X-Payments 1.0 beta5 announcement

 
Closed Thread
   X-Cart forums > News and Announcements
 
#271, 07-14-2010, 05:03 AM
ambal (X-Cart team; Join Date: Sep 2002; Posts: 4,119)
Re: X-Payments 1.0 beta5 announcement

Canuck, since this issue is server related we have to ask you to help debug code. I am sorry for this frustration but you are the only person with such a problem at the moment.

With regards to BeanStream partial capturing - I see you are discussing this issue with our complaints manager already as well as slow response time. This is the right way.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
#272, 07-14-2010, 11:22 AM
dmr8448 (Senior Member; Join Date: Jun 2003; Posts: 123)
Re: X-Payments 1.0 beta5 announcement

Quote:
Originally Posted by ambal
OK, here go the patch for disabling LUHN card number verification in X-Payments (see attached Attachment 2010).

Download it to your computer, rename to patch.diff and apply to your X-Payments installation.

Once applied you will need to set "Y" for "turn_off_luhn_check" option, i.e make it
turn_off_luhn_check=Y
in [security] section in {xp_dir}/config/config.ini.php file

This will disable LUHN in X-Payments.
Absence of the config option or "turn_off_luhn_check=N" means LUHN check of credit card numbers is enabled.

I have just downloaded and installed the official release of x-payments and have set the LUHN option above to "Y" and I am still getting the issue that this was supposed to have fixed. Do we still have to apply this patch if we are using the actual released non-beta version?
__________________
Version 4.3.2
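The behaviour ambal describes in the quoted post (a card number is Luhn-checked unless `turn_off_luhn_check=Y` is set in the `[security]` section of config.ini.php, with a missing option or `N` meaning the check stays on) can be illustrated in a few lines. This is an added example written for this page, not X-Payments code (which is PHP); the function names, the `config.ini.php` sample text and the card numbers are constructed for the illustration.

```python
"""Luhn (mod 10) check with a config toggle modelled on the
turn_off_luhn_check option described in the thread.
Added illustration, not X-Payments code."""
import configparser

# Constructed config.ini.php fragments (the leading ';<?php die(); ?>' line
# is the usual PHP guard and is read by configparser as a comment).
SAMPLE_INI_CHECK_OFF = """;<?php die(); ?>
[security]
turn_off_luhn_check=Y
"""
SAMPLE_INI_CHECK_ON = """;<?php die(); ?>
[security]
turn_off_luhn_check=N
"""
SAMPLE_INI_OPTION_ABSENT = """;<?php die(); ?>
[security]
"""


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.
    Spaces and dashes are tolerated; any other non-digit fails."""
    digits = [c for c in number if c not in " -"]
    if not digits or not all(c.isdigit() for c in digits):
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 when the doubled value has two digits.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_enabled(ini_text: str) -> bool:
    """Mirror the semantics stated in the thread: the check is enabled
    unless [security] turn_off_luhn_check is Y. A missing section, a
    missing option, or N all mean the check is enabled."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    value = cp.get("security", "turn_off_luhn_check", fallback="N")
    return value.strip().upper() != "Y"


def accept_card_number(number: str, ini_text: str) -> bool:
    """Decide whether a submitted card number passes the Luhn gate
    under the given configuration."""
    if not luhn_check_enabled(ini_text):
        return True  # operator switched the checksum off, as in the thread
    return luhn_valid(number)


if __name__ == "__main__":
    # Constructed sample inputs: a well-known test PAN and a one-digit typo of it.
    for pan in ("4111 1111 1111 1111", "4111 1111 1111 1112"):
        print(pan, "check on:", accept_card_number(pan, SAMPLE_INI_CHECK_ON),
              "check off:", accept_card_number(pan, SAMPLE_INI_CHECK_OFF))
```

The Luhn checksum is public and only catches mistyped numbers; switching it off removes a typo filter, not a fraud control, so a merchant who sets `turn_off_luhn_check=Y` to accommodate a gateway or test card should expect the gateway itself to reject malformed numbers instead.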
#273, 07-14-2010, 11:48 AM
geckoday (X-Wizard; Join Date: Aug 2005; Posts: 1,073)
Re: X-Payments 1.0 beta5 announcement

Quote:
Originally Posted by ambal
re: pin codes - post your better idea to http://ideas.x-cart.com please
We are opened for new ideas!
How about just eliminating the PIN codes? I haven't run into a gateway yet that requires two factor authentication so why does X-Payments? Don't tell me it's because PCI-DSS requires two factor authentication. That's only for remote network level access (VPN) to the cardholder data environment not application level access. The same goes for the crazy encryption junk that is needed to communicate between X-Cart and X-Payments. What was that for????? Again, no payment gateway requires this stuff - https is sufficient along with a user name and password. You guys went so nutsy overboard on X-Payments it's incredibly customer unfriendly when it doesn't need to be.

As for ideas.x-cart.com - when you reopen one page checkout or give me my votes back I might actually visit there again. One page checkout was closed with credit card payments still being two pages. I didn't get my votes back so I gave up on it being a way to actually influence development. Don't tell me it can't be done - other carts do it and third parties are starting to do it for X-Cart. You guys need to start thinking customer friendly instead of tech-nerd excuses and over-engineering.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com

The following 5 users thank geckoday for this useful post:
carpeperdiem (07-14-2010), cflsystems (07-14-2010), cherie (07-14-2010), Emerson (07-14-2010), stevekem (08-14-2010)
#274, 07-14-2010, 02:38 PM
cflsystems (Veteran; Join Date: Apr 2007; Posts: 14,190)
Re: X-Payments 1.0 beta5 announcement

I asked about the pins in the beginning of this thread and did not get an answer. Hope you do get one so we all know.
__________________
Steve Stoyanov
CFLSystems.com
Web Development
#275, 07-14-2010, 04:24 PM
Ene (X-Cart team; Join Date: Aug 2004; Posts: 907)
Re: X-Payments 1.0 beta5 announcement

Quote:
How about just eliminating the PIN codes? I haven't run into a gateway yet that requires two factor authentication so why does X-Payments? Don't tell me its because PCI-DSS requires two factor authentication. That's only for remote network level access (VPN) to the cardholder data environment not application level access.

You refer to PCI-DSS, however we should check PA-DSS.

https://www.pcisecuritystandards.org/pdfs/pci_pa_dss.pdf

It says that:

Quote:
PA-DSS Requirements
11. Facilitate secure remote access to payment application


11.2 If the payment application may be accessed
remotely, remote access to the payment
application must be authenticated using a two-factor authentication mechanism

Testing Procedures
11.2 If the payment application may be accessed remotely,
examine PA-DSS Implementation Guide prepared by the
software vendor, and verify it contains instructions for
customers and resellers/integrators regarding required use of
two-factor authentication (user ID and password and an
additional authentication item such as a smart card, token, or
PIN).

When you log in to your application, do you access it remotely? Yes.
That's why we need two-factor authentication, i.e. PIN codes.


Quote:
Then there's the fact that XPayments requires a username, password and PIN code just to log in - the pin codes expire and change every time one logs in, so that means you now need to store PIN codes somewhere - which seems to reduce security, not enhance it.

No.
__________________
Eugene Kaznacheev,
Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009)

ex-Head of X-Cart Tech Support Department
ex- X-Cart Hosting Manager - X-Cart hosting
ex-X-Cart Technical Support Engineer


Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.

The following user thanks Ene for this useful post:
ambal (07-15-2010)
#276, 07-14-2010, 05:17 PM
geckoday (X-Wizard; Join Date: Aug 2005; Posts: 1,073)
Re: X-Payments 1.0 beta5 announcement

Quote:
Originally Posted by Ene
You refer to PCI-DSS, however we should check PA-DSS.

https://www.pcisecuritystandards.org/pdfs/pci_pa_dss.pdf

It says that:

When you log in to your application, do you access it remotely? Yes.
That's why we need two-factor authentication, i.e. PIN codes.

No.
You are misinterpreting this. PA-DSS requirement 11.2, as it says, is derived from PCI-DSS requirement 8.3 which requires two factor authentication for remote access. The problem is that how your customers are accessing X-Payments does not fall under the definition of remote access. The PCI-DSS FAQ on the definition of remote access says:

"PCI DSS requirement 8.3 is intended to apply to users that have remote access to the network, where that remote access could lead to access to the cardholder data environment. In this context, remote access refers to network-level access originating from outside the company's own network"

So it's VPN-style network-level access that is being referred to, not web application logins. If remote access included people logging into a web application then every gateway out there would be in violation of PCI-DSS 8.3. But all the gateways are QSA certified. As PA-DSS 11.2 is derived from PCI-DSS 8.3 the same definition of remote access applies.

Granted PA-DSS 11.2 could be written better for clarity (as can a whole lot of PCI-DSS and PA-DSS) but the reference back to the PCI-DSS requirements are there so you can refer back to the PCI-DSS to understand the intent of the PA-DSS requirements.

You might also want to take a look at the fact that none of your competitors (at least that I have been able to find) that are PA-DSS certified have implemented two factor authentication.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com

The following 4 users thank geckoday for this useful post:
carpeperdiem (07-14-2010), Emerson (07-15-2010), gravel (07-15-2010), handsonwebhosting (07-14-2010)
#277, 07-14-2010, 08:33 PM
bigredseo (X-Man; Join Date: Oct 2002; Location: Omaha, NE, USA; Posts: 2,364)
Re: X-Payments 1.0 beta5 announcement

I had the wonderful pleasure of being on a webinar with Coalfire (an IT Audit & Compliance company) earlier today. QualiTeam really need to get in contact with them on things as it's all clearly spelled out when they go through things as to what's needed and what's not.

There are sections in the PCI-DSS which require the logging of all logins to a system, but again, it refers back to the section Ralph talked about - it requires logins through a remote system (physical access, root access or machine access through remote computer) - it does not require login tracking of customers through a web interface (which is what our customer thought it required).

While the two guides (PCI-DSS & PA-DSS) are black and white, there are cross references to each other and interpretation required.
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance

The following user thanks bigredseo for this useful post:
ambal (07-15-2010)
#278, 07-15-2010, 01:56 AM
ambal (X-Cart team; Join Date: Sep 2002; Posts: 4,119)
Re: X-Payments 1.0 beta5 announcement

> I have just downloaded and installed the official release of x-payments
> and have set the LUHN option above to "Y" and I am still getting the
> issue that this was supposed to have fixed. Do we still have to apply
> this patch if we are using the actual released non-beta version?

No, you do not need to apply the patch if you see that option. It means you downloaded a software package with the patch applied already.

Set "Y" there and you'll disable LUHN check.

UPDATE: I just noticed you say you still get the issue despite the option being enabled. I advise you to contact our techs for help either using your HelpDesk account at https://secure.qtmsoft.com or at helpdesk@qtmsoft.com
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager

Last edited by ambal : 07-15-2010 at 05:32 AM.
#279, 07-15-2010, 06:23 AM
Ene (X-Cart team; Join Date: Aug 2004; Posts: 907)
Re: X-Payments 1.0 beta5 announcement

Quote:
Originally Posted by geckoday
You are misinterpreting this. PA-DSS requirement 11.2, as it says, is derived from PCI-DSS requirement 8.3 which requires two factor authentication for remote access. The problem is that how your customers are accessing X-Payments does not fall under the definition of remote access. The PCI-DSS FAQ on the definition of remote access says:

"PCI DSS requirement 8.3 is intended to apply to users that have remote access to the network, where that remote access could lead to access to the cardholder data environment. In this context, remote access refers to network-level access originating from outside the company's own network"

So it's VPN-style network-level access that is being referred to, not web application logins. If remote access included people logging into a web application then every gateway out there would be in violation of PCI-DSS 8.3. But all the gateways are QSA certified. As PA-DSS 11.2 is derived from PCI-DSS 8.3 the same definition of remote access applies.

Granted PA-DSS 11.2 could be written better for clarity (as can a whole lot of PCI-DSS and PA-DSS) but the reference back to the PCI-DSS requirements are there so you can refer back to the PCI-DSS to understand the intent of the PA-DSS requirements.

You might also want to take a look at the fact that none of your competitors (at least that I have been able to find) that are PA-DSS certified have implemented two factor authentication.

Ralph, I appreciate your impressive knowledge of all this PCI-DSS related stuff and your input in the discussion. However I cannot agree with you on this point.

1. PA-DSS is applied to the payment application only. It isn't applied to a server or a network environment, so PA-DSS cannot have any requirements for how you log in to your network. It has requirements for how you connect to your application.

2. Payment gateways are not certified by PA-DSS, because they are not payment applications (in terms of PA-DSS). They're certified using PCI-DSS. As you said, PCI-DSS requires two factor authentication for the network environment, not for the gateway's backend itself. Thus gateways don't have it.

However PA-DSS requires this feature for all kinds of "remote access" and doesn't give any clear description what "remote access" is. If you check the doc, you will not find any word about network there.

When you log in to your X-Cart or X-Payments backend, do you access your orders database remotely? I think you do.

3. The last and the main one.
The initial version of X-Payments didn't have the two factor authentication (e.g. PINs) at all.

This feature was added at our QSA's demand. They have discussed this internally and decided that the "remote access" term includes the web logins.
__________________
Eugene Kaznacheev,
Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009)

ex-Head of X-Cart Tech Support Department
ex- X-Cart Hosting Manager - X-Cart hosting
ex-X-Cart Technical Support Engineer


Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.

The following user thanks Ene for this useful post:
ambal (07-15-2010)
#280, 07-15-2010, 07:27 AM
geckoday (X-Wizard; Join Date: Aug 2005; Posts: 1,073)
Re: X-Payments 1.0 beta5 announcement

Quote:
Originally Posted by Ene
Ralph, I appreciate your impressive knowledge of all this PCI-DSS related stuff and your input in the discussion. However I cannot agree with you on this point.

1. PA-DSS is applied to the payment application only. It isn't applied to a server or a network environment, so PA-DSS cannot have any requirements for how you log in to your network. It has requirements for how you connect to your application.

2. Payment gateways are not certified by PA-DSS, because they are not payment applications (in terms of PA-DSS). They're certified using PCI-DSS. As you said, PCI-DSS requires two factor authentication for the network environment, not for the gateway's backend itself. Thus gateways don't have it.

However PA-DSS requires this feature for all kinds of "remote access" and doesn't give any clear description what "remote access" is. If you check the doc, you will not find any word about network there.

When you log in to your X-Cart or X-Payments backend, do you access your orders database remotely? I think you do.

3. The last and the main one.
The initial version of X-Payments didn't have the two factor authentication (e.g. PINs) at all.

This feature was added at our QSA's demand. They have discussed this internally and decided that the "remote access" term includes the web logins.
I think you have hired an extremely over-zealous QSA. Fire him and hire a better QSA. Even if you believe him, 11.2 only requires that your implementation guide include instructions to your customer that they need to use two-factor authentication - it doesn't require that the application build in two-factor authentication. A customer can use SSL client certs to satisfy a second factor for login or other methods that don't require anything built into X-Payments. This is a clear case of The QSA Conundrum where a well meaning QSA inflates the requirements.

Your PA-QSA should know that PA-DSS is not intended to define new requirements above and beyond PCI-DSS - it's intended to make sure your application doesn't prevent a merchant from implementing your application in a PCI-DSS compliant manner.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com

The following 3 users thank geckoday for this useful post:
carpeperdiem (07-15-2010), Emerson (07-15-2010), gravel (07-15-2010)
X-Cart forums © 2001-2020