
Does X-Payments have to live on a separate server?
 
#1
04-30-2012, 04:12 PM
Dima65
Advanced Member
Join Date: Jul 2008
Posts: 79

Does X-Payments have to live on a separate server?

Hey everyone,
The good folks at HardHatHosting are telling me that even though X-Payments is PCI compliant, it is not TRULY compliant unless you buy a second VPS account and host it on its own separate account?

I know there's been talk back and forth about this, so I'd like to hear from Qualiteam about this, since they are the makers of X-Payments.

If you host X-Payments on the same server as your store, will you pass the scan? And if anyone hacks into your server after that, and steals the credit cards, will you be liable just for hosting X-Payments on the same server?

Important questions, that need knowledgeable answers.
Dima
__________________
X-Cart v4.7.5
reBOOT
#2
04-30-2012, 04:46 PM
a1deano
X-Adept
Join Date: Oct 2004
Posts: 745

Re: Does X-Payments have to live on a separate server?

Hi, I asked the same question, and from all the replies I've received on here and from Qualiteam, then yes, X-Payments must be installed on its own and not in the same folder as X-Cart. It does work in the same folder and it does pass the scan, as I've tested it, but to be truly compliant it must be on its own... I am going to be taking out a smaller hosting package just for X-Payments; I don't want to run the risk if something happens and your merchant bank finds you hadn't followed the rules for being fully compliant. I don't think a $10,000 fine is worth the risk. My argument was that as long as you give your merchant bank the PCI scan certificate they should be happy, as long as nothing goes wrong, that is....
__________________
--------------
V4.6.1
xcartmods - Reboot Template

X-cart - X-PDF

Altered Cart - Checkout one
#3
04-30-2012, 05:04 PM
Dima65
Advanced Member
Join Date: Jul 2008
Posts: 79

Re: Does X-Payments have to live on a separate server?

Right, as long as nothing goes wrong, all is always well. But if something does go wrong, it would be good to know what the liabilities are. I think you've answered my question, though.

Unfortunately, VPS accounts are expensive to begin with, so paying for two of them is not feasible to most small merchants, I suspect.

So it seems the only real alternative is to process payments on AuthorizeNet's own site, instead of in the background. Has anyone had any bad experiences with that? I know sending customers to a third-party gateway is not ideal, but AuthorizeNet is pretty well known, so customers should still feel safe. Thoughts, anyone?

D
#4
05-01-2012, 01:03 AM
a1deano
X-Adept
Join Date: Oct 2004
Posts: 745

Re: Does X-Payments have to live on a separate server?

Hi, have you thought about having a small shared hosting account which allows dedicated IPs and SSL just to put X-Payments in? Not sure how this would work for you as you're on VPS, but I am on shared hosting with Handson; they said if I have just a small server just for X-Payments, the total monthly cost for this would be around $25 per month extra. Not what I really want to do since X-Payments is working fine alongside X-Cart, but from a compliance point of view I think it's something I need to do..

You're right, it's not feasible for you to have two VPSs, but maybe one small shared account just for X-Payments, or whether your host could do something for you with your VPS, but I am getting out of my depth now so you would need to check with them..

I've used SecureTrading and customers get redirected to their site, so most people don't have a problem with being redirected then back again, but in saying this it does bother others, and it seems more professional if you stay on site to pay for your goods...
Running the risk is fine as long as nothing goes wrong, but that's a BIG IF!!
#5
05-01-2012, 07:06 AM
totaltec
X-Guru
Join Date: Jan 2007
Location: Louisville, KY USA
Posts: 5,825

Re: Does X-Payments have to live on a separate server?

I think that it is more important from a compliance standpoint to consider hosting the database on a separate server than X-Payments. But I also believe that since X-Cart is not PA-DSS validated, then it compromises the PCI compliance of whatever server it is installed on.

The point of the compliance is to prevent breaches and ensure the security of the web server, so a non-validated application's existence would seemingly bring the entire server out of compliance. So to be completely safe you might need 3 servers!!!

Getting your site to be compliant is such a grey area that it doesn't seem to be worth the effort. What we need to do is find out how many conversions will be lost due to re-direction before we can consider that option.

The general consensus is that re-directing customers away from the site to the hosted gateway will decrease conversions.

I found some opinions on the net to the contrary:
http://forum.boagworld.com/discussion/6549/payment-gateways-on-site-processing-or-hosted-page

One could make the argument that clients feel safer entering their info at PayPal or Authorize.net, but I am not a believer yet.
__________________
Mike White - Now Accepting new clients and projects! Work with the best, get a US based development team for just $125 an hour. Call 1-502-773-6454, email mike at babymonkeystudios.com, or skype b8bym0nkey

XcartGuru
X-cart Tutorials | X-cart 5 Tutorials

Check out the responsive template for X-cart.
#6
05-01-2012, 07:55 AM
cflsystems
Veteran
Join Date: Apr 2007
Posts: 13,427

Re: Does X-Payments have to live on a separate server?

PayPal is well known and actually I think everyone trying to pay with PP will expect to be redirected to PP page to login and complete payment so I don't see a problem there. It is another question that a lot of customers actually don't like PP and will try to avoid using it.

For me personally the problem with redirecting to a payment gateway hosted page is not that you are taking customers away from the site but the way the hosted page looks. There is very little control to modify the design of the page to look like the site. I am pretty sure the average customer does not pay that much attention to the address bar and URL as long as they feel the page is legit and secure.

As for XPayments on a different server - I don't think putting it on shared hosting is any different or more secure than in an XC subdirectory. What happens when some other site on that same shared hosting account is not compliant or is compromised? Your XPayments installation will also be compromised. You will have to do a scan on it as well and state that it is on shared hosting. This just doesn't seem like a good solution to me.
__________________
Steve Stoyanov
CFLSystems.com
Web Development
#7
05-01-2012, 08:01 AM
a1deano
X-Adept
Join Date: Oct 2004
Posts: 745

Re: Does X-Payments have to live on a separate server?

I never thought about that. What if the server got compromised where X-Payments is, could this be a security threat.... a million questions... is X-Payments really worth all this hassle!!
#8
05-01-2012, 08:10 AM
cflsystems
Veteran
Join Date: Apr 2007
Posts: 13,427

Re: Does X-Payments have to live on a separate server?

Securing the server - physically and online - is an ongoing process, it never stops and there is always a risk of someone breaking in. You cannot prevent this no matter what you do, and the PCI-DSS is not there to stop hacking but to make it more difficult and close to impossible, at least that is my understanding.

My point was, if for example you install XPayments on shared hosting and someone else hosts there, say, a WP site, and that WP site is hacked to a point the hacker gets access to the server, it is possible they get access to your XPayments install and db as well. You did everything required to prevent this and you did scans and you get your cert... but the other guy is not responsible for keeping your site out of trouble, they just host an informational WP site and don't care much about security... Your bank will hold you responsible... Of course the host has to make sure the server is PCI compliant, but that doesn't mean it cannot be hacked because one of the sites on it is vulnerable.
#9
05-01-2012, 08:26 AM
totaltec
X-Guru
Join Date: Jan 2007
Location: Louisville, KY USA
Posts: 5,825

Re: Does X-Payments have to live on a separate server?

Totally agree with Steve about all sites being susceptible to hacking. There is always someone out there that can break in no matter what you do. Look at Sony.

The point of being compliant is to do everything you are required to in order to not get fined if/when a breach occurs. From what I have read, virtual private servers are considered safe by the council, but I don't know their exact definitions in those regards. Typical shared hosting is probably not sufficient. VPS or dedicated servers are required in my opinion.
X-Cart forums © 2001-2018