Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements
#111
Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements
OK, got it.
One more question: Let's say you buy/use X-Payments and are a level 4 merchant. Are the quarterly scans and yearly questionnaire still necessary? If they ARE still necessary, what is the point of X-Payments? From this link, under point #4, it sounds like you are compliant if you just fill out the questionnaire and scan quarterly (although time consuming).
__________________
Aaron Running version: 4.5.5
#112
Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements
http://usa.visa.com/merchants/risk_management/cisp_merchants.html#anchor_2 Visa just says "if applicable" under tier 4. I can't seem to find the definition of when these scans are "applicable". I would do the scan if I were you, but maybe search for a low cost provider.
I just found these guys: http://www.ncircle.com/index.php?s=products_pci-compliance looks like just $25.00 per scan or you can get an annual subscription which may lower the cost further. Again never used them, but the price looks good... Edit: just found this- "Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Note scanning does not apply to all merchants. It is required for SAQ C and D - those merchants with external facing IP addresses. Basically if you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly scan by an approved scanning vendor is required." In most X-Payments/X-Cart installs there is some "internet connectivity" involved. So the answer is yes, you must be scanned.
The point is that you must use a PA-DSS validated payment application, or redirect the cardholders to the processor's site. Using a validated app is only one piece of the puzzle, you must be scanned and modify any problems with your hosting identified by the scan. Additionally you must have corporate policies in place for dealing with cardholder data. You can see an example security policy here: https://www.pcisecuritystandards.org/docs/pci_saq_c.doc
__________________
Mike White - Now Accepting new clients and projects! Work with the best, get a US based development team for just $125 an hour. Call 1-502-773-6454, email mike at babymonkeystudios.com, or skype b8bym0nkey XcartGuru X-cart Tutorials | X-cart 5 Tutorials Check out the responsive template for X-cart.
#113
Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements
I currently use Realex's addon module for Realex remote payments that customers fill in a form on our website and the data is sent to Realex and replied back.
I'm guessing I need to now start using x-payments because I am transmitting data? Would I need to install x-payments and then the Realex addon into that? We Bank with Allied Irish Bank and use Realex and have not even been contacted about PCI or PA-DSS compliance!!
__________________
Live with Gold 4.5.1 Dedicated Linux server MaxCDN 4 pull zones Dedicated SSL
#114
Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements
Actually, we are planning to launch X-Payments Hosted plan on our hosting very soon. Please sign up for receiving our announcement at http://eepurl.com/kBo9v
__________________
Sincerely yours, Alex Mulin VP of Business Development for X-Cart X-Payments product manager
#115
Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements
Clearly the rep you spoke to doesn't understand the situation - nor would their tech support I wouldn't think. This is a regulation enforced by the Merchant Bank, not the gateway. Auth.net doesn't care where the sales come from - whether it be a validated cart or not, it is all the same to them.
__________________
Padraic Ryan Ryan Design Studio Professional E-Commerce Development
#116
Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements
Hi All,
I have read this thread with great interest and having read it, I am very glad we made the decision several years ago (right at the inception of PCI in the UK) to move customer payments away from our website to our 3rd party Payment Processor (who naturally have the highest level of PCI compliance). By so doing, and following one or two other simple procedures, we became PCI compliant overnight. From talking to our acquiring bank (we work with one of the UK's "big 4" banks) we were their first customer to become PCI compliant in the UK. We were also their first to renew compliance last year. I can only speak for the UK but our bank does enforce PCI compliance and started doing so 12 months or so ago. They are one of the big 4 UK banks so I guess the others will follow suit, if they are not already.

I only mention all this because we are a very small company but because we were "first up" with our bank, we had some input to our bank's processes and also some very good feedback from them. They also put us in touch with some senior bods at MasterCard who were heading up aspects of PCI, as we had many questions that no-one else was yet asking in the UK at the time. In turn we were put in contact with a top PCI consultant from the US (consulting to major brands). His advice is the reason I am posting on this thread and it went along the lines of "unless you are a major business, perhaps along the lines of a famous retailer named after renowned female warriors, you should not be considering hosting payment pages on your store". I appreciate this is quite stark advice and many will disagree. However, his reasoning for this advice was that he foresaw years of increasingly onerous legislation and compliance, getting stricter each year. He also foresaw increasingly draconian penalties. He felt that the goal posts would move many times and that store owners would be placed in an increasingly difficult and exposed position.

Perhaps I am wrong but it seems to me that his predictions are starting to be borne out. We made the move immediately after speaking to him and have rested easy ever since. It was not too costly and was reasonably simple to achieve. To those on this forum who bemoan the 3rd party solution as somehow being detrimental to sales conversions because customers do not like it, or get confused, all I can say is that our experience has been the absolute opposite. Our basket-to-order conversion rate (which we do measure) has increased significantly year-on-year since we made the change. It does of course depend how you implement the changes, how you explain it in your site and how you manage the redirection to the payment processor. But our experience has only been positive. We are a business-to-business site and perhaps for more retail-orientated sites, where customers may be less well informed, the experience will be different, I do not know.

I just wanted to share our experience as a counter-point to some of the posts on here, to give an alternative view that will maybe help some store owners make the right decision, one way or the other. To host or not to host, that is the question. . . . .
__________________
SJ B2B Site Owner X-cart Gold 4.3.1
#117
Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements
In Case anyone is interested, we have decided to take another approach and work with our cc processor/gateway and create a new module that will work like this:
1. On the One Page Checkout, the customer selects "Credit Card".
2. When they click the Submit Button, the X-Cart Dialog modal box (like the login modal box) opens over top of the Checkout page, where the customer enters their CC info and clicks submit.
3. Upon a successful payment processing, the page is directed to the X-Cart receipt page as normal.

The benefits of this method are:
1. The customer never leaves the site to enter their CC Info.
2. The X-Cart installation is out of scope for PCI and PA DSS Compliance - meaning that you do not need to have your website or web server validated. This is because technically, credit card info only "looks" like it is being entered into X-Cart via a modal box, but in fact it is being entered into a PCI DSS validated middleware. This is a great solution for any size X-Cart site, but especially for small sites that are on shared hosting accounts.
3. We want to make it available at no cost for merchants who switch to our payment processor/gateway (the one we work with).

If anyone is interested, PM me for details. They tell me they can match whatever rates people already pay.
__________________
Joel Rhome x-cart 4.4.X
#118
Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements
This does sound like a good idea. I wonder how "legal" it is to show the hosted payment page in a popup instead of redirecting the whole browser to it and if this in fact takes the cart out of scope?
__________________
Steve Stoyanov CFLSystems.com Web Development
#119
Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements
I had the same question, but according to those I have spoken with, and documentation, the reason that this method takes X-Cart out of scope, is that it is the middleware capturing the cc info, and not even the modal. It isn't quite a "hosted" off site gateway like Authorize.net SIM or Paypal, but rather, it is a patented technology that is Validated. All I know is that the middleware is validated, and those who do the PCI Compliance validation tell me that X-Cart is out of scope this way.
__________________
Joel Rhome x-cart 4.4.X
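The modal approach discussed in #117 and #119 only keeps the cart out of scope if the card number genuinely never reaches the merchant's page or server. As an added illustration (this is not Joel's module, nor X-Cart or X-Payments code), here are two guards a merchant page could put around such a third-party modal, written in plain JavaScript so they run under Node as well as in a browser: an origin allowlist for the result the modal posts back (the shape of a `window.postMessage` event), and a pre-submit check that refuses any checkout payload containing something that looks like a PAN. The processor origin, the `tok_` token format and the field names are assumptions made for the example.

```javascript
// Added example, not code from the thread or any payment vendor. Assumed
// processor origin; a real integration uses the origin the processor documents.
const PROCESSOR_ORIGIN = 'https://pay.example-processor.test';

// 1. Accept a payment result only from the processor's own origin and only in
// the expected shape. Mirrors checking `event.origin` and `event.data` on a
// postMessage event from the modal iframe; anything else is ignored so a
// script elsewhere on the page cannot hand the cart a forged "paid" result.
function acceptProcessorMessage(event) {
  if (typeof event !== 'object' || event === null) return null;
  if (event.origin !== PROCESSOR_ORIGIN) return null;
  const data = event.data;
  if (typeof data !== 'object' || data === null) return null;
  // Assumed token format: "tok_" followed by at least 16 alphanumerics.
  if (typeof data.token !== 'string' || !/^tok_[A-Za-z0-9]{16,}$/.test(data.token)) return null;
  return { token: data.token, last4: String(data.last4 || '').slice(-4) };
}

// 2. Luhn (mod 10) checksum, which every real card number satisfies.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value looks like a PAN if, with spaces and dashes removed, it is 13 to 19
// digits and passes Luhn. Order ids and zip codes fall outside that range.
function looksLikePan(value) {
  if (typeof value !== 'string' && typeof value !== 'number') return false;
  const digits = String(value).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// 3. Before the cart submits, logs or stores a checkout form, walk every field
// and reject the whole request if any value looks like a PAN. The only card
// related value the cart should ever hold is the processor's token.
function checkoutPayloadIsClean(payload) {
  const offending = [];
  const walk = (obj, path) => {
    for (const [k, v] of Object.entries(obj)) {
      const p = path ? `${path}.${k}` : k;
      if (v && typeof v === 'object') walk(v, p);
      else if (looksLikePan(v)) offending.push(p);
    }
  };
  walk(payload, '');
  return { clean: offending.length === 0, offending };
}

// Constructed sample inputs (4111 1111 1111 1111 is a well-known Visa test number).
const goodMsg = { origin: PROCESSOR_ORIGIN, data: { token: 'tok_A1b2C3d4E5f6G7h8', last4: '1111' } };
const forgedMsg = { origin: 'https://evil.example.test', data: { token: 'tok_A1b2C3d4E5f6G7h8' } };
const goodOrder = { order_id: 1234, payment: { token: 'tok_A1b2C3d4E5f6G7h8' }, ship: { zip: '40202' } };
const leakyOrder = { order_id: 1234, payment: { number: '4111 1111 1111 1111', cvv: '123' } };

function demo() {
  console.log(acceptProcessorMessage(goodMsg));     // { token: 'tok_...', last4: '1111' }
  console.log(acceptProcessorMessage(forgedMsg));   // null
  console.log(checkoutPayloadIsClean(goodOrder));   // { clean: true, offending: [] }
  console.log(checkoutPayloadIsClean(leakyOrder));  // { clean: false, offending: [ 'payment.number' ] }
}
demo();
```

These guards are a safety net against an integration regressing (a theme or customisation adding a card field to the cart's own form), not a substitute for the processor's validation. Whether the cart is actually out of scope is a determination for the acquirer or assessor, as the thread itself notes.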
#120
Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements
__________________
Sincerely yours, Sergey Fomin X-Cart team Chief support group engineer === Check this out. Totally revamped X-Cart hosting http://www.x-cart.com/hosting.html Follow us: https://twitter.com/x_cart / https://www.facebook.com/xcart / https://www.instagram.com/xcart Last edited by ambal : 04-03-2012 at 09:58 PM.
X-Cart forums © 2001-2020