Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls

X-Cart and PCI DSS / PA-DSS compliance

 
Reply
   X-Cart forums > News and Announcements
 
Thread Tools
  #21  
Old 04-01-2009, 11:32 PM
  xplorer's Avatar 
xplorer xplorer is offline
 

X-Cart team
  
Join Date: Jul 2004
Posts: 925
 

Default Re: X-Cart and PCI-DSS / PA-DSS compliance

Hi guys!

If the changes to X-Cart 4.0 are not very complex, we will release a patch for it as well. Most likely it will be so.

I will let you know when have more details on the architecture of the payment module.

Thanks!
Reply With Quote
  #22  
Old 04-03-2009, 09:38 AM
 
mfb mfb is offline
 

Member
  
Join Date: Mar 2009
Posts: 22
 

Default Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by xplorer
Hi guys!

If the changes to X-Cart 4.0 are not very complex, we will release a patch for it as well. Most likely it will be so.

I will let you know when have more details on the architecture of the payment module.

Thanks!
Just joining the conversation now, but do you really mean 4.0 or 4.x? Seems like it should be 4.x to me

Thanks
__________________
My name is Steve
4.2.0
Reply With Quote
  #23  
Old 04-03-2009, 09:40 AM
 
balinor balinor is offline
 

Veteran
  
Join Date: Oct 2003
Location: Connecticut, USA
Posts: 30,253
 

Default Re: X-Cart and PCI-DSS / PA-DSS compliance

This question was specific to 4.0, but if you look at the top of this thread you'll see it mentions the other 4.x branches.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
Reply With Quote
  #24  
Old 05-10-2009, 03:21 AM
 
necroflux necroflux is offline
 

Advanced Member
  
Join Date: Feb 2009
Posts: 47
 

Default Re: X-Cart and PCI-DSS / PA-DSS compliance

Mr. Petrov, I applaud you for listening to your users and making the decision to give us 4.x'ers a simple, cost-effective upgrade path into PA-DSS compliance without having to recreate the entire site with v.5. Thanks!

I assume Authorize.net will be supported in this upcoming module?
__________________
-----------------
X-cart version 4.2.1
Reply With Quote
  #25  
Old 05-10-2009, 07:39 AM
 
mfb mfb is offline
 

Member
  
Join Date: Mar 2009
Posts: 22
 

Default Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by necroflux
Mr. Petrov, I applaud you for listening to your users and making the decision to give us 4.x'ers a simple, cost-effective upgrade path into PA-DSS compliance without having to recreate the entire site with v.5. Thanks!

I assume Authorize.net will be supported in this upcoming module?
I would assume so, as well. I don't know the popularity of other modules, but I believe authorize.net is one of the top ones.
__________________
My name is Steve
4.2.0
Reply With Quote
  #26  
Old 05-18-2009, 01:24 AM
  MattAustin's Avatar 
MattAustin MattAustin is offline
 

Advanced Member
  
Join Date: Jul 2008
Posts: 41
 

Default Re: X-Cart and PCI-DSS / PA-DSS compliance

I have just found this thread and I am very confused. Is there a simple way of defining who this applies to?
__________________
xcart version 4.1.6 Gold
Linux 2.6.9-67.0.20.ELsmp
www.qvsdirect.com
Reply With Quote
  #27  
Old 05-18-2009, 05:08 AM
  xplorer's Avatar 
xplorer xplorer is offline
 

X-Cart team
  
Join Date: Jul 2004
Posts: 925
 

Default Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by mfb
I would assume so, as well. I don't know the popularity of other modules, but I believe authorize.net is one of the top ones.

Yes, Authorize.Net is one of the popular payment systems and it is in the list.

Quote:
Originally Posted by MattAustin
I have just found this thread and I am very confused. Is there a simple way of defining who this applies to?

As far as I know if your website neither stores nor collects credit card numbers, it is not a subject for PCI DSS rules. Since it depends on the payment gateway and the integration method you use, please clarify this point with your payment services provider.
Reply With Quote
  #28  
Old 05-30-2009, 08:16 PM
  markvo's Avatar 
markvo markvo is offline
 

Advanced Member
  
Join Date: Sep 2005
Location: Oregon
Posts: 52
 

Default Re: X-Cart and PCI-DSS / PA-DSS compliance

I have gotten mixed messages from the credit card industry about how your cart will be treated if it "neither stores nor collects credit card information". My sense is that different merchant service providers are trying to figure this out too.

The answer I've been given that made the most sense to me is based on the intent of the whole PCI/PA-DSS compliance thrust. The idea is to identify holes in the credit card processing system where ill intentioned people can gain access to someone else's credit card information and then close the holes. The self-assessment questionnaire is most effective as a way to make site owners aware of the issues. It doesn't provide any real protection. The way a merchant service provider will know whether the the merchant's site doesn't store credit cards is by audit (admittedly the current process is still pretty leaky.) I believe most merchant service providers will require the software audit now (or in the near future) as the industry internalizes PCI-DSS compliance.

The only loophole I could imagine post-July 2010 is that if your site passes PCI-DSS compliance and the audit validates you never see or store credit card information you might be able to avoid the PA-DSS compliance. We'll see what tomorrow brings.
__________________
Mark in Oregon
Xcart Gold version 4.1.8, 4.1.10
Linux
MySQL server 3.23.58
Apache 1.3.27
PHP 4.4.2
Reply With Quote
  #29  
Old 06-01-2009, 07:48 AM
 
TA TA is offline
 

eXpert
  
Join Date: Apr 2006
Posts: 303
 

Default Re: X-Cart and PCI-DSS / PA-DSS compliance

Besides not storing credit card info in your database, you may also run into issues if you process the information on-site. If a purchase takes the customer off-site for processing, you should be okay.
__________________
v4.7.12
v5.4.x (In Dev)
Reply With Quote
  #30  
Old 06-01-2009, 09:23 PM
  markvo's Avatar 
markvo markvo is offline
 

Advanced Member
  
Join Date: Sep 2005
Location: Oregon
Posts: 52
 

Default Re: X-Cart and PCI-DSS / PA-DSS compliance

I agree that you should be okay if you allow all the credit card info to be handled by your merchant service provider and your shopping cart never sees this information. However, I believe it is the case that cart owners will need to prove this to their merchant service provider. Based on less than rock solid definitiveness, my sense is that ultimately each cart will need to pass the software audit in addition to the self assessment questionnaire. If your volume is high enough you will also need to pass the on-site audit.

There are 2 main benefits of allowing the merchant service provider to handle the entire credit card info trail. We avoid the devastating cost of lost credit card information and, if we're lucky, we might avoid the PA-DSS compliance requirement...TBD

Mark
__________________
Mark in Oregon
Xcart Gold version 4.1.8, 4.1.10
Linux
MySQL server 3.23.58
Apache 1.3.27
PHP 4.4.2
Reply With Quote
Reply
   X-Cart forums > News and Announcements


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 08:02 PM.

   

 
X-Cart forums © 2001-2020