
Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

   X-Cart forums > News and Announcements
#111
04-02-2012, 06:08 PM
componentman
Advanced Member
Join Date: Sep 2010
Posts: 36

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

OK, got it.

One more question: Let's say you buy/use X-Payments and are a level 4 merchant. Are the quarterly scans and yearly questionnaire still necessary? If they ARE still necessary, what is the point of X-Payments? From this link, under point #4, it sounds like you are compliant if you just fill out the questionnaire and scan quarterly (although time consuming).
__________________
Aaron

Running version: 4.5.5
#112
04-02-2012, 07:02 PM
totaltec
X-Guru
Join Date: Jan 2007
Location: Louisville, KY USA
Posts: 5,823

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

http://usa.visa.com/merchants/risk_management/cisp_merchants.html#anchor_2 Visa just says "if applicable" under tier 4. I can't seem to find the definition of when these scans are "applicable". I would do the scan if I were you, but maybe search for a low cost provider.

I just found these guys: http://www.ncircle.com/index.php?s=products_pci-compliance - looks like just $25.00 per scan, or you can get an annual subscription which may lower the cost further. Again, never used them, but the price looks good...

Edit: just found this: "Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Note scanning does not apply to all merchants. It is required for SAQ C and D - those merchants with external facing IP addresses. Basically if you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly scan by an approved scanning vendor is required."

In most x-payment/xcart installs there is some "internet connectivity" involved. So the answer is yes, you must be scanned.
Quote:
Originally Posted by componentman
If they ARE still necessary, what is the point of X-Payments?

The point is that you must use a PA-DSS validated payment application, or redirect the cardholders to the processor's site. Using a validated app is only one piece of the puzzle, you must be scanned and modify any problems with your hosting identified by the scan. Additionally you must have corporate policies in place for dealing with cardholder data. You can see an example security policy here: https://www.pcisecuritystandards.org/docs/pci_saq_c.doc
__________________
Mike White - Now Accepting new clients and projects! Work with the best, get a US based development team for just $125 an hour. Call 1-502-773-6454, email mike at babymonkeystudios.com, or skype b8bym0nkey

XcartGuru
X-cart Tutorials | X-cart 5 Tutorials

Check out the responsive template for X-cart.
#113
04-03-2012, 02:56 AM
philrisk
X-Adept
Join Date: Jul 2009
Location: Newcastle upon Tyne, UK
Posts: 412

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

I currently use Realex's addon module for Realex remote payments, where customers fill in a form on our website and the data is sent to Realex and a reply is sent back.

I'm guessing I need to now start using x-payments because I am transmitting data?

Would I need to install x-payments and then the Realex addon into that?

We Bank with Allied Irish Bank and use Realex and have not even been contacted about PCI or PA-DSS compliance!!
__________________
Live with Gold 4.5.1
Dedicated Linux server
MaxCDN 4 pull zones
Dedicated SSL

#114
04-03-2012, 04:17 AM
ambal
X-Cart team
Join Date: Sep 2002
Posts: 4,119

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Quote:
Originally Posted by donavichi
Yeah - pay $XX.xx a month for 'membership' of an X-Payments PCI-DSS solution for your cart whereby as long as the membership is active, your payments get routed through the X-Payments system. Can be setup via the integrated X-Cart Admin's X-Payment Module.

Actually, we are planning to launch the X-Payments Hosted plan on our hosting very soon.

Please sign up to receive our announcement at
http://eepurl.com/kBo9v
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
#115
04-03-2012, 04:54 AM
balinor
Veteran
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Quote:
I asked them if Authorize.net AIM was no longer going to be accepted as being PCI compliant

Clearly the rep you spoke to doesn't understand the situation, nor would their tech support, I wouldn't think. This is a regulation enforced by the Merchant Bank, not the gateway. Auth.net doesn't care where the sales come from; whether it be a validated cart or not, it is all the same to them.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
#116
04-03-2012, 09:27 AM
sjb
Advanced Member
Join Date: Apr 2007
Location: Wiltshire
Posts: 44

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Hi All,

I have read this thread with great interest and having read it, I am very glad we made the decision several years ago (right at the inception of PCI in the UK) to move customer payments away from our website to our 3rd party Payment Processor (who naturally have the highest level of PCI compliance). By so doing, and following one or two other simple procedures, we became PCI compliant overnight.

From talking to our acquiring bank (we work with one of the UK's “big 4” banks) we were their first customer to become PCI compliant in the UK. We were also their first to renew compliance last year.

I can only speak for the UK but our bank does enforce PCI compliance and started doing so 12 months or so ago. They are one of the big 4 UK banks so I guess the others will follow suit, if they are not already.

I only mention all this because we are a very small company but because we were “first up” with our bank, we had some input to our bank's processes and also some very good feedback from them. They also put us in touch with some senior bods at MasterCard who were heading up aspects of PCI, as we had many questions that no-one else was yet asking in the UK at the time. In turn we were put in contact with a top PCI consultant from the US (consulting to major brands). His advice is the reason I am posting on this thread and it went along the lines of “unless you are a major business, perhaps along the lines of a famous retailer named after renowned female warriors, you should not be considering hosting payment pages on your store”.

I appreciate this is quite stark advice and many will disagree. However, his reasoning for this advice was that he foresaw years of increasingly onerous legislation and compliance, getting stricter each year. He also foresaw increasingly draconian penalties. He felt that the goal posts would move many times and that store owners would be placed in an increasingly difficult and exposed position. Perhaps I am wrong but it seems to me that his predictions are starting to be borne out.

We made the move immediately after speaking to him and have rested easy ever since. It was not too costly and was reasonably simple to achieve.

To those on this forum who bemoan the 3rd party solution as somehow being detrimental to sales conversions because customers do not like it, or get confused, all I can say is that our experience has been the absolute opposite. Our basket-to-order conversion rate (which we do measure) has increased significantly year-on-year since we made the change. It does of course depend how you implement the changes, how you explain it in your site and how you manage the redirection to the payment processor. But our experience has only been positive. We are a business-to-business site and perhaps for more retail-orientated sites, where customers may be less well informed, the experience will be different, I do not know.

I just wanted to share our experience as a counter-point to some of the posts on here, to give an alternative view that will maybe help some store owners make the right decision, one way or the other. To host or not to host, that is the question...
__________________
SJ

B2B Site Owner
X-cart Gold 4.3.1
#117
04-03-2012, 11:59 AM
joelrhome
Advanced Member
Join Date: Dec 2003
Posts: 89

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

In case anyone is interested, we have decided to take another approach and work with our cc processor/gateway and create a new module that will work like this:

1. On the One Page Checkout, the customer selects "Credit Card".

2. When they click the Submit Button, the X-Cart Dialog modal box (like the login modal box) opens over top of the Checkout page, where the customer enters their CC info and clicks submit.

3. Upon a successful payment processing, the page is directed to the X-Cart receipt page as normal.

The benefits of this method are:
1. The customer never leaves the site to enter their CC Info.

2. The X-Cart installation is out of scope for PCI and PA-DSS Compliance - meaning that you do not need to have your website or web server validated. This is because technically, credit card info only "looks" like it is being entered into X-Cart via a modal box, but in fact it is being entered into PCI DSS validated middleware. This is a great solution for any size X-Cart site, but especially for small sites that are on shared hosting accounts.

3. We want to make it available at no cost for merchants who switch to our payment processor/gateway (the one we work with). If anyone is interested, PM me for details. They tell me they can match whatever rates people already pay.
__________________
Joel Rhome
x-cart 4.4.X
#118
04-03-2012, 12:30 PM
cflsystems
Veteran
Join Date: Apr 2007
Posts: 14,190

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

This does sound like a good idea. I wonder how "legal" it is to show the hosted payment page in a popup instead of redirecting the whole browser to it and if this in fact takes the cart out of scope?
__________________
Steve Stoyanov
CFLSystems.com
Web Development
#119
04-03-2012, 12:47 PM
joelrhome
Advanced Member
Join Date: Dec 2003
Posts: 89

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

I had the same question, but according to those I have spoken with, and documentation, the reason that this method takes X-Cart out of scope is that it is the middleware capturing the cc info, and not even the modal. It isn't quite a "hosted" off-site gateway like Authorize.net SIM or PayPal, but rather, it is a patented technology that is Validated. All I know is that the middleware is validated, and those who do the PCI Compliance validation tell me that X-Cart is out of scope this way.
__________________
Joel Rhome
x-cart 4.4.X
#120
04-03-2012, 08:27 PM
seyfin
X-Cart team
Join Date: May 2004
Posts: 1,223

Re: Upcoming X-Cart v 4.4.6 & PCI-DSS requirements

Guys, have you read this?

PCI Myths
PCI FAQs

You may find it useful.
__________________
Sincerely yours,
Sergey Fomin
X-Cart team
Chief support group engineer

===

Check this out. Totally revamped X-Cart hosting
http://www.x-cart.com/hosting.html

Follow us:
https://twitter.com/x_cart / https://www.facebook.com/xcart / https://www.instagram.com/xcart

Last edited by ambal : 04-03-2012 at 09:58 PM.