X-Cart forums

[zorg]

Thank you all for your interest in X-Payments application. My name is Yury Zaytsev, I'm CTO at Qualiteam, though haven't been posting much to X-Cart forums previously.

Quote:

Originally Posted by balinor

Just to reiterate once again, this module needs to be available for 4.0, 4.1 and 4.2 or you will have THOUSANDS of very unhappy clients.

Just to make it clear, X-Payments 1.0 will be released along with a mod for X-Cart 4.3.

Depending on your needs we'll also prepare guidelines and patches on using X-Payments with other X-Cart versions, LiteCommerce and other open source e-commerce software.

The important thing to note is that X-Payments is intended only for the minor part of merchants who want to go through the complete process of PCI-DSS certification. X-Payments, thanks to the PA-DSS compliance, will make it easier for the merchants.

The major part of online stores currently operating could be configured to actually become out of the scope of PCI-DSS certification (in this case a store should not store, process or transfer cardholder data). Guidelines on configuring X-Cart in this manner can be found at http://help.qtmsoft.com/index.php?title=X-Cart:User_manual_contents (see "Configuring X-Cart to meet PCI DSS").

Thank you for the cooperation, and feel free to contact me for further clarification.

[gravel]

Quote:

Originally Posted by zorg

The major part of online stores currently operating could be configured to actually become out of the scope of PCI-DSS certification (in this case a store should not store, process or transfer cardholder data). Guidelines on configuring X-Cart in this manner can be found at http://help.qtmsoft.com/index.php?title=X-Cart:User_manual_contents (see "Configuring X-Cart to meet PCI DSS").

Thank you Yury for finally commenting on this important question. In the part of the manual you point to, it says:

Quote:

Disable background payment methods

With a background payment method, customers input their credit card data on the side of X-Cart at the final step of checkout. Since X-Cart itself is taken out of PCI DSS scope and does not comply to PCI DSS requirements, you must disable all background payment methods in your store. This does not really mean that you will not be able to use background payment methods to accept payments online: an interface to use such methods is now fully supported by X-Payments, which is PA-DSS compliant.

What this says is that anyone using, for instance, Authorize.net AIM, which is indeed a background method, would have to use X-Payments. Do you really think that such installations are in the minority? Don't the vast majority of shops prefer to NOT have their customers go off-site during checkout (as happens with, for instance, Authorize.net SIM)? Isn't that why there is so much clamor for X-Payments to be released - and for older versions of X-Cart?

The you say:

Quote:

Depending on your needs we'll also prepare guidelines and patches on using X-Payments with other X-Cart versions, LiteCommerce and other open source e-commerce software.

Really? "Depending on your needs"...!? How could you not understand that many, many X-Cart users NEED a suitable version of X-Payments?

With all due respect, I think you do not know your customer base very well.

I am confident that I speak for many X-Cart users: Please make releasing X-Payments for ALL versions a top priority.

[Viejo]

We'd like to participate in the beta testing. We have 2 new 4.3.x sites up or going up. I'm also hopeful you'll have x-payments certified for at least 4.1.x and 4.2.x.

[Duramax 6.6L]

I have been waiting for x-payments to be released. Please include me in the beta testing.

[necroflux]

Indeed the vast majority of X-cart users are using Authorize as a background payment process, and are still using 4.1 or 4.2. Let me second the fact that not programming this payment module to be compatible with these still heavily used versions would be a devastating oversight that would alienate a huge number of your customers once the PA-DSS compliance deadline passes.

I would go as far to say that it is your responsibility as a company to ensure that to a certain degree all widely used versions of your software receive a working payment module that is PA-DSS compliant.

[SamsonWebDesign]

I'd like to test this also.
We currently only have 3 customers on 4.3 and a LOT on the 4.1 and 4.2 strains so it would be good to have is compatible with these too as echoed in this thread.

[canuck]

Quote:

Originally Posted by zorg

The important thing to note is that X-Payments is intended only for the minor part of merchants who want to go through the complete process of PCI-DSS certification. X-Payments, thanks to the PA-DSS compliance, will make it easier for the merchants.

The major part of online stores currently operating could be configured to actually become out of the scope of PCI-DSS certification (in this case a store should not store, process or transfer cardholder data). Guidelines on configuring X-Cart in this manner can be found at http://help.qtmsoft.com/index.php?title=X-Cart:User_manual_contents (see "Configuring X-Cart to meet PCI DSS").

I'm concerned and frankly stunned that the CTO of Qualiteam feels that most merchants are OK with having customers leave the site to make their payment, and that making the Xpayments available for anything less than 4.3 will be an afterthought.

For the last 6-9 months, I've been watching threads about this magical payment module, XCart V5, then 4.2, 4.3, etc. There seems to be VERY little actual information available about X-Payments and how it would work with each payment gateway. I've even tried to get this information directly through Qualiteam's support desk with nothing but vague answers.

I'm watching threads about people having trouble with Paypal and a number of other issues with 4.3 which is why I'm sure MANY people including me, are avoiding an upgrade. I was hoping finally a nice one-page checkout would have been in the works too but apparently not.

This post was very revealing and at the same time disheartening. I'm not sure about the other customers out there but I'm desperately in need of some better information, fast!

[zorg]

Quote:

Originally Posted by canuck

I'm concerned and frankly stunned that the CTO of Qualiteam feels that most merchants are OK with having customers leave the site to make their payment

By taking PCI-DSS into effect in July 2010 VISA is giving merchants only 2 options:

1) configure their stores so that they wouldn't store, process or transmit cardholder data, by using web-based payment gateways.

or (if a merchant wants to be responsible for the safety of credit card data):

2) become PCI-DSS certified.

I do believe the first option, being many times easier and cheaper, should be considered by the most of merchants. That's a typical practice anyway.

By choosing the second option a merchant is obliged to comply with strict PCI-DSS standard requiring him to set up a quite complicated environment where cardholder data could be stored or processed safely (i.e. http://help.qtmsoft.com/index.php?title=File:Xpayments_dataflow.png), and then go through the certification process.

By delivering X-Payments, PA-DSS certified solution, we'll be happy to serve merchants who would select the second option.

[exsecror]

Quote:

Originally Posted by zorg

By taking PCI-DSS into effect in July 2010 VISA is giving merchants only 2 options:

1) configure their stores so that they wouldn't store, process or transmit cardholder data, by using web-based payment gateways.

or (if a merchant wants to be responsible for the safety of credit card data):

2) become PCI-DSS certified.

I do believe the first option, being many times easier and cheaper, should be considered by the most of merchants. That's a typical practice anyway.

By choosing the second option a merchant is obliged to comply with strict PCI-DSS standard requiring him to set up a quite complicated environment where cardholder data could be stored or processed safely (i.e. http://help.qtmsoft.com/index.php?title=File:Xpayments_dataflow.png), and then go through the certification process.

By delivering X-Payments, PA-DSS certified solution, we'll be happy to serve merchants who would select the second option.

It may be in your best interests to also support Payment gateways that take the whole processing out entirely but without requiring the customer to go offsite such as Braintree's Transparent Gateway. For many merchants including us it is not an acceptable or viable solution to have our customers redirect off-site (we do thousands of transactions a week). I also do not want to have to be forced to invest unnecessary funds in a completely separate box for a program that may or may not work (plus I don't trust encrypted code because it's security and stability cannot be audited effectively). Nor do I want to deal with the fact that if the program happens to break due to poor QA testing of having downtime till a engineer looks at which would be a problem anyway because I don't allow unauthorized personnel access to our facilities or servers. Granted right now until I transition us over to Braintree we are out of scope since I re-wrote X-Cart's payment core to forcefully truncate the credit card numbers in compliance with PCI but that's something I can't keep doing, hence the Braintree transition.

[hyper1]

After months of deceitful thread responses and answering questions in a way that never obligates x-cart to provide a fully functional payment option for pci compliance, I am at least happy to see the CTO finally state they have no intention of meeting our requirements. It has finally forced us to realize we must choose to spend a lot of money to upgrade to an interim solution (v4.3), which has little or no benefits over 4.1.x, or leave. The latter option is looking much better than it did before the CTO response. It took months, but it is finally clear. Thanks