Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

Dima65 · #**101** 04-02-2012, 10:49 AM

Hi all. I'm somewhat confused, then, as to which integration method to use between XC 4.4.6 and eProcessing Network, who processes our payments. Here is a list of their 5 available integration methods. Can anyone tell me please? http://www.eprocessingnetwork.com/Utilities.html

D

balinor · #**102** 04-02-2012, 10:52 AM

You would have to use the Database Engine method.

batt255 · #**103** 04-02-2012, 11:43 AM

I don't know where you are getting your info from, but Authorize.net Aim is still PCI excepted. This is on the SAQ. and requires a different level of scanning when using it. ( Which I just passed )

gb2world · #**104** 04-02-2012, 12:00 PM

Quote:

I think we need to clear up once and for all whether iframes or forms that post directly to the merchant provider's site are compliant or not. Love to hear thoughts on this.

The only judgement that really matters is that of the compliance officer at the merchant's bank. So far, in my small sample, the compliance officer has approved the use of the DPM method, and allowed for filling out of SAQ-A. I would advise having a discussion with them, with an email trail, before you choose to implement it over x-payments.

Quote:

If someone is on redwidget.com and ends up at a checkout with bluewidget.com graphics, they will of course freak out and leave without completing the payment.

I agree that the 10 store functionality of x-payments is not very useful. However - according to QT, you do have the ability to brand the checkout page for each store: http://forum.x-cart.com/showpost.php?p=310504&postcount=2

@nickff

Quote:

You aren't required to make this change until your merchant account provider requires it

I think this is a risky position for you to take with your clients. It could be in the fine print somewhere of something they have received. It could become an issue if there is ever an instance of fraud, then the bank would try to put all the burden on the merchant. I know of several who believe this is a low risk, and choose not to do anything yet while they wait for clear guidance from their banks. It is ultimately the merchant's decision - I just try and make sure they have all the information they need to decide.

---

batt255 · #**105** 04-02-2012, 12:18 PM

I just got off the phone with Authorize.net, Nation wide credit card solutions and Control Scan ( the Company that scans my website for PCI ) none of them have heard of this. They all have said this sounds like a sales ploy. You would think Authorize.net would here about this way before Xcart would.

balinor · #**106** 04-02-2012, 12:34 PM

None of them have heard of PA-DSS compliance? I highly doubt that. What exactly did you ask them?

batt255 · #**107** 04-02-2012, 12:49 PM

I asked them if Authorize.net aim was no longer going to be accepted as being PCI compliant. I also asked them if they have heard of a move not to allow a customer to input their credit card info on a website. That they would be directed to a credit card payment gateway instead and then be allowed to input their credit card info. Such as Authorize.net Sim to be able to be PCI compliant. They all said no they have not heard of such a thing. They all stated as long as you have a SSL installed that you would be fine under PCi guide lines. I know from past experience that the Authorize.net SIm is not very reliable. It will kick out the customer at times sending them back to the website. Authorize.net even suggests using their Aim version instead because of this.

totaltec · #**108** 04-02-2012, 01:30 PM

Quote:

Originally Posted by batt255

I just got off the phone with Authorize.net, Nation wide credit card solutions and Control Scan ( the Company that scans my website for PCI ) none of them have heard of this.

batt, I think you don't yet have a full understanding of the scope of this thing. If you complete your SAQ-C, there should be a question:
Please provide the following information regarding the payment applications your organization uses:
Payment Application in Use | Version Number | Last Validated according to PABP/PA-DSS

https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs

Step 1 to determine if you are compliant is to figure out which SAQ applies to you, most merchants that accept credit cards on their site qualify for SAQ-C

If you call authorize.net back, ask them "Do I need to use a PA-DSS validated payment application?"

componentman · #**109** 04-02-2012, 02:34 PM

Dumb question: Why is X-Payments PCI Compliant if you supposedly don't leave your website to process the payment?

totaltec · #**110** 04-02-2012, 04:03 PM

Because X-payments has been validated by the pci council to meet the requirements of PA-DSS. For you to be pci compliant and accept cards directly on your site, you must use a PA-DSS validated payment application.