X-Cart and PCI DSS / PA-DSS compliance

 
   X-Cart forums > News and Announcements
 
  #121  
Old 01-28-2010, 01:21 PM
 
kulture
X-Man
Join Date: Feb 2005
Location: Norwich UK
Posts: 2,085

Re: X-Cart and PCI-DSS / PA-DSS compliance

Some QA people would say that you store the credit card number in the memory of your server as it is your server that serves up and processes the credit card form. Further they may say that x-cart is a payment application, and as such it is not a PA-DSS compliant software and thus on 1st July you must stop using it.

The crux of the problem is the opinion of the person who says you are PCI compliant. Clearly as it is your server that hosts the payment form, it is more vulnerable to hackers than a form hosted on say Sage's server. Sooner or later you will be asked to ensure that your server is PCI compliant (and shared servers CAN be PCI compliant).
__________________
Richard
Ex Litecommerce 2.2.35
www.kultureshock.co.uk
  #122  
Old 01-28-2010, 11:08 PM
xplorer
X-Cart team
Join Date: Jul 2004
Posts: 925

Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by amsruned
Is xcart 4.4 from 4.3 going to be just a simple upgrade or will it require a whole nother redesign?

It won't be a simple upgrade. However, since we will use the same css-based skin templates, I believe it won't require complete redesign either.

Quote:
Originally Posted by just wondering
We've been told that as we're not storing any Card Details at all we DON'T need a Server Scan & only have to fill in the PCI-DSS Form "C". Even though we're on Shared Hosting.

So I'm sat here thinking "Do we even need the X-Payments Addon"?


As far as I understand the standard, if credit card data ever touches your server (and it does with SagePay Direct: php scripts receive it from a customer's browser and send it to a SagePay's server), your server is in the PCI scope.

Although the SAQ-C form omits some requirements, I guess it still requires you to use a PA-DSS verified payment application (the one that transmits card data from a customer's browser to a gateway's server) on a PCI-DSS compliant server (there is a special section related to Shared Hosting in the standard). X-Payments will be a PA-DSS verified payment application that processes SagePay Direct payments in a PCI DSS compliant manner.
  #123  
Old 01-29-2010, 06:09 AM
 
geckoday
X-Wizard
Join Date: Aug 2005
Posts: 1,073

Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by just wondering
We use Streamline & SagePay Direct.

We've been told that as we're not storing any Card Details at all we DON'T need a Server Scan & only have to fill in the PCI-DSS Form "C". Even though we're on Shared Hosting.

So I'm sat here thinking "Do we even need the X-Payments Addon"?

That will make you PCI compliant without the X-Payments addon. Unfortunately, on top of PCI compliance VISA is mandating that all merchants use PA-DSS certified payment applications starting July 2010. X-Cart is not PA-DSS certified. X-Payments will be PA-DSS certified so you'll need to go to X-Payments at some point.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com
  #124  
Old 01-29-2010, 06:10 AM
 
just wondering
X-Adept
Join Date: Oct 2006
Location: UK
Posts: 471

Re: X-Cart and PCI-DSS / PA-DSS compliance

Cheers Ralph.
  #125  
Old 01-29-2010, 06:22 AM
 
geckoday
X-Wizard
Join Date: Aug 2005
Posts: 1,073

Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by just wondering
We use Streamline & SagePay Direct.

We've been told that as we're not storing any Card Details at all we DON'T need a Server Scan & only have to fill in the PCI-DSS Form "C". Even though we're on Shared Hosting.

So I'm sat here thinking "Do we even need the X-Payments Addon"?

Weird that they don't require a server scan. Card numbers pass through your server so it's in PCI scope. I would run the quarterly server scans anyway as PCI clearly requires them in this case.

What you are seeing is a result of the fact that the card brands leave it up to the acquirer to decide what proof of PCI compliance is required from small merchants. So it will vary what hoops any particular merchant will need to jump through. We will probably see the same thing with the PA-DSS mandate. A few months back someone posted that they couldn't get a new merchant account because X-Cart isn't PA-DSS certified. But overall, I think some acquirers will enforce it and some won't especially early on. Over time most will enforce it.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com
  #126  
Old 01-29-2010, 06:43 AM
 
just wondering
X-Adept
Join Date: Oct 2006
Location: UK
Posts: 471

Re: X-Cart and PCI-DSS / PA-DSS compliance

Hmmm. I'm assuming ... more hoping ... that Streamline will turn around to us and say "You have to get a Scan, bla bla bla moan moan moan..."
  #127  
Old 01-31-2010, 09:17 AM
 
Duramax 6.6L
X-Adept
Join Date: Dec 2006
Posts: 865

Re: X-Cart and PCI-DSS / PA-DSS compliance

I just wish we could get a working copy of X-Payments to see what will be required to integrate with our web sites. We are getting extremely close to the deadline, and no hint as to what we are going to use.
__________________
Xcart 5.1.6 Building New Store
Xcart4.6.4 Gold Plus
Xcart 4.6.4 Platinum
Smart Template,
Mail Chimp Upgrade
Checkout One (One Page Checkout)
Checkout One X-Payments Connector
Checkout One Deluxe Tools
Call For Price
On Sale Module
Buy Together Module
MAP Price MOD
  #128  
Old 01-31-2010, 09:30 AM
 
BritSteve
eXpert
Join Date: Apr 2006
Posts: 339

Re: X-Cart and PCI-DSS / PA-DSS compliance

Has anyone actually received a notice from their processor informing them that their cart needs to be certified and compliant?

I haven't received any notification so far.

Steve
__________________
Version 4.1.8 & 4.1.9
ezcheckout4.1.x
cdseolinks2
product_metatags41x
shipping_per_product41x

http://www.earthsmagic.com
  #129  
Old 01-31-2010, 09:54 AM
 
geckoday
X-Wizard
Join Date: Aug 2005
Posts: 1,073

Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by BritSteve
Has anyone actually received a notice from their processor informing them that their cart needs to be certified and compliant?

I haven't received any notification so far.

Steve

Someone has been denied a merchant account because X-Cart is not PA-DSS certified.

http://forum.x-cart.com/showpost.php?p=263045&postcount=5

This is because the VISA mandate phase kicked in last year that requires acquirers to only board new merchants who are PCI-DSS compliant or are using software that is PA-DSS compliant. Apparently, some acquirers are missing the "or" in that and are requiring PA-DSS compliance for new merchants. In July of this year the next phase of the mandate kicks in requiring acquirers to ensure their merchants are only using PA-DSS compliant applications. No "or PCI-DSS compliant" in the July mandate.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com
  #130  
Old 01-31-2010, 09:59 AM
JWait
X-Man
Join Date: Nov 2005
Location: California
Posts: 2,440

Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by BritSteve
Has anyone actually received a notice from their processor informing them that their cart needs to be certified and compliant?

I haven't received any notification so far.

Steve

While I haven't received any personally, I know someone that got a notice from his processor (I think Wells Fargo) that he will be billed an extra $20.00 a month for being "non-compliant" and charged at the "card not present" rate even if the card is swiped. He figures for all of the stress and hassle involved it is an acceptable cost of doing business.
__________________
Two Separate X-Cart Stores
Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux
Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series.
Integrated with Stone Edge Order Manager + POS

Version 4.1.12 Gold (fresh install) - X-AOM - Linux
Mods - XCSEO free
X-Cart forums © 2001-2020