Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

cflsystems · #**141** 04-06-2012, 09:07 AM

Quote:

Originally Posted by totaltec

Guys, this might be the solution, not just for PayPal but for other processors as well.

Not really with the way QT implements things like that. Quantum Gateway has iframe payment page and it is implemented in 4.4.x BUT - instead of showing on the checkout page it shows on a separate page after you click on "place order" button.... Why they coded it like this I cannot understand

BCSE · #**142** 04-06-2012, 09:07 AM

Quote:

Originally Posted by cflsystems

Does that means that PP Advanced plan will take XC out of scope and customers stay ON the site for payment?

Yes. That's what I was meaning with my post above about the new methods they are starting to market that have been out for about 6 months for a few people.

They told me it doesn't have to be an iframe. They have 3 methods:
-Embedded - could be iframe
-Lightbox
-popup new browser (not as popular).

I've been told but not confirmed yet that this will be available for 4.4.7 coming out in May. We plan to make an integration for 4.1.x at the minimum and if we get enough request for other old versions of X-cart (4.2.x, 4.3.x, 4.4.0-4.4.6) then we will do those as well. That is unless X-cart plans to backport it but usually they don't for things like this.

Carrie

dmr8448 · #**143** 04-06-2012, 11:05 AM

So does x-cart support the Paypal payments Pro Hosted option?

https://cms.paypal.com/cms_content/GB/en_GB/files/developer/HostedSolution.pdf

ambal · #**144** 04-09-2012, 03:04 AM

Quote:

Originally Posted by dmr8448

So does x-cart support the Paypal payments Pro Hosted option?

https://cms.paypal.com/cms_content/GB/en_GB/files/developer/HostedSolution.pdf

It is going to support it in some time.

DPP · #**145** 04-10-2012, 07:35 PM

longest week of my life.

ambal · #**146** 04-11-2012, 12:26 AM

Quote:

Originally Posted by DPP

longest week of my life.

Someone is having a longer week anyway
http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/

You'd better be safe now than be someone everyone points at.

dmr8448 · #**147** 04-11-2012, 07:56 AM

Does anyone have recommendations on companies to help with our clients PCI compliance?

aasun · #**148** 04-11-2012, 10:44 AM

SUPER interesting thread. We're a small development company with about 10 x-cart stores/clients. And we manage 100% of the software, development and training for our clients. The only thing we don't do for them is manage their internal manufacturing, production, or fulfillment processes.

I'll admit, it is a bit scary. First, I have to be able to understand all this well enough so that I can:
1. inform my clients and answer their questions with authority
2. provide alternatives that ensure PCI-DSS compliance for their stores and limit their liability
3. be able to implement and manage all of this for them

Aside from custom designs, all these sites are pretty simple/basic in their checkout processes: 1 gateway, all SSL, no credit card data stored, etc.

SO, I'll ask this question (I haven't seen this asked in this thread), and it seems like an obvious question:

What would it take for x-Cart to become PA-DSS validated?

It seems like it would be THE simplest/best solution for a majority of the small x-Cart stores out there that would already be fully PCI-DSS compliant if only x-Cart was PA-DSS validated. Yes?

So, can QT ponder this question and seriously look at what it would take? Even if there were restructuring and changes needed in the code requiring some retooling of my clients' sites (or even a small increase in the license cost of the base x-cart that is PA-DSS validated), I can speak on their behalf and say, "I'd rather make backend updates to my site to meet compliancy requirements than to change my merchant provider or change my customers' checkout experience, or to have to pay large sums to 'tack on an after-thought' solution." (that 'after thought' solution being a third-party bounce-customers-off-of-my-site solution).

aasun · #**149** 04-11-2012, 10:59 AM

I did some searching on the PCI Council site for other shopping cart and store front ends that ARE PA-DSS validated. Right away, I see MivaMerchant, PinnacleCart, and even ZenCart(!) is PA-DSS validated. Here's the link to the current list I'm looking at:

https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true#

These names are frequently brought up by clients when evaluating shopping cart software, and we always steer them to x-cart.

I think QT really needs to get on the ball and provide a core system that is PA-DSS compliant, rather than requiring an expensive add-on, or complex solution to meet this need. I'll be hard pressed to be able to continue to sell x-cart over these other main stream shopping cart solutions, otherwise.

balinor · #**150** 04-11-2012, 11:23 AM

We all pressed them to do that aasun, but they opted to go the X-Payments route instead. They have made it clear that they have no plans to make their core cart compliant, especially after spending so much money getting X-Payments validated.