
X-Payments 1.0 beta5 announcement

Closed Thread
#191  cflsystems (Veteran; Join Date: Apr 2007; Posts: 14,190)
07-02-2010, 04:55 AM
Re: X-Payments 1.0 beta5 announcement

Thanks Ryan, those were my thoughts as well but wanted to ask again... with all the info in here taking us in different directions all the time...
__________________
Steve Stoyanov
CFLSystems.com
Web Development
#192  balinor (Veteran; Join Date: Oct 2003; Location: Connecticut, USA; Posts: 30,253)
07-02-2010, 05:07 AM
Re: X-Payments 1.0 beta5 announcement

Read this if you haven't already:

http://forum.x-cart.com/showthread.php?t=54408
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
#193  geckoday (X-Wizard; Join Date: Aug 2005; Posts: 1,073)
07-02-2010, 05:49 AM
Re: X-Payments 1.0 beta5 announcement

Quote:
Originally Posted by Duramax 6.6L
This is a paragraph from the pdf that BSCE has in their email this month.

"PCI compliance requires that certified and non-certified processes be run on different servers (see SAQ-D section 2.2.1). As a result, certified code (X-Payments) cannot run on a machine that is also running uncertified code (X-Cart). X-Payments must run on a separate server to be fully compliant. Many companies cannot afford to have a second server that is dedicated to running software such as X-Payments. As a solution, BCS Engineering is providing X-Payments software as a service on a PCI-compliant system for a much lower cost than a second dedicated host. BCS Engineering's Hosted X-Payments solution is also cheaper than a virtual host. Not all virtual hosts can be considered PCI-compliant and are not all equal. Very cheap virtual hosts can be considered, from a security standpoint, to be equivalent to a shared hosting solution."

I can attach the pdf if you need it.
This is not correct. 2.2.1 is directed at the system component (web server, database server, mail server, etc.) level, not the application level. Its intent is to move components that don't need to be directly accessed from the internet off of servers that are directly accessed from the internet. If you are a merchant that must fill out SAQ D (most of us aren't unless you store credit card numbers) then 2.2.1 means you must run your web server software and database server software on separate servers and that the database server can't be accessed from the internet. If you meet the requirements to fill out SAQ C (mostly meaning you don't store credit card numbers) 2.2.1 doesn't even apply to you.

Besides, PA-DSS allows only the payment module portion of a software package to be certified. If you aren't allowed to run the non-certified core application alongside the certified payment module the payment module would be useless.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com

The following 2 users thank geckoday for this useful post:
Emerson (07-02-2010), gb2world (07-02-2010)
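The post above reads PCI DSS 2.2.1 as a host-level rule: the web tier faces the internet, and back-end components such as the database must sit on a separate host or at least not be reachable from outside. As an added example (not code from the forum, from X-Cart or from X-Payments), the script below parses `ss -ltn`-style listener output and flags back-end services that are bound to a wildcard or public address. The sample listener table, the port-to-service map and the address ranges treated as private are constructed assumptions for the example.

```python
"""Flag back-end services listening on internet-reachable addresses.

Added example, not part of the forum thread or of any X-Cart product. Input is
constructed `ss -ltn`-style output; the addresses and ports are made up.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: on a web-tier host only these ports may face the internet.
ALLOWED_PUBLIC_PORTS = {80, 443}

# Assumption: services that must stay on a private address or a separate host.
BACKEND_PORTS = {3306: "mysql", 5432: "postgresql", 6379: "redis", 11211: "memcached"}

# Address ranges treated as not reachable from the internet (loopback, RFC 1918,
# link-local, IPv6 ULA). Listed explicitly rather than via ipaddress.is_private
# so that documentation ranges such as 203.0.113.0/24 count as public here.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed sample of `ss -ltn` output.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       511     [::]:443             [::]:*
LISTEN  0       80      *:3306               *:*
LISTEN  0       128     127.0.0.1:6379       0.0.0.0:*
LISTEN  0       128     10.0.5.12:11211      0.0.0.0:*
LISTEN  0       128     203.0.113.7:5432     0.0.0.0:*
"""

LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+")


@dataclass(frozen=True)
class Listener:
    address: str
    port: int

    def is_internet_reachable(self) -> bool:
        """Wildcard binds and non-private addresses are reachable from outside
        (absent a host firewall, which this check does not inspect)."""
        if self.address in ("*", "0.0.0.0", "::"):
            return True
        try:
            ip = ipaddress.ip_address(self.address)
        except ValueError:
            return True  # unrecognised form: fail closed and report it
        return not any(ip in net for net in PRIVATE_NETS)


def parse_listeners(ss_output: str) -> list[Listener]:
    """Extract (address, port) pairs from LISTEN rows; brackets around IPv6 are dropped."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        listeners.append(Listener(m.group("addr").strip("[]"), int(m.group("port"))))
    return listeners


def check_exposure(listeners: list[Listener]) -> list[str]:
    """Return one finding per listener that violates the web-tier/back-end split."""
    findings = []
    for lst in listeners:
        if not lst.is_internet_reachable():
            continue
        if lst.port in BACKEND_PORTS:
            findings.append(
                f"{BACKEND_PORTS[lst.port]} on {lst.address}:{lst.port} is reachable from "
                "the internet; bind it to a private address or move it to a separate host"
            )
        elif lst.port not in ALLOWED_PUBLIC_PORTS:
            findings.append(f"unexpected public listener {lst.address}:{lst.port}")
    return findings


if __name__ == "__main__":
    for finding in check_exposure(parse_listeners(SAMPLE_SS_OUTPUT)):
        print("FINDING:", finding)
```

Run against real output with `ss -ltn | python3 check_exposure.py` after replacing the sample string with `sys.stdin.read()`. The check only looks at bind addresses; a service bound to 0.0.0.0 but blocked by a host or network firewall would still be flagged, so treat a finding as something to confirm with the firewall rules rather than as proof of exposure.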
#194  geckoday (X-Wizard; Join Date: Aug 2005; Posts: 1,073)
07-02-2010, 05:52 AM
Re: X-Payments 1.0 beta5 announcement

Quote:
Originally Posted by 27stars
One client told me Authorize.Net customers may be getting a 1-year extension. Many clients did not get anything from their payment gateways or merchant account providers about PCI.
It sounds like the client is talking about the Mastercard/Discover partial authorization mandate which Authorize.Net did get a one year extension on and not the PA-DSS mandate.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com
#195  geckoday (X-Wizard; Join Date: Aug 2005; Posts: 1,073)
07-02-2010, 06:10 AM
Re: X-Payments 1.0 beta5 announcement

Quote:
Originally Posted by cflsystems
So are we allowed to continue to use CC payments on site like nothing happened, or will we get fined if not compliant? I for one never received any notice or request from the gateway or the merchant account about compliance. Tried to submit to them once and they told me "OK, but we don't need it. If we need it we'll ask you to provide it". So I guess my questions are:
1. Can I still collect CC payments on site like before without being compliant until X-Payments is officially released? Or another solution is found.
2. What happens if I turn on the payment gateway's hosted payment page? Do I still have to file any compliance report?
3. Am I required to send any of the SAQs even though no one asked for it?
If your payment processor isn't giving you a hard time I would continue as you are. If they are, then let them know what Qualiteam is saying about when X-Payments will be available and the additional time you'll need to implement it. Most payment processors will be happy with that and may want to check with Qualiteam before approving it.

Switching to a gateway-hosted page won't mean no paperwork, but it can change which SAQ you need to fill out, reducing your compliance requirements and making your life easier. It can also reduce your liability exposure.

If you process less than 20,000 VISA transactions and less than 20,000 Mastercard transactions annually (level 4 merchants) then it's up to your payment processor to decide what is required for you to validate your compliance. So at level 4 you don't need to fill out and send in any compliance paperwork UNLESS your payment processor asks for it. I would encourage you to fill out the appropriate SAQ annually anyway and keep it on file as documentation in the event of a breach to keep your liability to a minimum.

If you process over 20,000 annual VISA or Mastercard transactions then your payment processor should already be asking you for your annual SAQ, as it is required by VISA / Mastercard and not a decision left up to the payment processor.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com

The following 2 users thank geckoday for this useful post:
cflsystems (07-02-2010), gb2world (07-02-2010)
#196  geckoday (X-Wizard; Join Date: Aug 2005; Posts: 1,073)
07-02-2010, 06:14 AM
Re: X-Payments 1.0 beta5 announcement

Quote:
Originally Posted by geckoday
This is not correct. 2.2.1 is directed at the system component (web server, database server, mail server, etc.) level, not the application level. Its intent is to move components that don't need to be directly accessed from the internet off of servers that are directly accessed from the internet. If you are a merchant that must fill out SAQ D (most of us aren't unless you store credit card numbers) then 2.2.1 means you must run your web server software and database server software on separate servers and that the database server can't be accessed from the internet. If you meet the requirements to fill out SAQ C (mostly meaning you don't store credit card numbers) 2.2.1 doesn't even apply to you.

Besides, PA-DSS allows only the payment module portion of a software package to be certified. If you aren't allowed to run the non-certified core application alongside the certified payment module the payment module would be useless.
I guess I should also add that this doesn't mean you don't need to worry about the security of other web applications you run on the same server with your payment application. You still must make sure you are applying vendor security patches promptly to all applications and not use known vulnerable applications, etc.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com
#197  EN4U (eXpert; Join Date: Feb 2008; Location: AZ; Posts: 379)
07-02-2010, 06:43 AM
Re: X-Payments 1.0 beta5 announcement

Ralph, Ryan.... On the brink of my meeting today on whether or not to jump ship has me going in a lot of directions. The last thing I want to do is leave, I hope I have established that.

Reading the posts today, especially from these 2, has me wondering if we do have more time here and all isn't going to come crashing down. My first site here is with Authorize.Net, which I have heard nothing from or been sent any letters about compliance or otherwise. My other site goes through First Data, and all I've heard from them was a letter pimping out their choice of PCI scanners, and that was early this year, nothing since.

So where are we at? Should I fear things being shut down? Should I bolt as fast as I can? I am in the same boat as everyone else here, confused, dazed and just trying to figure out what in the hell to do.

Thanks
__________________
Regards, Dan
X-Cart Gold Version 4.1.10

1 - One page checkout
2 - Image Generator
3 - CSDEO Pro
4 - Shop By Price
5 - Next - Previous
6 - On Sale
7 - Shop By Price

8 - Froogle & Google Base Feed
9 - Buy Together
10 - Customer Loyalty Points
11 - Customer Reward Points
Customer Reward Points Referral Add-on
12 - Product Reviews
13 - Other Custom Modifications
----------------------
http://www.townsqjewelry.com/
http://www.eroticnights4u.com/ <---- Adult Oriented - Toys
#198  geckoday (X-Wizard; Join Date: Aug 2005; Posts: 1,073)
07-02-2010, 06:55 AM
Re: X-Payments 1.0 beta5 announcement

Quote:
Originally Posted by EN4U
Ralph, Ryan.... On the brink of my meeting today on whether or not to jump ship has me going in a lot of directions. The last thing I want to do is leave, I hope I have established that.

Reading the posts today, especially from these 2, has me wondering if we do have more time here and all isn't going to come crashing down. My first site here is with Authorize.Net, which I have heard nothing from or been sent any letters about compliance or otherwise. My other site goes through First Data, and all I've heard from them was a letter pimping out their choice of PCI scanners, and that was early this year, nothing since.

So where are we at? Should I fear things being shut down? Should I bolt as fast as I can? I am in the same boat as everyone else here, confused, dazed and just trying to figure out what in the hell to do.

Thanks
Authorize.Net is not your payment processor - they are just a gateway. Whoever sends you your merchant statement is your payment processor.

You should not fear being shut down and there is no reason to bolt. It's unlikely your payment processor will shut you off without giving you some time to comply, especially when your software vendor is making progress on compliance. Other issues you have while waiting for Qualiteam are:

1. Liability. You are now required by VISA to use a PA-DSS compliant payment application whether or not anyone is checking up on you. If you are breached and are not doing so, your payment processor might pass some fines down your way. It might also increase your liability for breach clean-up costs (replacing cards, etc.). And VISA might impose restrictions like forcing you to hire a QSA (big bucks) to certify your PCI-DSS compliance for you to continue taking credit cards.

2. If you decide to shop around payment processors you may find you can't switch to a new processor, because some are asking what software you are using and won't take you if it's not PA-DSS certified.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com

The following user thanks geckoday for this useful post:
ambal (07-04-2010)
#199  EN4U (eXpert; Join Date: Feb 2008; Location: AZ; Posts: 379)
07-02-2010, 07:10 AM
Re: X-Payments 1.0 beta5 announcement

Quote:
Originally Posted by geckoday
You should not fear being shut down and there is no reason to bolt. It's unlikely your payment processor will shut you off without giving you some time to comply, especially when your software vendor is making progress on compliance. Other issues you have while waiting for Qualiteam are:

1. Liability. You are now required by VISA to use a PA-DSS compliant payment application whether or not anyone is checking up on you. If you are breached and are not doing so, your payment processor might pass some fines down your way. It might also increase your liability for breach clean-up costs (replacing cards, etc.). And VISA might impose restrictions like forcing you to hire a QSA (big bucks) to certify your PCI-DSS compliance for you to continue taking credit cards.

2. If you decide to shop around payment processors you may find you can't switch to a new processor, because some are asking what software you are using and won't take you if it's not PA-DSS certified.


Thanks
__________________
Regards, Dan
X-Cart Gold Version 4.1.10

1 - One page checkout
2 - Image Generator
3 - CSDEO Pro
4 - Shop By Price
5 - Next - Previous
6 - On Sale
7 - Shop By Price

8 - Froogle & Google Base Feed
9 - Buy Together
10 - Customer Loyalty Points
11 - Customer Reward Points
Customer Reward Points Referral Add-on
12 - Product Reviews
13 - Other Custom Modifications
----------------------
http://www.townsqjewelry.com/
http://www.eroticnights4u.com/ <---- Adult Oriented - Toys
#200  cflsystems (Veteran; Join Date: Apr 2007; Posts: 14,190)
07-02-2010, 08:21 AM
Re: X-Payments 1.0 beta5 announcement

Thanks Ralph, that explains a lot. I wonder whether QT ever hired you, at least as an advisor. Most of this mess would probably have been avoided if they had.
__________________
Steve Stoyanov
CFLSystems.com
Web Development
All times are GMT -8.
X-Cart forums © 2001-2020