Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

 
   X-Cart forums > News and Announcements
 
#131 | 04-05-2012, 05:43 AM | totaltec (X-Guru, Join Date: Jan 2007, Location: Louisville, KY USA, Posts: 5,823)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Quote:
Originally Posted by joelrhome
By the way, the other question... Hard Hat Hosting ROCKS!!!
+1

I agree that the DPM method is a grey area. It doesn't seem like a compliant solution to me, since X-cart is generating the form. I'd love to hear a QSA's opinion on this. On the other hand, if you can get the payment processor's blessing then you are golden.

If this solution does remove X-cart from scope (DPM), why isn't Qualiteam scrambling to implement similar solutions? Integrating a DPM or CIM payment method directly in X-cart would certainly make a lot of people happy. If it is truly compliant.

I also like the idea of the iframe solution.
#132 | 04-05-2012, 06:13 AM | BCSE (X-Guru, Join Date: Apr 2003, Location: Ohio - bcsengineering.com, Posts: 3,063)

I was on the phone with PayPal yesterday and they have a solution for simpler PCI compliance similar to Authorize.net DPM as well. They are just now starting to market it and rumor has it, it will be in 4.4.7 of X-cart (hopefully someone from X-cart can confirm this).

We are going to keep our eyes on the need for it to be available for pre 4.4.7 as we have a lot of clients using Paypal Pro and needing a PCI compliant solution for that payment processor. It will be similar to DPM but even better because Paypal hosts the CC payment area that you can embed into your website to look seamless.

Please email us with your X-cart version number (all 3 digits, x.y.z) and what checkout method you use (AlteredCart OPC, built in OPC, Fastlane) if you are interested in this option being back-ported to your version of X-cart.

I'm working with them to continue to keep up-to-date on this so we can offer several options to simplify PCI compliance for the X-cart community.

Carrie
#133 | 04-05-2012, 09:28 AM | componentman (Advanced Member, Join Date: Sep 2010, Posts: 36)

Quote:
Originally Posted by BCSE
I was on the phone with PayPal yesterday and they have a solution for simpler PCI compliance similar to Authorize.net DPM as well. They are just now starting to market it and rumor has it, it will be in 4.4.7 of X-cart (hopefully someone from X-cart can confirm this).

We are going to keep our eyes on the need for it to be available for pre 4.4.7 as we have a lot of clients using Paypal Pro and needing a PCI compliant solution for that payment processor. It will be similar to DPM but even better because Paypal hosts the CC payment area that you can embed into your website to look seamless.

Please email us with your X-cart version number (all 3 digits, x.y.z) and what checkout method you use (AlteredCart OPC, built in OPC, Fastlane) if you are interested in this option being back-ported to your version of X-cart.

I'm working with them to continue to keep up-to-date on this so we can offer several options to simplify PCI compliance for the X-cart community.

Carrie

We use Paypal Payflow Pro, so I really hope this is true. We also need a solution for Magento which our other store is run on, do you think the Paypal solution you speak of will apply to other carts too?
__________________
Aaron

Running version: 4.5.5
#134 | 04-05-2012, 09:39 AM | BCSE (X-Guru, Join Date: Apr 2003, Location: Ohio - bcsengineering.com, Posts: 3,063)

Quote:
Originally Posted by componentman
We use Paypal Payflow Pro, so I really hope this is true. We also need a solution for Magento which our other store is run on, do you think the Paypal solution you speak of will apply to other carts too?

Aaron,

Yes it will be something that can work with both carts. You can contact us if you want help with both carts. We have a lot of knowledge in both.

Thanks,

Carrie
#135 | 04-05-2012, 12:33 PM | seyfin (X-Cart team, Join Date: May 2004, Posts: 1,223)

Quote:
Originally Posted by philrisk
I currently use Realex's addon module for Realex remote payments that customers fill in a form on our website and the data is sent to Realex and replied back.

I'm guessing I need to now start using x-payments because I am transmitting data?

Would I need to install x-payments and then the Realex addon into that?

We Bank with Allied Irish Bank and use Realex and have not even been contacted about PCI or PA-DSS compliance!!

Realex offers two ways of integration:

1) Realex Remote Method integration - this is an "onsite" or "merchant hosted" method

2) Realex Redirect Method integration - this is an "offsite" or "gateway hosted" method

When using the 1st method, the payment form is generated by the X-Cart software. When a buyer submits the payment form, the cardholder data is stored in the customer's session data and processed by the X-Cart software in order to post the payment transaction details, including the cardholder data, to the payment gateway.

Just have a look at the code of the Realex Redirect Method's script (cc_realex_auth.php) to understand the point:

Quote:
$post[] = "<card>";
$post[] = "<number>".($hash[]=$userinfo["card_number"])."</number>";
$post[] = "<expdate>".$userinfo["card_expire"]."</expdate>";
$post[] = "<chname>".utf8_encode($userinfo["card_name"])."</chname>";
$post[] = "<type>".$userinfo["card_type"]."</type>";
$post[] = "</card>";
...
list($a,$return)=func_https_request("POST","https://epage.payandshop.com/epage-3dsecure.cgi", $post, "", "", "text/xml");

Note, there are three variables - $userinfo["card_number"], $userinfo["card_expire"] and $userinfo["card_name"] - which store sensitive cardholder data.

So, using such a method of integration (aka "onsite" or "merchant hosted" method) brings the X-Cart software into scope for PA-DSS, doesn't it? If so, you need to fill in SAQ C and use a PA-DSS validated application to process payments in order to meet PCI-DSS requirements.

By the way, doesn't BCSE's Auth.Net DPM solution use the same payment form generated by the X-Cart software? If so, it brings the X-Cart software into scope for PA-DSS, doesn't it?

X-Cart is not a PA-DSS validated application, unfortunately.
X-Payments is a PA-DSS validated application.

X-Payments does not support the Realex payment gateway, unfortunately. X-Payments cannot be used in a bundle with the Realex addon either.

So, in order to exclude your X-Cart store from the scope of PA-DSS, you should use an "offsite" or "gateway hosted" solution like the Realex Redirect Method.

Alternatively, you can choose another payment gateway in place of Realex and use one of the possible solutions:

1. A PA-DSS validated payment application like X-Payments installed on PCI-DSS compatible hosting.

2. CRE Secure's Hosted Payment Page solution (PCI-DSS certified payment system).

3. Braintree payment integration (PCI-compliant Transparent Redirect solution).

4. Any other "offsite" or "gateway hosted" solution like Authorize.Net SIM, 2Checkout, PayPal, Checkout by Amazon, SagePay Go (Form integration) or similar.

Using any of the above solutions takes your X-Cart application and website out of scope for PA-DSS and PCI-DSS compliance, as all cardholder data processing is outsourced to an "external" side.

=======

As for X-Payments, it is used as a "bridge" between your X-Cart store and your payment gateway. X-Payments creates and handles the payment page, and securely posts the payment transaction details, including the cardholder data, to the payment gateway.

The design of the X-Payments payment page can be made to look seamless with your X-Cart store pages.

The X-Payments application and its payment page can be hosted:
- on a separate server (PCI-DSS compatible hosting) =OR=
- on the same web server as your X-Cart store (but it must be under a separate hosting account on PCI-DSS compatible hosting).

So, you can set up a hosting account and configure a subdomain like "secure.yoursite.com" which would host X-Payments, whereas your X-Cart store would be hosted under another hosting account at "yoursite.com". Buyers will be redirected from "yoursite.com" to "secure.yoursite.com" to complete their payment, and then redirected back to "yoursite.com" on the order receipt page.

When using X-Payments, your X-Cart application and website are out of scope for PA-DSS and PCI-DSS compliance, as all cardholder data processing is outsourced to an "external" side - the X-Payments payment page.

However, you will still need to fill in SAQ C, which addresses requirements applicable to merchants who process cardholder data via payment applications connected to the Internet, but who do not store cardholder data on any computer system. Anyway, the bundle of the X-Payments PA-DSS validated payment application + PCI-DSS compatible hosting helps you meet PCI-DSS requirements easily.

Whereas using solutions #2-4 helps to simplify PCI-DSS compliance for you as much as possible, as your X-Cart application and website are out of scope for PA-DSS and PCI-DSS compliance and all cardholder data processing is outsourced to an "external" side. In this case, you just need to fill in SAQ A, which addresses requirements applicable to merchants who retain only paper reports or receipts with cardholder data, do not store cardholder data in electronic format and do not process or transmit any cardholder data on their systems or premises.

Finally, as Alex already mentioned in one of the previous posts, we are planning to launch the X-Payments Hosted plan on our PCI-DSS compatible hosting very soon. When you use the X-Payments Hosted solution, we take care of most PCI compliance concerns for you, and you just need to fill in SAQ A.

Ignoring PCI-DSS requirements may lead to you being fined by Visa and MasterCard.
__________________
Sincerely yours,
Sergey Fomin
X-Cart team
Chief support group engineer

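The "onsite" versus "offsite" distinction in Sergey's post comes down to one observable fact: does a primary account number ever arrive at the cart's own web server? The PHP below is an added example, not code from X-Cart, X-Payments or Realex, of a canary you can run against a staging checkout to verify that; the field names card_number/card_expire/card_name are taken from the cc_realex_auth.php snippet above, and both sample requests are constructed.

```php
<?php
// Added example, not X-Cart or X-Payments code: a request-level canary that
// tells you whether cardholder data is actually reaching the merchant server.
// A hit means the "onsite / merchant hosted" case above applies to this
// integration, so the cart is in scope and SAQ A is not available.
// Luhn check on a digit string of card-number length (13-19 digits).
function isLuhnValid(string $digits): bool
{
    $len = strlen($digits);
    if ($len < 13 || $len > 19) {
        return false;
    }
    $sum = 0;
    for ($i = 0; $i < $len; $i++) {
        $d = (int) $digits[$len - 1 - $i];
        if ($i % 2 === 1) {        // double every second digit from the right
            $d = $d * 2 > 9 ? $d * 2 - 9 : $d * 2;
        }
        $sum += $d;
    }
    return $sum % 10 === 0;
}
// Keep only the last four digits so a finding can be logged without logging a PAN.
function maskPan(string $digits): string
{
    return str_repeat('*', strlen($digits) - 4) . substr($digits, -4);
}

// Scan request parameters for values that look like a PAN. Returns
// field => masked value; an empty array means no cardholder data was received.
function findCardholderData(array $params): array
{
    $findings = [];
    foreach ($params as $field => $value) {
        if (!is_string($value)) {
            continue;
        }
        $digits = preg_replace('/[\s-]/', '', $value);   // "4111 1111 ..." -> digits only
        if (ctype_digit($digits) && isLuhnValid($digits)) {
            $findings[$field] = maskPan($digits);
        }
    }
    return $findings;
}

// Constructed sample requests, not captured traffic.
// Remote (merchant hosted) form post: the card itself arrives at the cart.
$remotePost = ['card_number' => '4111 1111 1111 1111', 'card_expire' => '12/14',
               'card_name' => 'J Doe', 'orderid' => '1003'];
// Redirect (gateway hosted) return: only the gateway's result comes back.
$redirectReturn = ['orderid' => '1003', 'result' => '00', 'authcode' => '123456'];
foreach (['remote' => $remotePost, 'redirect' => $redirectReturn] as $label => $req) {
    $hits = findCardholderData($req);
    echo $label, ': ', $hits ? 'PAN in ' . implode(', ', array_keys($hits)) : 'no cardholder data', "\n";
}
```

Of the two constructed requests, only the remote-method post is flagged (on card_number); the redirect return produces no finding, which is the condition the SAQ A solutions in the post rely on. In a real deployment the scan would sit in front of the cart (a request filter or WAF rule) and only the masked value would be logged.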
#136 | 04-05-2012, 12:34 PM | joelrhome (Advanced Member, Join Date: Dec 2003, Posts: 89)

Quote:
This sounds very good - please add me to your mailing list - also - i've been to your site - will you be making this available for more than one payment gateway? Thanks!

Tim, thanks for your question. We are making this mod for one specific gateway and one specific processor. The reason is that they are the ones that created the gateway and are the ones who are validated PCI compliant. I am sure we could easily make another mod to work with other middleware, but that would fall under the custom development category.

At the end of the day though, if the gateway is secure, the payment processor meets or beats existing rates to switch to them, I am out of scope for PCI, and my customers don't get frustrated, then all is well and I would be content no matter who the gateway is. I think that this is true for most business people.

I am also going to consider what PayPal is doing since it is similar. From what I understand though, they will not do rate matching and PayPal Pro costs more than APT's X-Charge. Again though, we always try to accommodate whatever is requested of us. Is there a specific gateway you like or was that just a general question?
__________________
Joel Rhome
x-cart 4.4.X
#137 | 04-05-2012, 07:30 PM | DPP (Advanced Member, Join Date: May 2009, Posts: 33)

screen shot of new templates?
__________________
Version 4.4.5 X-Cart Gold
#138 | 04-06-2012, 07:41 AM | bitofeverything (Member, Join Date: Sep 2008, Posts: 23)

Paypal just changed their plans and now have Standard, Advanced, and Pro. The advanced is only $5 - I have not heard back as to if the advanced plan works like the (old) pro plan. https://www.paypal.com/webapps/mpp/merchant?nav=2
__________________
Version 4.2.2 [linux] Adult Toy Superstore
Version 4.3.0 [linux] Coochy Outlet

#139 | 04-06-2012, 08:06 AM | cflsystems (Veteran, Join Date: Apr 2007, Posts: 14,190)

I was just reading that. The Advanced plan says this about customers at checkout on site:

Quote:
With our new solution, you can keep your customers on your site for the entire
checkout process without taking on all of the burden of protecting their
financial data. In addition to a merchant account and gateway in one, PayPal
provides you with a secure checkout template to integrate within your website so
your customers won't know that we're processing their payment behind the scenes.
Plus, it's pre-integrated to work with the most popular shopping carts,
including Cashie, Magento, OS Commerce.

AND

Quote:

3. They enter their credit card details on your site. PayPal hosts the
payment pages behind the scenes, so we handle data security on your behalf.

Does that mean that the PP Advanced plan will take XC out of scope and customers stay ON the site for payment?
__________________
Steve Stoyanov
CFLSystems.com
Web Development
#140 | 04-06-2012, 08:11 AM | totaltec (X-Guru, Join Date: Jan 2007, Location: Louisville, KY USA, Posts: 5,823)

Quote:
Originally Posted by cflsystems
Does that mean that the PP Advanced plan will take XC out of scope and customers stay ON the site for payment?
Yes. I just got off the phone with their technical support guys. They stay on-site and connect to PayPal via an iframe. This makes PayPal one of the cheapest and easiest solutions out there for small merchants IMO. We need a payment module for this ASAP.

Since PayPal is the processor, everything points to them for the final say where the merchant is concerned. They have determined that an iframe is all that is required to remove the merchant's site from scope, and they are so confident about it that they are telling even their customer service reps to confirm that to public inquiries. Guys, this might be the solution, not just for PayPal but for other processors as well.
X-Cart forums © 2001-2020