Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls
 

X-Cart and PCI DSS / PA-DSS compliance

 
Reply
   X-Cart forums > News and Announcements
 
Thread Tools
  #1  
Old 03-06-2009, 05:57 AM
  xplorer's Avatar 
xplorer xplorer is offline
 

X-Cart team
  
Join Date: Jul 2004
Posts: 925
 

Default X-Cart and PCI DSS / PA-DSS compliance

Hi folks,

I know that PCI DSS compliance is very important for many X-Cart users, so, I would like to announce our plans towards making X-Cart stores PCI-DSS compliant:

1. We release X-Cart 4.3
2. We develop a payment module for X-Cart 4.3 and X-Cart 5.0 and verify it by a PA-QSA; probably, the source code of the module will be encrypted with Zend/ionCube
3. X-Cart users disable its credit card processing functions (so, X-Cart becomes not a subject for PCI DSS) and install the PA-DSS verified payment module that handles all the credit card stuff; we will distribute the module among existing X-Cart users for free
4. The payment module will be implemented in such a way that allows its use with X-Cart 4.1.x and 4.2.x (with moderate customization of X-Cart source code).
5. Third-parties developing integration modules for payment gateways, not supported by the verified payment module out of the box, will have to complete a PA-DSS audit themselves (that costs dozens of thousands USD annually) if the chosen gateway integration method is a subject for PCI DSS rules.

Best regards,

Last edited by ambal : 08-13-2013 at 03:00 AM.
Reply With Quote

The following 10 users thank xplorer for this useful post:
balinor (03-06-2009), dmpinder (04-25-2010), gravel (03-06-2009), hramani (03-06-2009), just wondering (10-28-2009), JWait (03-07-2009), robertswww (03-06-2009), sambamu (03-07-2009), tobychapman (03-08-2009), Xel (03-19-2009)
  #2  
Old 03-06-2009, 06:12 AM
 
exsecror exsecror is offline
 

X-Wizard
  
Join Date: Apr 2007
Posts: 1,284
 

Default Re: X-Cart and PCI-DSS / PA-DSS compliance

How much of that section will be encrypted? We're in the process of writing an eBillMe (BillMeLater cousin) module into our cart to start accepting that form of payment. We also already have extensive modifications done to payment_cc and payment_ccend to have hooks into our system.
Reply With Quote
  #3  
Old 03-06-2009, 06:31 AM
 
geckoday geckoday is offline
 

X-Wizard
  
Join Date: Aug 2005
Posts: 1,073
 

Default Re: X-Cart and PCI-DSS / PA-DSS compliance

Very good news. Thanks for responding so quickly to this issue.

I vote for no Zend/Ioncube encryption. I bought X-Cart because I get 100% of the source and don't have to run encoded programs. Several years ago ionCube had incompatibilities with Zend and took many sites down that used encoding (other software, not X-Cart). I don't need those kind of headaches. I also need to be able to use the X-Cart code as a base if I choose to use a gateway not supported by X-Cart - that's part of the faster development leverage you get when you buy a product that gives you source code.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com
Reply With Quote

The following 3 users thank geckoday for this useful post:
exsecror (03-06-2009), James.Schoaf (10-23-2009), Xel (03-19-2009)
  #4  
Old 03-06-2009, 06:32 AM
 
exsecror exsecror is offline
 

X-Wizard
  
Join Date: Apr 2007
Posts: 1,284
 

Default Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by geckoday
I vote for no Zend/Ioncube encryption. I bought X-Cart because I get 100% of the source and don't have to run encoded programs.

I agree 100% with this, last thing I want is to have to throw out all the code we've been working on to integrate eBillMe for our next refit
Reply With Quote
  #5  
Old 03-06-2009, 07:23 AM
 
SMDStudios SMDStudios is offline
 

eXpert
  
Join Date: Dec 2003
Location: Orlando, FL
Posts: 207
 

Thumbs up Re: X-Cart and PCI-DSS / PA-DSS compliance

Good news here....
__________________
X-Cart Gold various versions
Tahoe Web Design

WebsiteCM.com - We recommend WebsiteCM
Reply With Quote
  #6  
Old 03-06-2009, 07:56 AM
  bigredseo's Avatar 
bigredseo bigredseo is offline
 

X-Man
  
Join Date: Oct 2002
Location: Omaha, NE, USA
Posts: 2,364
 

Default Re: X-Cart and PCI-DSS / PA-DSS compliance

Because there's certificate involved in exactly how the process works, I'm sure SOME of it would have to be encoded just so that actions by users wouldn't circumvent the certification itself. The purpose of the certification is so that they can verify that it's secure and whatever, if it's opensource and anyone can access the code and modify it, then essentially EACH OF US would need to get re-certified that the process is still doing what it was originally designed to do.

At least, that's what I would think anyway?
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
Reply With Quote

The following 2 users thank bigredseo for this useful post:
sambamu (03-07-2009), Xel (03-19-2009)
  #7  
Old 03-06-2009, 08:51 AM
 
kulture kulture is offline
 

X-Man
  
Join Date: Feb 2005
Location: Norwich UK
Posts: 2,085
 

Default Re: X-Cart and PCI-DSS / PA-DSS compliance

How nice. Now how about doing the same for Litecommerce. It is modular after all and so it should be possible.
__________________
Richard
Ex Litecommerce 2.2.35
www.kultureshock.co.uk
Reply With Quote
  #8  
Old 03-06-2009, 08:53 AM
 
exsecror exsecror is offline
 

X-Wizard
  
Join Date: Apr 2007
Posts: 1,284
 

Default Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by handsonwebhosting
Because there's certificate involved in exactly how the process works, I'm sure SOME of it would have to be encoded just so that actions by users wouldn't circumvent the certification itself. The purpose of the certification is so that they can verify that it's secure and whatever, if it's opensource and anyone can access the code and modify it, then essentially EACH OF US would need to get re-certified that the process is still doing what it was originally designed to do.

At least, that's what I would think anyway?

Well as long as they do it that way I'm fine but if it hinders my ability to implement new payment methods (e.g. I shouldn't have to pay qualiteam to do it when our IT staff is more than capable of writing the code) then I will have a problem with it.
Reply With Quote
  #9  
Old 03-07-2009, 05:02 AM
  JWait's Avatar 
JWait JWait is offline
 

X-Man
  
Join Date: Nov 2005
Location: California
Posts: 2,440
 

Default Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by xplorer
2. We develop a payment module for X-Cart 4.3 and X-Cart 5.0 and verify it by a PA-QSA; probably, the source code of the module will be encrypted with Zend/ionCube

Will this be in addition to, or instead of making X-Cart 5.0 PA-DSS certified?
__________________
Two Separate X-Cart Stores
Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux
Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series.
Integrated with Stone Edge Order Manager + POS

Version 4.1.12 Gold (fresh install) - X-AOM - Linux
Mods - XCSEO free
Reply With Quote
  #10  
Old 03-07-2009, 09:16 AM
 
geckoday geckoday is offline
 

X-Wizard
  
Join Date: Aug 2005
Posts: 1,073
 

Default Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by handsonwebhosting
Because there's certificate involved in exactly how the process works, I'm sure SOME of it would have to be encoded just so that actions by users wouldn't circumvent the certification itself. The purpose of the certification is so that they can verify that it's secure and whatever, if it's opensource and anyone can access the code and modify it, then essentially EACH OF US would need to get re-certified that the process is still doing what it was originally designed to do.

At least, that's what I would think anyway?
The intent of PA-DSS is to facilitate/allow PCI-DSS compliance by merchants not to force/enforce it. Therefore PA-DSS does not require encoding the software so it can't be modified. PA-DSS only requires the vendor to develop their software in a PCI-DSS compliant manner. Any modifications would be custom development for that one merhcant and as such those modifications would not be subject to PA-DSS. Custom developed payment applications fall under the merchants PCI-DSS assessment. For most of us smaller merchants that means we would need to attest in our self assessment questionnaire that we followed PCI-DSS guidelines in developing our modifications and no outside verification would be required. That's the same thing that PA-DSS is doing for vendors - making sure they follow PCI-DSS guidelines in developing their software. PA-DSS requires that vendors get outside certification because their application will be used by many merchants and magnifies the impact of insecure development.

Another example of how PA-DSS only facilitates compliance and does not mean that a vendor must prevent you from shooting yourself in the foot and implementing their software in a non-PCI-DSS compliant manner. PA-DSS only requires that the vendors software *can* be implemented to be PCI-DSS compliant and the vendor has documented for the user how to implement it securely. IOW, its ok for the application to have the an option to store CVV numbers. But the documentation with the application has to tell the user that option must be turned off to be PCI-DSS compliant.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com
Reply With Quote
Reply
   X-Cart forums > News and Announcements



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 03:04 PM.

   

 
X-Cart forums © 2001-2020