Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

#91, 04-02-2012, 09:37 AM
balinor (Veteran; Join Date: Oct 2003; Location: Connecticut, USA; Posts: 30,253)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Quote:
We have a customer that is using a payment module like authorize.net (cc info entered on their website) and they recently passed their PCI compliance audit

It isn't being enforced by all Merchant Banks yet - seems they are as confused as everyone else. I have some clients who were immediately made to switch, others haven't been forced to yet.

Also, don't confuse a PCI compliance server scan with PA-DSS compliance - a PA-DSS compliant cart can't be picked up by a scan (yet), it is self-reported.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
#92, 04-02-2012, 09:38 AM
balinor (Veteran; Join Date: Oct 2003; Location: Connecticut, USA; Posts: 30,253)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Quote:
What is the difference between one "website" or "up to 10 online stores"...am I missing the definition of a website? You can't run 10 online stores on one website, right? So for X-Payments all stores would be processed through one instance of X-Payments?

They are saying you can have X-Payments installed and run 10 different sites' payments through it. Of course, no one will ever do this because the URL will change, and you'd need to generically brand it. If someone is on redwidget.com and ends up at a checkout with bluewidget.com graphics, they will of course freak out and leave without completing the payment. So, you really need one X-Payments license PER URL. A 10 store license doesn't do anything for you.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development

#93, 04-02-2012, 09:41 AM
balinor (Veteran; Join Date: Oct 2003; Location: Connecticut, USA; Posts: 30,253)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

nick, that pretty much covers it, yes. Just keep in mind that the DPM solution is a grey area - it technically gets around the requirement but some really strict enforcement types may find a problem with it.

We have used this solution with many of our clients and so far they have all passed without a problem. BCS did a great job with it, very few if any glitches, and that was mostly due to some of our custom coding conflicting with it.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development

#94, 04-02-2012, 09:49 AM
totaltec (X-Guru; Join Date: Jan 2007; Location: Louisville, KY USA; Posts: 5,823)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

I am starting to doubt that the BCSE module is compliant on its own. From what I understand PA DSS determines whether or not an application is secure. So if X-cart is not secure, or at least not validated as such, how can the BCSE module fix that?

It is still a form on your website, whether it is in an Iframe or not I'm not sure. Even if it is an Iframe or some other method, a hacker that compromised X-cart could easily transform that into a form that submits the info to him. And if X-cart itself is not validated as safe from such intrusion, then it seems this would not be compliant.

I think we need to clear up once and for all whether iframes or forms that post directly to the merchant provider's site are compliant or not. Love to hear thoughts on this.
__________________
Mike White - Now Accepting new clients and projects! Work with the best, get a US based development team for just $125 an hour. Call 1-502-773-6454, email mike at babymonkeystudios.com, or skype b8bym0nkey

XcartGuru
X-cart Tutorials | X-cart 5 Tutorials

Check out the responsive template for X-cart.
#95, 04-02-2012, 09:55 AM
cflsystems (Veteran; Join Date: Apr 2007; Posts: 14,190)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

My payment gateway offers 3 ways of processing payments - on the site, hosted page and iframe. According to them the hosted page and iframe options take you out of the scope. Since the iframe is generated and passed to the site from the payment gateway server and processed directly by them, this option should be ok.
__________________
Steve Stoyanov
CFLSystems.com
Web Development
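The two posts above turn on one question: does the checkout page, as the browser actually receives it, send card data straight to the gateway (a Direct Post form or a gateway-served iframe), or could an altered page route it back through the cart? The script below is an added illustration of the check a merchant can run on the rendered checkout HTML; it is not X-Cart, BCSE or gateway code. The gateway host name, the sample pages and the Authorize.net-style card field names are assumptions chosen for the example.

```python
# Added illustration (not X-Cart, BCSE or gateway code): scan a rendered checkout
# page and flag any card-data form or iframe that does not go straight to the
# allowlisted payment gateway over HTTPS.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the only host allowed to receive card data (constructed name).
GATEWAY_HOSTS = {"secure.example-gateway.test"}

# Assumed card-field names in the Authorize.net DPM style; adjust for your gateway.
CARD_FIELDS = {"x_card_num", "x_card_code", "card_number", "cvv"}


class CheckoutScanner(HTMLParser):
    """Collect every form (action + input names) and every iframe src on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.iframes = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "fields": set()}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].add(a.get("name") or "")
        elif tag == "iframe":
            self.iframes.append(a.get("src") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def is_gateway_url(url):
    """True only for an https URL whose host is on the gateway allowlist."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in GATEWAY_HOSTS


def find_violations(page_html):
    """Return a list of findings; an empty list means card data stays off the cart server."""
    scanner = CheckoutScanner()
    scanner.feed(page_html)
    findings = []
    for form in scanner.forms:
        # A form carrying card fields must post straight to the gateway (Direct Post),
        # never back to the cart, or the card data lands on the merchant server.
        if form["fields"] & CARD_FIELDS and not is_gateway_url(form["action"]):
            findings.append("card form posts to %s" % (form["action"] or "(same site)"))
    for src in scanner.iframes:
        # On a checkout page every iframe is reviewed: a payment iframe has to be
        # served by the gateway over HTTPS, and anything else here deserves a look.
        if not is_gateway_url(src):
            findings.append("iframe loaded from %s" % (src or "(empty src)"))
    return findings


# Constructed sample pages for the two outcomes.
GOOD_PAGE = """
<form method="post" action="https://secure.example-gateway.test/gateway/transact.dll">
  <input name="x_card_num"> <input name="x_exp_date"> <input name="x_card_code">
</form>
<iframe src="https://secure.example-gateway.test/hosted/pay?token=abc"></iframe>
"""

BAD_PAGE = """
<form method="post" action="cart.php?target=checkout">
  <input name="x_card_num"> <input name="x_exp_date">
</form>
<iframe src="http://secure.example-gateway.test/hosted/pay?token=abc"></iframe>
"""

if __name__ == "__main__":
    for name, page in (("good", GOOD_PAGE), ("bad", BAD_PAGE)):
        print(name, find_violations(page) or "no findings")
```

Run it against the HTML as served to a browser (a saved copy of the live checkout, not the template on disk), since that is where any alteration would show up; it only sees markup, so a page whose form target is rewritten by script at runtime still needs a browser-side check.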
#96, 04-02-2012, 10:00 AM
balinor (Veteran; Join Date: Oct 2003; Location: Connecticut, USA; Posts: 30,253)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

We talked about this a lot back when these regs first came out, and pretty much everyone agreed that the Direct Post Method (DPM) is an acceptable solution.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development

#97, 04-02-2012, 10:09 AM
Sara (Advanced Member; Join Date: Mar 2010; Posts: 75)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Quote:
Originally Posted by balinor
They are saying you can have X-Payments installed and run 10 different sites' payments through it. Of course, no one will ever do this because the URL will change, and you'd need to generically brand it. If someone is on redwidget.com and ends up at a checkout with bluewidget.com graphics, they will of course freak out and leave without completing the payment. So, you really need one X-Payments license PER URL. A 10 store license doesn't do anything for you.

Then if I have 2 PURCHASED X-Cart Licenses I should have been "gifted" 2 X-Payments Licenses. Otherwise I should have ordered X-Cart separately (2 separate logins.) That's a joke.

Quite frankly it would be cheapest to do the free version of PayPal b/c that sends you to a 3rd party website, too, and directs you back, which is why we pay the $30/month fee for PayPal Pro to be a smooth transition so it looks professional. $1000+ is not an option. For that I'm guessing I can find a cart that is compliant.
__________________
www.foxvalleyviews.com
X-Cart 4.5.4
www.expressionsunglasses.com
X-Cart 4.5.4
hosted by handsonwebhosting.com (and I LOVE them!)
#98, 04-02-2012, 10:18 AM
balinor (Veteran; Join Date: Oct 2003; Location: Connecticut, USA; Posts: 30,253)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Yes, it was a slap in the face that they did that. I managed 20 of my clients' licenses when they 'gifted' them. If each client had their own license, they all would have had one - but since I managed them, I would have had to shell out the extra $$$ for their licenses as I promised them it would be free (Qualiteam said it would be and didn't mention the 'one per account' rule until later). Whole threads on this in the Rants and Raves forum.

Yes, PayPal standard is indeed an option - but keep in mind that sending your client to an offsite gateway, particularly PayPal, can hurt your conversion rate. Some people don't like PayPal, and adding an extra step always hurts conversions.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
#99, 04-02-2012, 10:28 AM
tam10 (eXpert; Join Date: Mar 2007; Posts: 252)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

What about Google Checkout, is it compliant or not?
__________________
Tammy
x-cart gold + 4.7.2
x-cart 5.2.10

#100, 04-02-2012, 10:31 AM
balinor (Veteran; Join Date: Oct 2003; Location: Connecticut, USA; Posts: 30,253)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Yes, anything that allows customers to pay OFF your site takes you out of compliance scope.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
X-Cart forums © 2001-2020