Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

Dawn Howard · #**221** 06-11-2012, 10:35 AM

Currently a customer places an order and inputs their credit card info, we print the order off and process our charges manually, does that mean we are not PCI-DSS compliant?

If so, does that mean I need install X-payments? I know nothing about X-payments. Will I still be able to print the orders off and manually charge them?

Thanks in advance,
Dawn

cflsystems · #**222** 06-11-2012, 10:44 AM

Quote:

Originally Posted by Dawn Howard

...and manually charge them

Just this is good enough to put you out of business. Unless you are ready to invest tenths of thousands of dollar (in not more) each and every year you cannot store CC info. And even if you do have that kind of money to invest it is just not right. You need to either use X-Payments to process payments - not manually - or payment gateway hosted page. Anything else is asking for trouble.
You current setup makes you non-compliant and a subject to fines if your bank finds out

joelrhome · #**223** 06-11-2012, 11:07 AM

Quote:

Originally Posted by Dawn Howard

...does that mean I need install X-payments? I know nothing about X-payments...

Dawn,

There are several options to keep your website out of scope for PCI Compliance. What you need to do is assess how you want your customers to checkout of your website and what the cost factors are involved and make the decision yourself.

X-Payments: $1189 up front
- Customer goes to a new page after submitting the order, then back to the checkout completion.

Hosted Payment Page: No up front cost, unless required by payment processor - Customer goes to a different website to enter their cc info than redirected back to your website after successful payment

BCS Engineering's Authorize.net DPM Module - $149 Customer enters their cc info on the checkout page. Requires Auth.net account. Your QSA will determine if this is PCI Compliant or not. From what I understand, some will and some won't

Our XCharge Module: No up front cost - Customer does NOT leave the checkout page to enter their cc info, but enters it into the secure modal box. This method requires an Accelerated Payment Technologies (XCharge)account.

I hope that helps...

Dawn Howard · #**224** 06-11-2012, 11:44 AM

Thank you Steve.

Does X-Payments deposit the money directly to our bank account?

cflsystems · #**225** 06-11-2012, 01:00 PM

First let me say that if you bought your XC license before May 1, 2010 (I believe that was the date) you are entitled to one free copy of X-Payments.

Second - X-Payments is not a payment processor. It is simply a bridge between your XC store and your payment processor (payment gateway). if you want to process CC payments on your website and you want to be compliant you have to use certified application - X-Payments is certified appplication. X-Payments will not collect or deposit funds to your bank account, your payment gateway and merchant account does this.

gb2world · #**226** 06-11-2012, 01:04 PM

Quote:

DPM ... Your QSA will determine if this is PCI Compliant or not. From what I understand, some will and some won't

I have not seen anyone report that a QSA or compliance officer has rejected the DPM method. I've seen doubts expressed about the method here on the forum and in discussions with QT, but never anyone who actually reported it was reviewed and rejected by a QSA or compliance officer at a bank.

---

joelrhome · #**227** 06-11-2012, 01:27 PM

I have not personally heard any reports either way. I am basing my statement on the fact that in order to maintain PCI DSS Compliance, cc info must be entered into a PCI DSS Validated application. Since with DPM, the cc info is still entered directly into x-cart generated form fields, then it is technically not being entered into a validated application. That is why it is a questionable method, and why some have doubts.

Leaving it up the the QSA pretty much covers your tracks if they are ok with it. For me though, I have personally looked at developing a DPM module when it became available. My issue is that based on the above fact, I did not choose this for my clients since it was too risky for me. I want to be 100% certain, so I don't have to uproot a client down the road.

I have been getting calls about X-Payments requiring a separate SSL cert. I haven't looked into this personally, since my clients are going with our solution. If anyone else can shed some light on it, I am curious..

gb2world · #**228** 06-11-2012, 04:51 PM

I have a couple of emails from compliance officers of different banks who accepted the implementation of the use of DPM and still being able to fill out SAQ-A.

DPM is especially useful for clients who already use and want to continue using Authorize.net. I agree that you assume some risk if you implement it without the acceptance from the bank. Also, if you ever have to make a case, it will be easier if the software is on the PA-DSS certified list.

I do always try to pursue something other than X-Payments - just because of the expense of the software and installation. Your XCharge module is another option which I am appreciative of and will be showing it to people as another option.

Quote:

X-Payments requiring a separate SSL cert

There is a note on this thread from QT recommending installing X-Payments on a separate server or its own hosting account - which then would require its own SSL. (See the end of post 135 which has some X-Payments installation information.)

---

adriant · #**229** 06-12-2012, 12:20 AM

Have just been through the complete PCI compliance testing and form filling.... what a pain.

Have discovered several things.

With HSBC your compliance is logged against your account either as a 'yes' or 'no'. If you don't have a recognised compliance they will be starting to impose fines of ё50 per month. I was advised that this may increase and they may withdraw merchant services if you aren't compliant in a reasonable time.

Was also advised that if you use a compliance company other than the one they recognised there will be a admin charge for administration and obtaining the certification.

Unless you have dedicated servers it is easier to use a third party processor such as SagePay. The security scanning is intensive and will show up any defects.

If you use a third party processor you will most probaly have a virtual terminal as well. This means that the point that you access this terminal will have to be security tested as well.

If you have VOIP phone that you take Credit Card numbers on from customers this will have to be security tested as well.

The security testing has to be done once a quarter and the compliance questionairre has to be done once a year. Cost of two scans and questionaiire is ё75 per year.

As we had only a standard Merchant number with HSBC, this allowed us to use their virtual terminal, we had to get another merchant number from them to use SagePay. So now we have 2 merchant numbers.... and paying for both. We are looking into dropping the original one if we can.

Total time from applying to SagePay, gettting the new Merchant number , getting the scans done and completing the CAT-C questionairre (with help as it is qute technical) - 10 days.

The HSBC approved security company automatically notify HSBC of the results and certifications.

hope this is of interest.

ambal · #**230** 06-12-2012, 02:53 AM

> I have been getting calls about X-Payments requiring a separate SSL cert.

We bundle new X-Payments licenses with a free 1yr Instant SSL certificate.