
X-Cart and PCI DSS / PA-DSS compliance

   X-Cart forums > News and Announcements
 
#161
03-02-2010, 04:55 AM
lbs_09
Advanced Member
Join Date: May 2009
Posts: 81
Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by xplorer
eSelect Hosted Paypage API is supported in X-Cart since the 4.3 version.

Is there any way to use it in earlier versions? 4.1.x?
__________________
X-Cart 4.1.11
---------
X-AOM
CDSEO Pro
Altered Cart On Sale
Kosmos Gift Registry
BCSE Shipping Per Product
What's New
xCMS - Blogs, News, Articles
#162
03-24-2010, 04:28 PM
speedyskis
Newbie
Join Date: Mar 2005
Location: Fl
Posts: 1
Re: X-Cart and PCI-DSS / PA-DSS compliance

There are three key areas for PCI DSS - storage, processing, and transmittal.
I don't recommend you store any card data. Period. There are many ways to get around this. If your virtual terminal won't let you do a refund without CVV, you need a new terminal or to change your controls.
THE SERVER
Among the largest processors, First Data is requiring EVERY merchant to pass a PCI Compliance SAQ. If you have an ecommerce site, your site/server will be scanned as part of that process. Tons of merchants process through what's called an "ISO" of First Data. That means a whole bunch of you either already have, or will have to pass that test this year via the third party company they hired, Security Metrics.
You're supposed to do this on your own regardless of your processor, but too many people (50%) didn't so now it's mandatory with at least that processor.
PAYMENT PROCESSING
You need an SSL certificate on any system, and everyone has that part down. But the rest of it is where the problems come into play. There are really no short cuts.
You either have a shopping cart that is certified compliant or not.

Chase Paymentech and others have a stringent cart certification process that most developers have not completed yet.

The hosted payment page is a viable alternative to all the issues and cart certification. I'm not familiar with x-payment. Magento users have a solution through CRE Secure. X-cart users can also use the solution. While X-cart is not a ready made module at this time, you can still use the custom integration. When you add up the cost of scanning and everything else, I'm betting this is a cost effective and quick solution.

check out this page for how it works
http://www.cresecure.com/pages.php?pID=7&CDpath=0

(I'm the "payment network" in the diagram; I have no vested interest in CRE other than it makes clients compliant.)

I hope this helps those with immediate needs.
__________________
Chris
Ecommerce merchant services specialist
Former ecommerce/SEO developer (10 years+)
x-cart latest version
#163
03-25-2010, 05:20 AM
geckoday
X-Wizard
Join Date: Aug 2005
Posts: 1,073
Re: X-Cart and PCI-DSS / PA-DSS compliance

CRE Secure is really just another hosted payment page like Authorize.Net SIM or Paypal Payflow Link. To pay extra for CRE Secure when many gateways already have hosted payment page options at no cost to the merchant doesn't seem to be a cost effective solution. Yes, CRE Secure automatically scrapes your site design so you don't need to fiddle with configuring a hosted payment page to match your site. But to avoid a per transaction cost on every transaction and the cost of integration I would take the time to configure a hosted payment page at a gateway already supported by X-Cart.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com
#164
03-31-2010, 11:25 AM
robertswww
X-Adept
Join Date: Jul 2003
Posts: 586
Re: X-Cart and PCI-DSS / PA-DSS compliance

PCI info for those X-Cart users who use PayPal for your merchant account...

PayPal and PCI compliance (Website Payments Pro, Payflow Pro, or Virtual Terminal):
https://www.paypal.com/pcicompliance

PayPal helps (from the above link):
PayPal has partnered with ScanAlert, a Visa and MasterCard-certified PCI vendor, to help our customers comply at no cost for the first year. Enroll online with ScanAlert at: https://www.scanalert.com/SignUp.sa?oc=9673.


PCI Data Security Standards: Payment Card Industry Data Security Standards (PCI DSS) are a set of network security and business practice guidelines adopted by major credit card companies to help protect customers' payment card information. This module reviews the 12 requirements all merchant websites must meet to comply with PCI DSS. We also explain how to validate compliance and how to implement and support PCI DSS when using a PayPal solution.

Module:
http://www2.eventsvc.com/paypaldev/event/0a654a52fd7a4c9db8ef81d3441f4c1d

PCI Compliance for PayPal Developers (PDF):
https://cms.paypal.com/cms_content/CA/en_US/files/developer/PP_PCI_Compliance_WhitePaper.pdf

PCI DSS Compliance – Website Payments Standard:
https://www.paypal.com/cgi-bin/webscr?cmd=xpt/Marketing/merchant/PCIComplianceDSS-outside

PDF:
https://www.paypalobjects.com/WEBSCR-620-20100330-1/en_US/pdf/PP_WebsitePaymentsStandard_PCIComplianceDSS.pdf

PCI Compliance Solutions:
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/solutions_pci_compliance

---

And from PCI Security Standards Council...

PCI DSS New Self-Assessment Questionnaire (SAQ) Summary V1.2:
https://www.pcisecuritystandards.org/saq/instructions_dss.shtml

Self-Assessment Questionnaire - Instructions and Guidelines v1.1 (PDF):
https://www.pcisecuritystandards.org/pdfs/instructions_guidelines_v1-1.pdf
__________________
X-cart 4.1.10
#165
03-31-2010, 12:23 PM
geckoday
X-Wizard
Join Date: Aug 2005
Posts: 1,073
Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by robertswww

And from PCI Security Standards Council...

PCI DSS New Self-Assessment Questionnaire (SAQ) Summary V1.2:
https://www.pcisecuritystandards.org/saq/instructions_dss.shtml

Self-Assessment Questionnaire - Instructions and Guidelines v1.1 (PDF):
https://www.pcisecuritystandards.org/pdfs/instructions_guidelines_v1-1.pdf
The SAQ Instructions and Guidelines v1.1 have been out of date for over a year now. The correct link to the 1.2 version is:
https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_instr_guide.pdf
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com
#166
04-04-2010, 06:01 PM
happycamper
Advanced Member
Join Date: Dec 2004
Posts: 76
Re: X-Cart and PCI-DSS / PA-DSS compliance

This thread is making me dizzy, so please forgive my basic questions:

- I'm currently using 4.0.19 and TrustCommerce (a gateway that I see will not be supported in 4.3). I do not store customer credit card data in my store. Will I still be considered non PCI compliant when the new rules go into effect?

- TrustCommerce is offering me a better discount rate if I sign a new 2-year contract with them. I've been satisfied with them, but should I not sign up for 2 more years, given that newer versions of X-Cart won't support them?

Thanks for helping me understand how to proceed.
__________________
Currently 4.0.19
Upgrading to ?????
#167
04-05-2010, 06:41 AM
geckoday
X-Wizard
Join Date: Aug 2005
Posts: 1,073
Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by happycamper
- I'm currently using 4.0.19 and TrustCommerce (a gateway that I see will not be supported in 4.3). I do not store customer credit card data in my store. Will I still be considered non PCI compliant when the new rules go into effect?
PCI-DSS compliant - probably (depends on your Self Assessment Questionnaire answers and quarterly vulnerability scans).

Compliant with the new VISA mandate to use PA-DSS certified applications - no.
Quote:
Originally Posted by happycamper
- TrustCommerce is offering me a better discount rate if I sign a new 2-year contract with them. I've been satisfied with them, but should I not sign up for 2 more years, given that newer versions of X-Cart won't support them?
Unless they are going to supply you with some way of meeting the VISA mandate then no, I wouldn't sign a long term contract. You can ask them if they will develop the X-Payments module for their gateway or if they will build an Authorize.Net emulation API for their gateway. If not, I would be looking elsewhere. When it comes to credit card processing rates it never hurts to look around anyway.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com
#168
04-20-2010, 02:30 PM
icnjan
Advanced Member
Join Date: Nov 2004
Location: Wine Country, California
Posts: 80
Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by geckoday
But to avoid a per transaction cost on every transaction and the cost of integration I would take the time to configure a hosted payment page at a gateway already supported by X-Cart.

Could you please share some recommended "hosted payment pages"?
__________________
X-Cart Version 4.1.12
Dedicated server
#169
04-28-2010, 05:12 AM
BCSE
X-Guru
Join Date: Apr 2003
Location: Ohio - bcsengineering.com
Posts: 3,060
Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by icnjan
Could you please share some recommended "hosted payment pages"?

We have been researching many and find these to be popular and also well configurable:

-Authorize.net SIM
-Payflow Link
-CyberSource (Hosted)

Cybersource looked pretty interesting as far as making the checkout look like your own site.

Hope that helps!

Carrie
__________________
Custom Development, Custom Coding and Pre-built modules for X-cart since 2002!

We support X-cart versions 3.x through 5.x!

Home of the famous Authorize.net DPM & CIM Modules, Reward Points Module, Point of Sale module, Speed Booster modules and more!


Over 200 X-cart Mods available & Thousands of Customizations Since 2002 - bcsengineering.com

Please E-Mail us for questions/support!
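The hosted-payment-page approach discussed in posts #162, #163 and #169 works because the card form lives on the gateway, so the PAN and CVV never reach the merchant's server; what the merchant still has to get right is authenticating the two hops: the signed handoff that sends the order and amount to the gateway, and the signed result the gateway relays back. The Python below is an added example written for this editorial pass, not code from X-Cart, X-Payments, Authorize.Net, PayPal or CyberSource. The field names, the caret-delimited canonical string, the shared secret and the use of HMAC-SHA256 are assumptions chosen to show the pattern; they are not any of those gateways' actual wire formats.

```python
"""Hosted-payment-page handoff, both directions authenticated.

Generic model (assumption): field names, delimiter and HMAC-SHA256 are
illustrative, not a real gateway's format. Card data never appears here.
"""
import hashlib
import hmac
import secrets
import time

# Constructed demo values; in practice the secret is issued by the gateway.
MERCHANT_ID = "mer_demo_001"
GATEWAY_SECRET = b"constructed-demo-secret-do-not-reuse"

HANDOFF_FIELDS = ("merchant", "order", "amount", "currency", "ts", "nonce")
RESPONSE_FIELDS = ("merchant", "order", "amount", "currency", "result", "txid")


def _money(amount_cents):
    return f"{amount_cents // 100}.{amount_cents % 100:02d}"


def _sign(fields, names):
    # Fixed field order plus a delimiter, so every authenticated value is
    # covered by the MAC and no field can be shifted into another.
    msg = "^".join(fields[n] for n in names).encode()
    return hmac.new(GATEWAY_SECRET, msg, hashlib.sha256).hexdigest()


def build_handoff(order_id, amount_cents, currency="USD", ts=None, nonce=None):
    """Merchant side: fields the browser posts to the hosted card page."""
    fields = {
        "merchant": MERCHANT_ID,
        "order": order_id,
        "amount": _money(amount_cents),
        "currency": currency,
        "ts": str(int(ts if ts is not None else time.time())),
        "nonce": nonce or secrets.token_hex(8),
    }
    fields["fp"] = _sign(fields, HANDOFF_FIELDS)
    return fields


def gateway_accept_handoff(fields, now=None, max_age=900):
    """Gateway side: refuse a forged or stale amount/order before showing
    the card form (the shopper controls the browser, so the posted fields
    are untrusted until the fingerprint checks out)."""
    try:
        expected = _sign(fields, HANDOFF_FIELDS)
        ts = int(fields["ts"])
    except (KeyError, ValueError):
        return False
    if not hmac.compare_digest(expected, fields.get("fp", "")):
        return False
    now = int(now if now is not None else time.time())
    return 0 <= now - ts <= max_age


def gateway_response(handoff, result, txid):
    """Gateway side: signed outcome relayed back through the browser."""
    resp = {n: handoff[n] for n in ("merchant", "order", "amount", "currency")}
    resp.update({"result": result, "txid": txid})
    resp["sig"] = _sign(resp, RESPONSE_FIELDS)
    return resp


def merchant_accept_response(resp, order_id, amount_cents, currency="USD",
                             seen_txids=None):
    """Merchant side: an order is 'paid' only if the signature verifies AND
    the signed fields match the order the merchant itself created."""
    try:
        expected = _sign(resp, RESPONSE_FIELDS)
    except KeyError:
        return False
    if not hmac.compare_digest(expected, resp.get("sig", "")):
        return False  # forged or edited relay response
    if resp["merchant"] != MERCHANT_ID or resp["order"] != order_id:
        return False
    if resp["amount"] != _money(amount_cents) or resp["currency"] != currency:
        return False  # paid a different amount than the order total
    if resp["result"] != "approved":
        return False
    if seen_txids is not None:
        if resp["txid"] in seen_txids:
            return False  # replayed response for an already-credited txid
        seen_txids.add(resp["txid"])
    return True


if __name__ == "__main__":
    h = build_handoff("ORD-1", 1999)
    assert gateway_accept_handoff(h)
    r = gateway_response(h, "approved", "tx-0001")
    print("paid:", merchant_accept_response(r, "ORD-1", 1999))
```

The cases that matter are the ones the checks reject: a shopper editing the posted amount before it reaches the gateway, a forged or edited "approved" relay landing on the merchant's return URL, a response for a different order or amount being pasted in, and the same genuine response being replayed to credit a second order. Whatever hosted page you pick from the list above, confirm its documentation gives you both a signed request and a signed or server-to-server confirmed response, and that your integration actually compares the returned amount against the order.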
#170
04-28-2010, 05:55 AM
lbs_09
Advanced Member
Join Date: May 2009
Posts: 81
Re: X-Cart and PCI-DSS / PA-DSS compliance

For Canadians I recommend:

Elavon / Virtual Merchant
Moneris / eSelectPlus

Depending on the version of x-cart you have you may have to pay someone to backport the integration file for you like we did. This costs about $200. Elavon has better credit card rates but Moneris has more complex software so it just depends what your needs are. Also you can get better rates from Moneris but you have to negotiate hard.
__________________
X-Cart 4.1.11
---------
X-AOM
CDSEO Pro
Altered Cart On Sale
Kosmos Gift Registry
BCSE Shipping Per Product
What's New
xCMS - Blogs, News, Articles
X-Cart forums © 2001-2020