| ||||||||||
Shopping cart software Solutions for online shops and malls | ||||||||||
|
X-Cart Home | FAQ | Forum rules | Calendar | User manuals | Login |
X-Cart and PCI DSS / PA-DSS compliance | ||||
|
|
Thread Tools |
#91
|
|||||||||
|
|||||||||
Re: X-Cart and PCI-DSS / PA-DSS compliance
More clear Steel thanks. I guess I will have to read more on the subject as I was getting confusing reports - from one place D, from another place C.
__________________
Steve Stoyanov CFLSystems.com Web Development |
|||||||||
#92
|
|||||||
|
|||||||
Re: X-Cart and PCI-DSS / PA-DSS compliance
Quote:
Probably SAQ C. You should read all of the requirements for SAQ C as Steel posted but the one that most likely could push you to SAQ D is the connection to other systems in the merchant environment. I've heard varying opinions from QSA's on what that means but I believe that for the typical X-Cart user that is administering their cart via HTTPS the connection to other systems doesn't apply so you would be eligible for SAQ C. Quote:
Quote:
__________________
Manuka Bay Company X-Cart Version 4.0.19 [Linux] UGG Boots and other fine sheepskin products http://www.snowriver.com |
|||||||
|
#93
|
|||||||||
|
|||||||||
Re: X-Cart and PCI-DSS / PA-DSS compliance
Thank you Ralph. Nothing in this life is meant to be easy I guess
__________________
Steve Stoyanov CFLSystems.com Web Development |
|||||||||
#94
|
|||||||||
|
|||||||||
Summary So Far: X-Cart & PCI-DSS / PA-DSS compliance
Hi All,
I am breaking this over two posts - apologies for the length - but I very much hope worth the read. A) Introduction I am a loyal XCart customer, trying to decide on a PCI-DSS/PA-DSS compliance strategy (henceforth "Compliance"). XCart has enabled my business and I have no business with out it. My heartfelt thanks to the XCart team for that. Sadly however, the Compliance debate in these forums is scaring me. What is the best strategy for a modified 4.1.x user like myself? (Does that profile put me in the majority here?). Should I:
This is my business, my livelihood, my family's well being. With only 6 months to go, I consider that I have reached the minimum responsible window to make my decision. The following is my interpretation of the main issues and my open questions. I am trying to write a definitive post that, along with the responses to it, will help myself and others to decide on strategies 1-6. Quote:
B) An Enlightening Thread I have been following the thread here (http://forum.x-cart.com/showthread.php?t=51228&page=2). That thread:
That post prompted me to seek clarity here. C) What We Want I believe that most of us want a Compliance solution that:
The XCart team have suggested:
Quote:
E) Some Realisations All of the above brought home some realities to me: Relisation 1 - I can not bet my Business in v5.0 Version 5.0 is not due out until mid 2010. It has been delayed already and XCart have not been confident enough about it's progress to provide a hard delivery date. But July 2010 is the cut off date for Compliance. Realistically, this means that none of us can confidently put our hopes on v5.0 for meeting the deadline because:
Realisation 2 - X-Payments Requires A 2nd Server In the post I referenced above, it was suggested that the X-Payments solution needs to run on a separate server (not your X-Cart Server) so as to satisfy the Compliance requirement of being a distinct system to XCart. So you need to rent another server from your hosting provider ($$$) to achieve Compliance using X-Payments. There did seem to be debate around this point, but if this is the case then the value-for-money argument for investing in XCart just took a hit. Realisation 3 - X-Payments Diverts Customers Away From XCart In the post I referenced above, it was also suggested that the design of X-Payments results in customers being visibly diverted away from XCart, to an X-Payments server, and then back to XCart. So, to a customer, it's not that different to being sent off to a PayPal or other third party server. That is, the page diverts to the X-Payments server, they enter their details, the server tells them to wait, they wait, if all goes well they get diverted back to XCart. It does seem that the template system that comes with X-Payments allows you to customise the look and feel of the Payment Screen (probably more so than PayPal etc allow). But, I/we just don't want people leaving XCart because they all-too-often get annoyed and walk away. Customised look-and-feel or not, customers are fickle and diversions to another site get noticed, make true one-page-checkout impossible, and lead to abandoned carts (I remember a terrific post in these forums by Balinor that discusses this issue). [To Be Continued in next post]
__________________
/Jarron Stephens/X-Cart Gold/4.1.12+4.4 /Marketing Manager/AOM/Returns/Massive Customisation....it hurts |
|||||||||
#95
|
|||||||||
|
|||||||||
Summary So Far: X-Cart & PCI-DSS / PA-DSS compliance
[Continued from pevious post]
Realisation 4 - X-Payments Will Not Support My Gateway on Release My gateway provider (www.paydollar.com) is not on the X-Payments supported gateway list. I asked XCart if I could get them added but received a "maybe later" styled answer. (XCart built the custom mod in my current XCart to connect with PayDollar...). So now my XCart 4.1.x options are:
There are posts all through the forums on how hard it is to move to XCart 4.2/3 from 4.1.x. I won't repeat all of that here but the key takeaways for me were:
Realisation 6 - Other Carts Are Already Compliant I didn't know this until I read the post referenced above. So there is Choice and we have 6 months to get it working. But for many of us, this would be very painful given the degree to which we have integrated XCart into our business processes and technology stack. Realisation 7 - Phone Orders etc - Am I screwed anyway? 7.1 Phone Orders This is probably not an X-Payments issue so much as an issue of how to interpret the Compliance rules. What if I want to take an order by Phone/Mail/Fax/Email? I'm thinking that with all of these, the moment I have a record of the customer's details in my posession (on paper or email) then I'm screwed, right? In terms of processing the Payment I actually have a choice. I can either:
7.2 Subscriptions & "Remembered" Credit Card Details My customers have been complaining that they don't want to enter their credit card details every time they buy from me. I explain the security advantages of me not storing their credit card details and they simply respond that they are confident the bank will sort them out if they are subject to credit card fraud. Now, whether that's correct or not, they want maximum convenience at checkout. But this means storing credit card details somewhere. So how do I simultaneously:
I guess the related question is, does/can X-Payments store credit card details in a compliant manner? Or (as I suspect) is X-Payments a pure gateway with no persistence? Realisation 8 - A Possible Solution? In the above referenced post, Vyacheslav Petrov from XCart gave me hope when he wrote: Quote:
Does this mean I can:
So, which gateways offer this? Anyone got experience in this? Or is there a forum rule that stops us discussing gateway providers' offerings? F) Open Questions So all of the above leaves me with the following open questions that I hope XCart plus this fantastic user base can help me with. I suspect/hope that the answers to these questions will help many in the forum! F.1) Questions for the XCart Team
OK - thx to all who have read this tome. Greatly looking forward to the responses. thx, js
__________________
/Jarron Stephens/X-Cart Gold/4.1.12+4.4 /Marketing Manager/AOM/Returns/Massive Customisation....it hurts |
|||||||||
|
#96
|
|||||||||
|
|||||||||
Re: X-Cart and PCI-DSS / PA-DSS compliance
Jarron, what a wealth of information and questions! Great job documenting it all. I really think that these questions deserve their own thread rather than getting burried here in this PCI thread. Can forum admins move these to another NEW thread so we can follow along on this?
From a web hosts standpoint, we are seeing MOST people who install X-Cart using the 4.3 branch and really we're not seeing any complaints from users on it. I don't know if it's "stable" by forum standards, but definitely from our end we're not seeing half the questions or problems that people ran into in the 4.0 and 4.1 versions. It seems to play rather nice on the server from our end. One question I wanted to throw in here was in regards to the F.2-2 part (using X-Payments on a 2nd server). Can someone clarify if this just means hosting it on an alternate SHARED account with a dedicated IP number, or if it requires it's own environment (VPS or Dedicated Server)? Even if it needed it's own Dedicated IP number that will mean TWO SSL certificates needed by store owners - one for their site (customer logins etc) and one for the Payment section which would be on a separate server/domain. So my question is does having X-Payments on a separate shared hosting account that ONLY runs X-payments satisfy PCI, or does it need to be on a VPS/Dedicated Server?
__________________
Conor Treacy - Big Red SEO - @bigredseo Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding! If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet. Omaha SEO Office with National & Local SEO Services Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance |
|||||||||
|
#97
|
|||||||
|
|||||||
Re: X-Cart and PCI-DSS / PA-DSS compliance
Great post. I use Litecommerce and am currently considered "PCI compliant" by my merchant service provider. Or at least by the auditors they have recommended. In my opinion the only real way to get a definitive answer for YOU is to ask your card provider what YOU have to do to satisfy them.
All that said, I consider version 5 a non starter. It has already slipped from its original delivery date; there is absolutely no information as to what is in it; there is no way I would go live on it in its first year. Litecommerce is clearly no longer supported by Qualiteam (no meantion of it in the recent paypal pro changes for 3d secure). So I am moving cart and not to XCart. Regarding gateways, I am looking at Sagepay Server which looks like it runs from an IFrame in my chosen new cart and thus is hosted on Sagepays server BUT looks like its your site. |
|||||||
#98
|
|||||||
|
|||||||
Re: X-Cart and PCI-DSS / PA-DSS compliance
Quote:
I was thinking again over Christmas and as QT have pushed back x-cart 5.0 and have given no insight into it or some of the features to expect I'm again looking at competitors carts. QT, you need to show us what 5.0 is all about asap. Kulture, I recently signed up with Sage pay as Worldpay are expensive. Sagepay were useless. They took two months to set my account up and it was full of bugs. I decided not to bother in the end and cancelled. They then tried to say I was contracted to pay them 3 months fee. Shit company.
__________________
2007-2010 LC: 2.2.41 Jumped ship due to lack of development. |
|||||||
#99
|
|||||||
|
|||||||
Re: X-Cart and PCI-DSS / PA-DSS compliance
Quote:
First off. X-Payments will not require a second server even though that is the way Qualiteam has designed/envisioned/promoted its use. I've probably contributed a bit to that misconception due to my vocal objections to how the design allowing it to run on a second server makes it an ugly bolt-on to the end of the checkout process instead of it being integrated into checkout. X-Payments can be installed into a folder within your X-Cart site and use your sites existing IP and SSL certificate. The downside to this is that your X-Cart server will be in PCI-DSS scope. For most of us level 3 or 4 merchants who are not storing credit card information and filling out SAQ C that shouldn't be a big deal - no worse than dealing with the X-Payments server being in scope. If you do store credit card information or are otherwise pushed to SAQ D having your X-Cart server in scope *might* not be something you want to do as any changes you make to the X-Cart server then would require all of the development process and associated documentation required by SAQ D. Qualiteam assumed we are all in the SAQ D boat and all didn't want to deal with the development process & documentation, hence the two server design. In reality, I think most of us are in the SAQ C boat and hence don't have the development process & documentation burden. Ok, but what if you want to install X-Payments on a second server? A shared hosting account, VPS or dedicated server are all OK. If you are going to store credit card numbers whichever you choose must not have the database on the same server as X-Payments. The database server must be on another server that is not accessible from the internet. In addition, if you are using shared hosting and storing credit card numbers your shared host must meet the requirements in Appendix A of SAQ D - processes must run under merchants user account (no mod_php), access restrictions keeping everyone in their own environment, PCI required logging in place, processes in place for rapid forensic investigation of compromises.
__________________
Manuka Bay Company X-Cart Version 4.0.19 [Linux] UGG Boots and other fine sheepskin products http://www.snowriver.com |
|||||||
|
#100
|
|||||||
|
|||||||
Re: Summary So Far: X-Cart & PCI-DSS / PA-DSS compliance
Wow, Jarron. Glad to see you taking this seriously. I'll answer what I can as I find time.
Quote:
Quote:
With any of these methods you have the issue that you are probably entering card numbers into your gateway virtual terminal using a computer at your store/office/home. That means that computer and its associated network are in scope for PCI-DSS compliance. You will at least need to comply with SAQ C for that environment. If that environment is considered connected to your web site it can push you to SAQ D. What is considered connected? Unfortunately, that is unclear even amongst QSA's. One QSA opinion I agree with is that if you are connecting to the web site via HTTPS for normal X-Cart type administrative stuff and not passing card numbers back and forth you can probably consider it not connected. For phone orders there are possibly two issues. One, you may be writing down the card numbers. Then you must comply with paper record PCI-DSS requirements. The second won't apply to many people - its more common in call centers. If you record any customer calls you are now storing card numbers and probably CVV codes which is not allowed after authorization. Best not to do this unless you want to sort out the problems with it. If you are using an outsourced call center you must ensure their PCI compliance. Fax requires your fax machine be in a secure area and compliance with paper record requirements. If you use a fax to email service you must ensure the compliance of your fax to email provider and the email issues below. Email can be a big problem if customers are sending you card numbers via email. This might push you into SAQ D for storing card numbers on your email server. If you tell customers not to send card numbers via email, just a phone number you can call them at to get it and an occasional customer sends you one which you delete immediately it shouldn't be a problem according to one QSA I heard from on this. Post/snail mail just adds the paper record requirements.
__________________
Manuka Bay Company X-Cart Version 4.0.19 [Linux] UGG Boots and other fine sheepskin products http://www.snowriver.com |
|||||||
|
|||
X-Cart forums © 2001-2020
|