Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

 
#31 - 03-26-2012, 12:32 PM
keystone (X-Adept | Join Date: Jul 2006 | Location: USA | Posts: 740)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

We don't do any developing for other clients. We just use it for our own company's candle site. I don't want to have to switch to Authorize.net SIM; I set that up in my dev site to mess with and it looks awful. I like the idea of the DPM from BCSE, but if I need to upgrade further to 4.4.6 for the USPS real-time shipping fix then I won't have access to the AIM version we currently use. I'm wondering if I can get just the USPS updated files from 4.4.6 and apply them to 4.4.5? I already have Paypal as a secondary payment method since so many people like it, but I don't want it to be the only option.
__________________
www.uscandleco.com - X-Cart Version 4.7.11 Gold Plus php7.3
mods:
reCaptcha
running on UNIX

www.keystonecandle.com X-Cart Gold Plus - Version 4.7.11 php7.2
mods:
reCaptcha
cdseo pro
running on UNIX
#32 - 03-26-2012, 12:37 PM
balinor (Veteran | Join Date: Oct 2003 | Location: Connecticut, USA | Posts: 30,253)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

I'm sure it will be possible to just upgrade the USPS portion.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
#33 - 03-26-2012, 05:36 PM
thebluedoorboutique (Senior Member | Join Date: May 2011 | Posts: 132)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

I still don't fully understand why everyone is saying that X-Payments would be the only approach to fixing this, other than BCSE building an Authorize.NET module.

Does X-Cart's NEW Braintree Module (http://www.x-cart.com/braintree.html) not provide the same type of PCI DSS Level 1 compliance that is needed? http://www.braintreepayments.com/services/pci-compliance

We use this and love it. You can't beat the technology of Braintree, the $300-ish module cost, and being able to store credit card information in their Vault feature. It's great.

A side note: I personally think that X-Cart's service is unmatched and their dedication to our store's success (including integrating Braintree) has been amazing, from working late to chatting via Skype.
__________________
X-Cart Classic 4.4.X

The following user thanks thebluedoorboutique for this useful post:
ambal (03-27-2012)
#34 - 03-26-2012, 06:57 PM
gb2world (X-Wizard | Join Date: May 2006 | Location: Austin, TX | Posts: 1,970)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Quote:
Due to PCI-DSS requirements being enforced over last months

In my very limited sample - still about half of them are not being questioned or informed by their banks of the PCI requirements. To me that is even more scary. (The other half did warn of fines and actively provided information about correctly filling out the SAQ.) But the ones that are not pushing it, I suspect, will be the first to shift all the blame on the merchant if there is an incident of fraud. I do not think it is worth the risk of ignoring the requirement even if they are not aggressively enforcing - but the decision is with the merchant.

Regardless of enforcement by the banks, QT must consider the compliance requirements for those who are serious about adhering to the standards.

If having the non-compliant methods in the software makes X-Cart+X-Payments non compliant, then it has to be removed for the sake of all those who are shelling out large dollars for that solution. You can't just look at how it adversely impacts people who are ignoring compliance requirements, you have to see how it penalizes those who are required by their merchant accounts to be compliant. I think QT has no choice but to make decisions for that group of customers over those who are taking the chance of ignoring the requirements. If you've decided to risk ignoring the requirements, you may as well stick to 4.4.5 and earlier versions. I'd even suggest that QT should name this 4.5.0 as this is a significant change.

This news makes me a bit worried that QT's QSA has advised them that all those methods need to be stripped out for an X-CART+X-Payments to be a valid, certified implementation. That might force an upgrade of current implementations of X-Payment if the rules are to be interpreted strictly - which could be costly. But all this continues to be confusing as X-Payments is what is listed as PCI-PA validated, not its implementation with X-CART. I thought that was outside the scope of QT since X-Payments is separate, but this news seems to bring it back in.

Hence, I continue to try and avoid the X-Payments route if possible. DPM is a nice way to do that for current users of AIM. I suspect for the DPM (or any other transparent redirect method), the solution will all have to be in one addon module. (Just as both BCSE and QT offer modules for BrainTree.) Then, we have something to show to the compliance officers at the banks to get approval. So - QT and/or BCSE could implement the entire DPM module, or maybe even find some way to cooperate with each other. Because this information is new, currently, it is in a limbo state because neither has fully committed to do it, although BCSE is investigating. I imagine they would need to see the 4.4.6 implementation first to gauge the obstacles, so I would not expect an answer until it is released. Hopefully they will resolve it so there is still a lower cost alternative (hopefully much less than the QT Braintree module - which has more features than Authorize.net DPM.)

---
__________________
X-CART (4.1.9,12/4.2.2-3/4.3.1-2/4.4.1-5)-Gold
(CDSEO, Altered-Cart On Sale, BCSE Preorder Backorder, QuickOrder, X-Payments, BCSE DPM Module)
#35 - 03-26-2012, 07:31 PM
cflsystems (Veteran | Join Date: Apr 2007 | Posts: 13,849)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

I guess it depends on how you look at it. If XC including onsite payments cannot pass validation but passes it without including onsite payments, then QT should take them out for the sake of everyone.

It is another question if these payment methods are not enabled and used but are included in the package - does this make XC not pass validation?

I think it is better if XC by default does not include or support "illegal" payment methods. If the XC owner wants to do this and custom code them, let them do it; the liability lies with the owner of the store then.

By the way, I have never been asked by my bank or payment gateway to be compliant. I tried to send them info and the answer was: if we need it we will ask you for it. Go figure....

The big guys are looking for any excuse to collect more money from merchants; let's not give them the chance. If XC has to exist with hosted payment gateways only, let it be. Better safe than sorry.
__________________
Steve Stoyanov
CFLSystems.com
Web Development

The following user thanks cflsystems for this useful post:
ambal (03-27-2012)
#36 - 03-27-2012, 03:15 AM
seyfin (X-Cart team | Join Date: May 2004 | Posts: 1,223)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

I am writing some FAQs to cover the major questions asked in this forum thread.

UPDATE: moved to the first message in this thread.
__________________
Sincerely yours,
Sergey Fomin
X-Cart team
Chief support group engineer

===

Check this out. Totally revamped X-Cart hosting
http://www.x-cart.com/hosting.html

Follow us:
https://twitter.com/x_cart / https://www.facebook.com/xcart / https://www.instagram.com/xcart

Last edited by seyfin : 03-27-2012 at 01:28 PM.

The following user thanks seyfin for this useful post:
totaltec (03-27-2012)
#37 - 03-27-2012, 03:30 AM
ambal (X-Cart team | Join Date: Sep 2002 | Posts: 4,112)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Hi folks,

re: DPM - it is a very controversial solution. Note that Auth.net doesn't position it as a way to tick the "PA-DSS compliant" checkbox, just as a way to "reduce your PCI compliance level".

Different QSAs consider solutions like DPM differently. To be safe, I recommend everyone consult with their QSA or merchant account provider directly. At least you'll have someone to point at.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
#38 - 03-27-2012, 05:41 AM
seyfin (X-Cart team | Join Date: May 2004 | Posts: 1,223)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Quote:
Originally Posted by ambal
Hi folks,

re: DPM - it is a very controversial solution. Note that Auth.net doesn't position it as a way to tick the "PA-DSS compliant" checkbox, just as a way to "reduce your PCI compliance level".

Different QSAs consider solutions like DPM differently. To be safe, I recommend everyone consult with their QSA or merchant account provider directly. At least you'll have someone to point at.

In addition to Alexander's message:

When using the Auth.net DPM solution, the credit card form is created by the shopping cart software (using X-Cart's template files), and this form is hosted on the merchant's server.

When a buyer fills in and submits this form, the entered cardholder data is then posted directly to Authorize.Net's endpoint.

However, if the merchant's server is compromised, then X-Cart's credit card form can also be compromised. So, the merchant needs to ensure that their server environment (including the shopping cart software) is PCI-DSS compliant, don't they?

I would recommend consulting with your QSA or merchant account provider directly regarding the matter - whether you need to go with SAQ A or SAQ C when using the Auth.net DPM solution.

You can read more about the Auth.net DPM solution at:
* http://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/Direct-Post-Method-DPM/ba-p/7014
__________________
Sincerely yours,
Sergey Fomin
X-Cart team
Chief support group engineer


Last edited by seyfin : 03-27-2012 at 12:26 PM.
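The point in the post above is that with DPM the card form itself lives on the merchant's server, so anything that can change that server's templates can change where the buyer's card data goes. The following is an added example, not code from X-Cart, Authorize.Net or BCSE, of the kind of checkout-page integrity check a merchant (or the person filling out the SAQ) can run against the served page: it parses the HTML, verifies that every form carrying card fields posts over HTTPS to the expected gateway host, verifies that scripts load only from the merchant's own host, and compares the page against a recorded baseline hash. All hostnames, input names and HTML snippets are constructed placeholders.

```python
"""Integrity check for a DPM-style card form hosted on the merchant's server.

Added example for this thread; it is not X-Cart, Authorize.Net or BCSE
code. Hostnames, field names and the HTML snippets are constructed
placeholders, not real gateway values.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Placeholder for the gateway endpoint host that card data may be posted to.
EXPECTED_GATEWAY_HOSTS = {"gateway.example"}
# Placeholder for the merchant's own host, the only origin scripts may load from.
ALLOWED_SCRIPT_HOSTS = {"shop.example"}
# Constructed input names that mark a form as a cardholder-data form.
CARD_FIELD_NAMES = {"card_number", "card_expiry", "card_cvv"}


class _CheckoutParser(HTMLParser):
    """Collects each form's action and input names, plus external script sources."""

    def __init__(self):
        super().__init__()
        self.forms = []      # [{"action": str, "fields": set()}, ...]
        self.scripts = []    # src attribute of every <script src=...>
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "fields": set()}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].add(a.get("name") or "")
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def template_hash(text):
    """SHA-256 of the known-good template/page, recorded when it was last reviewed."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_checkout_page(html, baseline_sha256=None):
    """Return a list of findings; an empty list means the page passed every check."""
    findings = []
    parser = _CheckoutParser()
    parser.feed(html)

    for form in parser.forms:
        if not form["fields"] & CARD_FIELD_NAMES:
            continue  # not a cardholder-data form, outside the check's scope
        target = urlparse(form["action"])
        if target.scheme != "https":
            findings.append("card form does not post over https: %r" % form["action"])
        if target.hostname not in EXPECTED_GATEWAY_HOSTS:
            findings.append("card form posts to unexpected host: %r" % target.hostname)

    for src in parser.scripts:
        host = urlparse(src).hostname
        if host not in ALLOWED_SCRIPT_HOSTS:
            findings.append("script loaded from unexpected host: %r" % host)

    if baseline_sha256 is not None and template_hash(html) != baseline_sha256:
        findings.append("page differs from the recorded baseline")

    return findings


# Constructed sample pages (not captured from any real store).
CLEAN_PAGE = """<html><body>
<script src="https://shop.example/js/checkout.js"></script>
<form method="post" action="https://gateway.example/post">
  <input name="card_number"><input name="card_expiry"><input name="card_cvv">
</form></body></html>"""

# The same page after the kind of server-side change the post warns about:
# the form now posts somewhere else and an extra script has been added.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "https://gateway.example/post", "https://unexpected.example/post"
).replace(
    "</form>", '</form><script src="https://unexpected.example/s.js"></script>'
)

if __name__ == "__main__":
    baseline = template_hash(CLEAN_PAGE)
    print("clean:", audit_checkout_page(CLEAN_PAGE, baseline))
    for finding in audit_checkout_page(TAMPERED_PAGE, baseline):
        print("tampered:", finding)
```

In practice the baseline should be taken from the template file on disk (the X-Cart template the post mentions) rather than from a rendered page, because rendered checkout pages carry per-order values that change the hash; the form-target and script-origin checks work on the live page as served. A check like this only detects tampering after the fact, which is exactly why the post suggests asking a QSA whether a DPM deployment falls under SAQ A or SAQ C: the merchant's server remains part of the path the card data takes.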
#39 - 03-27-2012, 12:04 PM
ynotcreative (Advanced Member | Join Date: Oct 2008 | Posts: 65)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

I still have not heard an answer to why X-Payments jumped in price to $1200.
__________________
X-Cart Pro 4.1.10, 4.3.1, 4.2.x, 4.3, 4.4.3, 4.5.5, Platinum 4.6
Add-on: X-Affiliate
Fashion Mosaic
Add-on: X-SpecialOffers
Add-on: X-GiftRegistry
Add-on: X-AOM (Advanced Order Management)
Add-on: X-FancyCategories
Add-on: Custom Multi-currency
#40 - 03-27-2012, 02:43 PM
CenturyPerf (eXpert | Join Date: Jun 2003 | Location: Reno, Nevada | Posts: 396)

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Just for reference, my business has passed PCI-DSS compliance using manual processing of orders.

My processor was going to start charging additional fees if we were not compliant. After filling out pages upon pages of questions and providing details on how we process orders, how our customers place their orders, how our internal network operates, and making a couple of subtle changes, we received a passing grade.

Although we are currently still using X-Cart vers. 4.0.19, manually processing each order from stored data in the X-Cart database, we still passed. It was my intention to continue manual processing with our new 4.4.x site that is nearing completion.

This new requirement, which sounds like the inability to store encrypted data within the xcart database, disturbs me. Although we could use our payment gateway processor (USA ePay) to Auth only each order, the mess being described in this thread sounds like that too may be impossible without some additional ridiculous expense.

Is manual processing still available? Is the default use of included APIs for gateways such as USA ePay still going to work?

I would like to hear some clarity on what these changes are going to be within X-Cart, and how they are going to affect how I currently utilize my online business.
__________________
Best Regards,

Sam Solace - Pres/CEO
Century Performance Center, Inc.
http://www.centuryperformance.com

(3) sites using X-Cart 5.3.5.5
X-Payments Enterprise 3.1.4
X-Cart forums © 2001-2020