
Authorize.net DPM (PA/DSS Compliant)
 
#21 (03-16-2011, 05:24 AM)
Ene (X-Cart team; Join Date: Aug 2004; Posts: 907)

Quote:
Originally Posted by balinor
Because the credit card form isn't actually on your site and the data isn't processed by your site.

Hm, if you use Authorize.Net DPM, then the credit card form is generated by your shopping cart/scripts.
__________________
Eugene Kaznacheev,
Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009)

ex-Head of X-Cart Tech Support Department
ex- X-Cart Hosting Manager - X-Cart hosting
ex-X-Cart Technical Support Engineer


Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.

#22 (03-16-2011, 05:26 AM)
Anna_S (Newbie; Join Date: Nov 2008; Posts: 2)

Also, I don't see Auth.net advertises DPM as a cure for PA-DSS
__________________
4.1.11

#23 (03-16-2011, 05:48 AM)
balinor (Veteran; Join Date: Oct 2003; Location: Connecticut, USA; Posts: 30,253)

Perhaps BCS should step in here and answer this question, as clearly there is some confusion - my own included
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development

#24 (03-16-2011, 07:55 AM)
gravel (Senior Member; Join Date: Mar 2004; Posts: 156)

I think the concept behind this is the same as the Braintree Transparent Redirect:

The key thing isn't where the cc information is typed in; it's where and how information is sent. A customer's computer is completely outside of PCI scope, and they can type their cc numbers anywhere on their computer til the cows come home, with no problem. It's how and where the numbers are sent that makes the difference.

So they type it in their browser but instead of it being sent to your server, that information is sent directly to the gateway (Braintree / Authorize.net). Your hosting server never sees it.
__________________
X-Cart version 4.0.17
X-Cart version 4.0.18
Web servers = Apache
OS = Linux

The following user thanks gravel for this useful post:
gb2world (03-16-2011)
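
The distinction drawn in post #24 (the card form is served by the shop, but its fields are posted to the gateway and never to the shop's server) can be checked on a rendered checkout page. The following is an added example, not part of the thread or of any module discussed in it; the hosts, paths and the Authorize.Net-style field names are assumptions used for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed card-field markers: Authorize.Net-style field names plus the
# standard HTML autocomplete tokens for card data.
CARD_NAMES = {"x_card_num", "x_exp_date", "x_card_code"}
CARD_AUTOCOMPLETE = {"cc-number", "cc-exp", "cc-csc"}

# Constructed sample pages; hosts and paths are placeholders.
DPM_PAGE = ('<form method="post" action="https://gateway.example/transact">'
            '<input name="x_card_num" autocomplete="cc-number">'
            '<input name="x_exp_date"></form>')
LEGACY_PAGE = ('<form method="post" action="/checkout/pay">'
               '<input name="x_card_num"><input name="x_card_code"></form>')


class FormAudit(HTMLParser):
    """Record each form's resolved action URL and the card inputs inside it."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self.current = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page itself.
            action = urljoin(self.page_url, a.get("action") or "")
            self.current = {"action": action, "card_fields": []}
            self.forms.append(self.current)
        elif tag in ("input", "select") and self.current is not None:
            name = (a.get("name") or "").lower()
            tokens = set((a.get("autocomplete") or "").lower().split())
            if name in CARD_NAMES or tokens & CARD_AUTOCOMPLETE:
                self.current["card_fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None


def audit_checkout(html, page_url, gateway_host):
    """Return (action, card_fields) for card forms not posting to the gateway over HTTPS."""
    parser = FormAudit(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urlparse(form["action"])
        if form["card_fields"] and (target.scheme, target.hostname) != ("https", gateway_host):
            findings.append((form["action"], form["card_fields"]))
    return findings
```

This is a static check of the served markup only: it does not see script that changes a form's action at runtime, and it says nothing about which SAQ applies to a given merchant.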
#25 (03-16-2011, 08:09 AM)
BCSE (X-Man; Join Date: Apr 2003; Location: Ohio - bcsengineering.com; Posts: 2,902)

Quote:
Originally Posted by gravel
I think the concept behind this is the same as the Braintree Transparent Redirect:

The key thing isn't where the cc information is typed in; it's where and how information is sent. A customer's computer is completely outside of PCI scope, and they can type their cc numbers anywhere on their computer til the cows come home, with no problem. It's how and where the numbers are sent that makes the difference.

So they type it in their browser but instead of it being sent to your server, that information is sent directly to the gateway (Braintree / Authorize.net). Your hosting server never sees it.

I think Gravel explains it very well.

Authorize.net can't say it takes you out of PA/DSS scope because they cannot comment on your other business processes which may touch/transmit CC information. This is also why we state on our site that it
Quote:
supports you to be PCI compliant including the new PA/DSS standard

and

Quote:
Allows the store owner to complete PCI compliance with a Self Assessment Questionnaire (SAQ) A, instead of the more complex SAQ D*.
.....

* A full assessment of a vendor's specific business process is required to determine which SAQ needs to be completed to achieve PCI compliance.

So it is one step towards PCI compliance, but PCI compliance goes beyond just your payment gateway.

This is also the same as X-payments if you choose to use that route. It's just one step towards PCI compliance.

I hope this helps.

Carrie
__________________
Custom Development, Custom Coding and Pre-built modules for X-cart since 2002!

We support X-cart versions 3.x through 5.x!

Home of the famous Authorize.net DPM & CIM Modules, Reward Points Module, Point of Sale module, Speed Booster modules and more!


Over 200 X-cart Mods available & Thousands of Customizations Since 2002 - bcsengineering.com

Please E-Mail us for questions/support!

The following user thanks BCSE for this useful post:
gb2world (03-16-2011)
#26 (03-16-2011, 08:39 AM)
balinor (Veteran; Join Date: Oct 2003; Location: Connecticut, USA; Posts: 30,253)

Yea, that's what I meant
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development

#27 (03-16-2011, 10:27 AM)
gb2world (X-Wizard; Join Date: May 2006; Location: Austin, TX; Posts: 1,970)

For what it is worth - I sent the links for DPM and also the product descriptions on BCSE's site to the director of PCI compliance for the bank who holds the merchant account for one of my clients. They reviewed it and let this particular client know that they would qualify to use SAQA for compliance. I always advise people to try and get the plans for compliance to be reviewed by the bank (with mixed results).

---
__________________
X-CART (4.1.9,12/4.2.2-3/4.3.1-2/4.4.1-5)-Gold
(CDSEO, Altered-Cart On Sale, BCSE Preorder Backorder, QuickOrder, X-Payments, BCSE DPM Module)

The following user thanks gb2world for this useful post:
zgtecinc (07-29-2011)
#28 (03-16-2011, 05:28 PM)
BCSE (X-Man; Join Date: Apr 2003; Location: Ohio - bcsengineering.com; Posts: 2,902)

Quote:
Originally Posted by gb2world
For what it is worth - I sent the links for DPM and also the product descriptions on BCSE's site to the director of PCI compliance for the bank who holds the merchant account for one of my clients. They reviewed it and let this particular client know that they would qualify to use SAQA for compliance. I always advise people to try and get the plans for compliance to be reviewed by the bank (with mixed results).

---


Glad to hear they were able to do the SAQA! That's good news! Thanks for letting us know.

Carrie

#29 (03-16-2011, 08:12 PM)
gb2world (X-Wizard; Join Date: May 2006; Location: Austin, TX; Posts: 1,970)

No Carrie - thank you. Your mod + DPM is a real game changer for my newer Authorize.net clients as well as the clients I have that were lucky enough to get delayed by the confusion over PCI/DSS compliance. (I guess sometimes the late bird lucks out and gets a worm as well.) I hope Authorize.net, Braintree and others with these methods start getting a competitive advantage so the other gateways are encouraged to do it as well. (I'm plagued with several Innovative and Cybersource accounts to support.) But even within Authorize.net - they ignore my pleading with them to offer a DPM for their CIM method! Not that I want to give X-Payments an early retirement - but with the gateways knowing this kind of thing is possible and not doing it - we'll still need X-Payments.

Also - for at least 2 of my clients, it swings us back in favor of upgrading to 4.4.x or waiting for 5, instead of leaving X-Cart altogether. If more gateways start implementing similar methods, and you are still able to release reasonably priced connectors - this should be good news for QT too.

---
__________________
X-CART (4.1.9,12/4.2.2-3/4.3.1-2/4.4.1-5)-Gold
(CDSEO, Altered-Cart On Sale, BCSE Preorder Backorder, QuickOrder, X-Payments, BCSE DPM Module)

#30 (03-18-2011, 03:41 AM)
ambal (X-Cart team; Join Date: Sep 2002; Posts: 4,109)

Just to make sure we are on the same track - we are talking about one of the PCI-DSS requirements - having to use a PA-DSS certified solution in case you want customers to enter credit card details on your site.

Technically DPM implementation makes entering credit card details "out of scope" of your shopping cart, but at the same time the credit card details page belongs to shopping cart application and this is the fuzzy moment here - must that shopping cart application be PA-DSS certified or not?

Our QSA suggested that yes, since the credit card form is generated by the application, and this is the main reason we had to implement a separate "enter credit card details" page in X-Payments.

Looks like DPM makes meeting PCI-DSS requirements easier for a merchant (SAQ A instead of SAQ C according to gb2world's post), but it can't be advertised as a PA-DSS compliant solution (Auth.net doesn't advertise it as such either). Nor is DPM a replacement for X-Payments in terms of "using a PA-DSS certified solution".

I am still not sure whether or not it can be a way to avoid having to use a PA-DSS certified solution.

I "+1" to gb2world's suggestion:
Quote:
Originally Posted by gb2world
I always advise people to try and get the plans for compliance to be reviewed by the bank

Ask *your bank* before implementing DPM or anything else. PCI-DSS requirements are vague and different specialists may understand it differently.

PS:
and post your results here to help other merchants, too!
__________________
Sincerely yours,
Alex Mulin
VP of business development for X-Cart
X-Payments project manager