Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls

Install Xpayments on development site?
 
Reply
   X-Cart forums > X-Payments > X-Payments issues & questions
 
Thread Tools
  #11  
Old 06-15-2012, 11:08 PM
  cflsystems's Avatar 
cflsystems cflsystems is offline
 

Veteran
  
Join Date: Apr 2007
Posts: 13,415
 

Default Re: Install Xpayments on development site?

The thing is I don't think this is up to the developer of the application to say if it needs to be installed on a separate server or not. Yes the developer have to provide you with installation instructions and make sure the application is certified, etc. but how the developer can control or require where the installation will be? It is up to the PCI-DSS requirements to state and control this.

http://forum.x-cart.com/showthread.php?t=63462&highlight=separate+server

Like you said - I am not a QSA - same applies to QT. They can state their opinion or interpretation, as well as their SAQ opinion or interpretation but as we all read a lot on this forum their SAQ was giving them advices and requirements with which many here disagreed of the way they interpreted it. I still think that your bank is the one to say how you are compliant. It is another question if the compliance officer knows what all this means or not. They may approve you and later if there is a breach blame everything on you for not following the requirements even if they approve the compliance

This is a very thin ice a lot of merchants walk on. And it is a very dark territory
__________________
Steve Stoyanov
CFLSystems.com
Web Development
Reply With Quote
  #12  
Old 06-17-2012, 11:16 PM
  ambal's Avatar 
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,099
 

Default Re: Install Xpayments on development site?

I +1 to Steve's advice about "contact your bank/merchant account provider".

With regards to where to install X-Payments - a separate server or separate VPS hosting account is recommended but if your bank/merchant account/QSA approves using the same hosting space with your main cart - well, you have someone to point at after all. Technically X-Payments can be installed anywhere and you don't have to hire our techs to do that, btw.

But with new X-Payments license ($1189) we include installation and configuration plus a free 1yr Instant SSL certificate so you get it live and running within days after purchase. I forgot at mention "1 month free support after installation".

http://www.qtmsoft.com/xpayments.html
__________________
Sincerely yours,
Alex Mulin
VP of business development for X-Cart
X-Payments project manager

Last edited by ambal : 06-19-2012 at 12:53 AM.
Reply With Quote
  #13  
Old 06-18-2012, 11:36 AM
  gb2world's Avatar 
gb2world gb2world is offline
 

X-Wizard
  
Join Date: May 2006
Location: Austin, TX
Posts: 1,970
 

Default Re: Install Xpayments on development site?

Thanks, Ambal. for confirmation that for people using shared hosting accounts, X-Payments should be installed under a separate hosting account or separate server .

Have you considered adding this recommendation to the on-line installation instructions and README that comes with the distribution?

I did not see the separate server or hosting account advise from QT until April this year in the forum. I did not notice it in the FAQ until recently - but it may have been there all along.

It is an important point - and it also could help increase the demand for you to make available hosting for X-Payments.

It seems that it would be a good idea for you and/or other recommended hosting providers to set up a VPS or dedicated server with only accounts with X-Payments available. They could all default to be subdomains of a domain you acquire, for example, myusername.secure-x-payments.com. You could even offer the ability for people to set up cname or a-record at their own registrar to use secure.mydomain.com so they could keep their own URL branding. An individual could acquire this at a cost much less than their own dedicate or VPS account.

I do agree with your frequent advise that small businesses seeking to keep their costs very low need to adapt to the PCI requirements perhaps by using hosted payment processing. But I do find many people trying to hang on to hosting their own payment page. Some do have your generously offered free X-Payments license from last year. And - if you come up with a hosted X-Payments solution that is much less expensive than getting their own VPS - it could become popular?

For new people, the X-Payments cost is daunting - so maybe we will be lucky and your experience of providing a hosted X-Payments for the existing users can demonstrate that you can offer an entire X-Payments hosting package at a low enough cost.

---
__________________
X-CART (4.1.9,12/4.2.2-3/4.3.1-2/4.4.1-5)-Gold
(CDSEO, Altered-Cart On Sale, BCSE Preorder Backorder, QuickOrder, X-Payments, BCSE DPM Module)
Reply With Quote
  #14  
Old 06-19-2012, 12:52 AM
  ambal's Avatar 
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,099
 

Default Re: Install Xpayments on development site?

> for confirmation that for people using shared hosting accounts,

I phrased myself badly. I didn't mean shared hosting. Separate VIRTUAL server/jail environment on a server is minimal requirement.

With regards to X-Payments Hosted - this is what we are going to launch in near future. Just need to finalize something here to be able to announce it.
__________________
Sincerely yours,
Alex Mulin
VP of business development for X-Cart
X-Payments project manager
Reply With Quote

The following user thanks ambal for this useful post:
gb2world (06-19-2012)
  #15  
Old 06-19-2012, 08:13 PM
  gb2world's Avatar 
gb2world gb2world is offline
 

X-Wizard
  
Join Date: May 2006
Location: Austin, TX
Posts: 1,970
 

Default Re: Install Xpayments on development site?

Thanks, Ambal -

The recommendations are a bit confusing. Below are the three statements from QT I have found to try and understand what is an installation requirement to adhere to based on your QSA review and PA-DSS approval, as well as what are recommendations by QT. Would it be possible for QT to make a clear statement in the installation instructions or at least in the FAQ?:

Now in the FAQ:
Quote:
Can X-Payments be installed on server where my shopping cart software is hosted or do I need a separate web-server?

Both options are allowed. X-Payments can be set up either together with your shopping cart software or on a separate server (X-Payments uses SSL connection to exchange data with your store).
Can X-Payments be installed on a shared hosting?

Yes, provided that a separate account is used for hosting X-Payments. No other software must be installed and run under this account.

In the forum, by Sergey Fomin in April
Quote:
The X-Payments application and its payment page can be hosted:

- on a separate server (PCI-DSS compatible hosting) =OR=
- on the same web-server as your X-Cart store (but it must be under a separate hosting account on a PCI-DSS compatible hosting).
And your latest:
Quote:
Separate VIRTUAL server/jail environment on a server is minimal requirement.

If I combine all those, I take it to mean:
- X-Payments may be installed on a dedicated server in the same directory structure as an X-cart instance
- QT does not recommend installing X-Payments on a shared hosting server
- On a VPS where an X-Cart instance is installed, X-Payments may be installed under a separate hosting account on the same VPS. A unique VPS only for X-Payments is not required in this instance.
- If a host is willing to create X-Payments specific hosting - a VPS or dedicated server could be dedicated to accounts each running an X-Payments instance, and no other software. A unique VPS only for X-Payments is not required in this instance.

If it were possible to put a clear direction in an official place like the Installation Instructions and README in the distribution, or a semi official place like the FAQ - it would help a lot to clear up confusion.

Of course, you could add the disclaimer about checking with one's own QSA. It would be helpful to know the recommendations of your own QSA, or the installation conditions under which you were granted approval.

---
__________________
X-CART (4.1.9,12/4.2.2-3/4.3.1-2/4.4.1-5)-Gold
(CDSEO, Altered-Cart On Sale, BCSE Preorder Backorder, QuickOrder, X-Payments, BCSE DPM Module)
Reply With Quote
  #16  
Old 06-25-2012, 11:30 AM
  gb2world's Avatar 
gb2world gb2world is offline
 

X-Wizard
  
Join Date: May 2006
Location: Austin, TX
Posts: 1,970
 

Default Re: Install Xpayments on development site?

Bump - to questions in post 15.

Thanks.

---
__________________
X-CART (4.1.9,12/4.2.2-3/4.3.1-2/4.4.1-5)-Gold
(CDSEO, Altered-Cart On Sale, BCSE Preorder Backorder, QuickOrder, X-Payments, BCSE DPM Module)
Reply With Quote
  #17  
Old 06-27-2012, 02:56 AM
  ambal's Avatar 
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,099
 

Default Re: Install Xpayments on development site?

gb2world, sorry for not answering earlier. I was busy with something else (e.g. organized separate forum for X-Payments). I am trying to get final advise on this from our PA-QSA. Once I have it, I'll post here.
__________________
Sincerely yours,
Alex Mulin
VP of business development for X-Cart
X-Payments project manager
Reply With Quote

The following user thanks ambal for this useful post:
gb2world (06-27-2012)
  #18  
Old 06-28-2012, 11:34 PM
  ambal's Avatar 
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,099
 

Default Re: Install Xpayments on development site?

So finally got consulted on this:
1) A separate shared hosting account can be used for X-Payments if the hosting is 100% PCI-DSS certified. But it is not the best decision as meeting PCI compliance on a shared hosting is much harder and at the same time much easier to break.
2) VPS/dedicated server is the recommended option for hosting X-Payments as it is **much** easier to meet and maintain compliance with PCI-DSS requirements than on a shared hosting.

Perhaps someone from hosting companies can step in here and comment.
__________________
Sincerely yours,
Alex Mulin
VP of business development for X-Cart
X-Payments project manager
Reply With Quote

The following user thanks ambal for this useful post:
gb2world (06-29-2012)
Reply
   X-Cart forums > X-Payments > X-Payments issues & questions


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 12:45 AM.

   

 
X-Cart forums © 2001-2018