.com/store/authorize.net-dpm-module-for-x-cart-pa-dss-compliant.html does not have any screenshots.

[BCSE]

Quote:

Originally Posted by Mr. G

I'm trying to determine what BCSE DPM module will look like when implemented with X-Cart's default One Page Checkout, which looks like this: http://marketplace.x-cart.com/images/xcart_4_4_screenshots/one_page_checkout.png

Will it look like this? http://www.x-cart.com/sites/default/files/blog/4.png
or this?
http://www.x-cart.com/sites/default/files/blog/__PayPal_Advanced.png
or something else?

Unfortunately BCSE's page for it here http://www.bcsengineering.com/store/authorize.net-dpm-module-for-x-cart-pa-dss-compliant.html does not have any screenshots.

It basically looks like this:
http://www.x-cart.com/sites/default/files/blog/4.png

But it has the card logos, etc too.

Let us know if that doesn't help answer your question.

Thanks,

Carrie

[BCSE]

We're still improving this module based upon customer feedback! Most recent improvement was some extra javascript to help customer interaction!

Carrie

[BCSE]

Our Authorize.net DPM module is now compatible with 4.7.x!

http://www.bcsengineering.com/store/authorize.net-dpm-module-for-x-cart-pa-dss-compliant.html

Did you also know we have a Paypal DPM now too?!

http://www.bcsengineering.com/store/paypal-dpm-for-x-cart.html

Carrie

[snowman99]

I get the following message when I submit an order with Auth DPM enabled.

An error occurred while trying to report this transaction to the merchant. An e-mail has been sent to the merchant informing them of the error. The following is the result of the attempt to charge your credit card.

This transaction has been approved.
It is advisable for you to contact the merchant to verify that you will receive the product or service.


I thought this might be a receipt or response URL issue. I do not use Receipt or Response URLS by default. But I went ahead and added: http://www.memorial-urns.com/authorizenet_dpm_response.php to the receipt URL in Authorize.net's panel. (BTW, this is a live site. I have my IP added for testing).

Now I get the following message when an order is executed:

3,2,14,The referrer, relay response or receipt link URL is invalid.,,P,0,,,0.02,CC,auth_capture,,,,,,,,,,,,,, ,,,,,,,,,

The script is in the store root directory. I have tried changing it to 777 permissions. No help.

I have submitted a BCSE ticket: #ZWM-970-72798

Thanks,

Vaughn

[BCSE]

Vaughn,

I'll detail more in your ticket, but I'd recommend *not* having a return url as we pass that to Authorize.net anyway.

The reason for the first error, could be due to various things.

1. Shop Closed
2. SSL certificate that Authorize.net doesn't recognize.
3. Reverse DNS issues

Basically it's saying, yes I approved your transaction, but I don't trust your site to get back to it, or I can't get there.

I'll submit in the ticket as well and we can figure it out from there so we can share the info with my staff.

thanks,

Carrie

[snowman99]

I have the BCSE DPM module working temporarily by forcing the Authorizenet response URL to a non-secure HTTP instead of HTTPS which is timing out.

Some history and a heads up...

This all came about because I wanted to verify on the Authorizenet sandbox that our site would continue working after May 26th when the SHA2 certs would be required. Their Sandbox has the upgraded ver 3.1 that will go live on May 26th. What I discovered while testing was that the BCSE module installed two years ago on our site had never been executing. I'm disappointed in myself for not checking more deeply. I relied on the installation instruction for the module and it's method for determining if the module was really executing. It turns out, that for us, with the Xcart's One Page Checkout installed, that the method is inconclusive. Whether the module is enabled or not the order submit page displayed is exactly the same. I hold myself fully responsible for this as I should have caught this then. I have since placed log messages in the code to indicate when it's Executing.

The installation instructions state:

If the mod is active and working correctly the credit card input fields will become disabled and gray out when the customer hits the button to submit the order.

In case anyone is interested here is what I think is the problem, but since I'm not a security expert it's going to be an uphill climb.

Our current certificate connection as shown on Chrome:

- Your connection to www.memorial-urns.com is encryted with obsolete crytography.
- Connection uses TLS 1.2
- Your connection is encrypted with aes_256_cbc, with SHA1 for message authentication, and ECDHE_RSA as the key exchange mechanism.

I'm getting all Green locks on Chrome. My understanding is this has to do with server settings having to do with encryption and not the certificate itself which is a SHA2 Cert as verified by QUALYS SSL Labs.

QUALYS LABS:
Key: RSA 2048 bits.
Signature Algorithm: SHA256withRSA

According to QUALYS Labs, The certificate path does show a Self Signed RSA 2048 bits / SHA1withRSA which is weak or insecure but no impact on root certificate.

I'll be sending this to Authorizenet and my host provider and see what they say.