
Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

 
  #61  
Old 03-31-2012, 08:21 AM
cflsystems
 

Veteran
  
Join Date: Apr 2007
Posts: 14,191
 

Default Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Quote:
Originally Posted by seyfin
Let me clarify - one X-Payments license/installation can be connected up to 10 online stores.

That is true but will result in a URL change for 9 of the stores. And there is the additional checkout step. So all the 10 stores can use a payment gateway hosted page with the same success (URL change as well and additional checkout step) and for FREE (as opposed to $1200 for XPayments).

The ability of XPayments to connect up to 10 stores is good, yes, but it is good for someone selling it as a service and acting like a payment gateway. Every individual store owner will want the URL not to change and no redirection.
__________________
Steve Stoyanov
CFLSystems.com
Web Development

The following user thanks cflsystems for this useful post:
balinor (04-02-2012)
  #62  
Old 04-02-2012, 04:24 AM
 
Paul H
 

eXpert
  
Join Date: Sep 2005
Posts: 246
 

Default Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

PCI-DSS sounds like a right load of B*****ks. I'll be sticking with my 4.4.5, manual CC processing and Paypal. I did enquire once about online processing and it was expensive and riddled with paperwork and questionnaires fit for joining MI5.
A colleague of mine who runs a similar shop has recently ceased accepting credit cards and relies solely on Paypal and bank transfers
__________________
Xcart Gold 4.1.11-Gone
= 4.7.11-Live
  #63  
Old 04-02-2012, 04:42 AM
 
mabiuso
 

Advanced Member
  
Join Date: Mar 2004
Posts: 34
 

Default Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Quote:
Originally Posted by seyfin
In fact, having the X-Cart software PA-DSS certified and validated is much more expensive than the X-Payments price.

Mmmh: this fact is still not very clear to me.


Quote:
Originally Posted by balinor
If you are accepting credit cards ON your site (not at LinkPoint's site) then you are not compliant unless you purchase X-Payments.
This is not true at all.


First of all, if you look carefully at the link provided by seyfin
The text states that:

Quote:
Originally Posted by VISA
While use of PA-DSS validated payment applications is recommended, a payment application does not need to be included on the List of Validated Payment Applications in order to comply with these mandates for use of PA-DSS compliant applications. Acquirers may determine the PA-DSS compliance of a payment application through their own alternate validation processes, which confirm that applications meet the PA-DSS requirements and facilitate compliance with the PCI DSS.

Second, if you look at the official PCI Compliance:
https://www.pcisecuritystandards.org/merchants/how_to_be_compliant.php
You just need to fill in a SAQ and have a quarterly PCI Security Scan (and pass them).

Third: if you know how to fill in the SAQ, you just need to pay for the scans, which cost very much less than X-Payments.
http://www.ncircle.com/index.php?s=products_pci-compliance

I have been contacted by a famous company which does PCI compliance and asked for $4000 for being compliant (we have made our own personalized payment gateway connection software), but I do not agree that the price should be that high. After all they just have an online form for the SAQ and a scan service with non-automated (i.e. human) support service.

Still very perplexed, but until PCI council web site states: "you need a $4000 service to be PCI-DSS compliant", I'm trying to find cheaper alternatives.
  #64  
Old 04-02-2012, 04:59 AM
 
donavichi
 

X-Adept
  
Join Date: Apr 2004
Location: United Kingdom
Posts: 697
 

Default Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Sounds to me like X-Payments just needs to be made part of X-Cart and then the problem is solved. I doubt the competition are going to remain non PCI compliant for long...
__________________
Best regards,

Donavichi.
- - -

Website Copywriting || Web Design || FAQs || Home & Garden Blog
  #65  
Old 04-02-2012, 04:59 AM
 
balinor
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

mabiuso, no offense, but you are incorrect. We've been dealing with this issue for quite a long time (look through the history of this subject here in the forums). The PDF you quoted from is from 2009 - the new regulations kicked in July of 2010. So get your info correct before you quote it. Current documentation is here:

https://www.pcisecuritystandards.org/security_standards/documents.php?association=PA-DSS

Next, PCI is only part of the PCI-DSS regulations. Yes, you need a quarterly scan and be on a server that is compliant. That is half of it - but then you need to be using a compliant cart, processor or system. You cannot store CC info and you cannot process cards through a non-compliant processor. While it is true that a PCI scan and SAQ were all you needed in the past, that is no longer the case. Hence the major uproar here, and the reason for X-Payments and for X-Cart to drop payment gateways from their cart.

X-Payments is compliant, X-Cart is not. So if you want to process cards on your site with X-Cart, you need to use X-Payments. So that is indeed a correct statement.

Paul H, if you really think this regulation is BS, you are in for a rude awakening. You absolutely cannot store CC info on the server anymore, if your merchant account or customers found out you were doing that, you'd be dropped in a heartbeat and liable for some serious fines. Worse, if you are hacked and your credit card data is stolen, you are liable for $50k fines. Have fun with that. Paypal is fine - that takes you out of the PA-DSS scope, but storing CC info is just plain dumb.

donavichi, X-Payments can't be part of X-Cart - that's the point. If it was, X-Cart itself would have to be made compliant, which would be a whole lot more expensive as Qualiteam would have to re-certify it each time they upgrade it. Hence the reason X-Payments was built - to take X-Cart out of the scope of compliance.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development

The following 3 users thank balinor for this useful post:
ambal (04-02-2012), qualiteam (04-03-2012), seyfin (04-02-2012)
  #66  
Old 04-02-2012, 05:16 AM
 
donavichi
 

X-Adept
  
Join Date: Apr 2004
Location: United Kingdom
Posts: 697
 

Default Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Of course, a subscription-based service for X-Payments might go a long way to reduce friction and increase take-up from the community, seeing as it's more likely to attract more interest if there's not such a high cost of entry - just a thought.
__________________
Best regards,

Donavichi.
- - -

Website Copywriting || Web Design || FAQs || Home & Garden Blog
  #67  
Old 04-02-2012, 05:18 AM
 
balinor
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Subscription-based service?
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
  #68  
Old 04-02-2012, 05:22 AM
 
PhilJ
 

X-Guru
  
Join Date: Nov 2002
Posts: 4,094
 

Default Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

It's like the ecommerce equivalent of the millennium bug.

Don't panic, people.
__________________
xcartmods.co.uk

The following 2 users thank PhilJ for this useful post:
ambal (04-02-2012), qualiteam (04-03-2012)
  #69  
Old 04-02-2012, 05:24 AM
 
balinor
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

While there isn't reason for panic, it shouldn't be taken lightly either. They ARE fining for non-compliance, and if you are hacked while non-compliant, you ARE liable. It does need to be taken seriously.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
  #70  
Old 04-02-2012, 05:41 AM
 
PhilJ
 

X-Guru
  
Join Date: Nov 2002
Posts: 4,094
 

Default Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

It's just common sense, I don't think there's any need to ramp it up and put people in fear of fines. It's the way the internet is going, so let's get on with it.
__________________
xcartmods.co.uk