Upcoming X-Cart v 4.4.6 (now renamed to 4.5.0) & PCI-DSS requirements

#1 | seyfin (X-Cart team) | 03-23-2012, 07:35 AM

Hello X-Carters,

We would like to inform you about major changes in upcoming X-Cart v 4.4.6 (to be released very soon, in a week or so):

1) Due to PCI-DSS requirements being enforced over the last months, we have to remove all background (aka "onsite" or "merchant hosted") credit card processing methods from the core X-Cart package. See the list of removed methods below.

A merchant that needs such credit card payment methods has to use a PA-DSS validated application like our X-Payments or go with "offsite" or "gateway hosted" methods.

2) No credit card data will be stored in X-Cart anymore (due to PCI-DSS requirements again).

3) USPS shipping calculator module will be completely revised and updated to meet the latest USPS APIs requirements.

4) Two new built-in skins.

You are welcome to ask any questions.

List of the credit card processing methods removed from X-Cart since v4.4.6 release:

* ANZ eGate - Merchant-Hosted (cc_anz_mh.php)
* AuthorizeNet - AIM (cc_authorizenet.php)
* Bean Stream (cc_bean.php)
* BluePay (cc_blue.php)
* Caledon (cc_caledon.php)
* CyberSource - SOAP Toolkit API (cc_csrc_soap.php)
* DIBS (cc_ideb.php)
* DirectOne - Direct Interface (cc_directone.php)
* ECHOnline (cc_echo.php)
* ePDQ - MPI XML (cc_epdq_xml.php)
* eProcessingNetwork - Transparent Database Engine (cc_eproc.php)
* eSec - Direct (cc_esec.php)
* eSec - ReDirect (cc_esecd.php)
* eSelect Plus - Direct Post (cc_eselect.php)
* eWAY Merchant Hosted Payment (cc_eway.php)
* First Data Global Gateway - LinkPoint (cc_linkpoint.php)
* GoEmerchant - EZ Payment Gateway Direct (cc_goem.php)
* GoEmerchant - XML Gateway API (cc_goem_xml.php)
* HeidelPay (cc_heidel.php)
* HSBC - XML API integration (cc_hsbc_xml.php)
* Innovative E-Commerce (cc_innec.php)
* iTransact (Process USA) - XML scheme (cc_processusa.php)
* Netbilling gateway - Direct (cc_netbilling.php)
* NetRegistry e-commerce (cc_nrecom.php)
* Ogone - Direct (cc_ogone.php)
* PayFlow - Pro (cc_payflow_pro.php)
* PayPal WPP Direct Payment (ps_paypal_pro_us.php and ps_paypal_pro_uk.php)
* PlugnPay - Remote Auth method (cc_plugnpaycom.php)
* PSiGate - XML Direct (cc_psigate_xml.php)
* RBS WorldPay - Global Gateway (cc_bibit.php)
* Sage Pay Go - Direct protocol (cc_protxdir.php)
* SecurePay - Non-Recurring Interface (cc_securepay.php)
* SkipJack (cc_skipjack.php)
* USA ePay (cc_usaepay.php)
* Virtual Merchant - Merchant Provided Form (cc_virtualmerchant.php)

============================================
FAQs (covering the major questions asked in this forum thread)
============================================

===
Q1:

If a store is not storing credit card information, why must it lose the ability to use Authorize.net AIM?

A1:

X-Cart is not a PA-DSS verified application, unfortunately. So, in order to handle, process and transmit cardholder data THROUGH your cart (which X-Cart's Authorize.Net AIM payment module does), you need to use another PA-DSS verified application, even if you are not storing the CC info. Or you can still use Authorize.Net AIM in the following cases:

* via a PA-DSS verified application like X-Payments on top of X-Cart.
NOTE: The web-server environment which hosts X-Payments should be PCI-DSS compatible (you should ensure the hosting provider is PCI-DSS compatible).

* via PCI-DSS certified payment system like CRE Secure's Hosted Payment Page, thus outsourcing all cardholder data functions to third-party.

===
Q2:

I've got several sites that use AIM. What am I supposed to do now that all payment processor modules are being removed from X-Cart?

How do I upgrade them and still use authorize.net?

A2:

You can upgrade to 4.4.6, and use one of the possible solutions:

* Authorize.Net AIM via a PA-DSS verified application like X-Payments.
NOTE: The environment which hosts X-Payments should be PCI-DSS compatible.

* CRE Secure's Hosted Payment Page solution (PCI-DSS certified payment system), which supports such payment gateways as Chase Paymentech, Authorize.net, PayPal Payflow PRO, PayPal Website Payments PRO, eProcessing Network, PayLeap, SkipJack, USAePay, FirstData.

* Authorize.Net SIM integrated into X-Cart.

===
Q3:

Does Qualiteam have any plans to release Authorize.Net DPM solution for X-Cart?

A3:

We are considering this option at the moment, but have not made a decision yet.

One of the reasons is that different QSAs consider solutions like DPM differently, and it is not clear enough whether a merchant using the X-Cart + Auth.net DPM solution would need to complete:

* SAQ A - addressing requirements applicable to merchants who retain only paper reports or receipts with cardholder data, do not store cardholder data in electronic format and do not process or transmit any cardholder data on their systems or premises.

- OR -

* SAQ C - addressing requirements applicable to merchants who process cardholder data via payment applications connected to the Internet, but who do not store cardholder data on any computer system.

We would recommend consulting your QSA or merchant account provider directly regarding the matter.

NOTE: SAQ C, in contrast to SAQ A, requires merchants to use Payment Applications validated according to PABP/PA-DSS.

===
Q4:

Is X-Payments a PA-DSS validated payment application? And what about X-Cart?

A4:

X-Payments is a PA-DSS validated payment application, but X-Cart is not.

So, in order to meet PCI-DSS merchants should:

1) Outsource all cardholder data processing from X-Cart to an external PCI-DSS compatible system, for example:

* "offsite" or "gateway hosted" payment solutions like Authorize.Net SIM, 2Checkout, PayPal, Checkout by Amazon, SagePay Go (Form integration), etc.
* CRE Secure's Hosted Payment Page PCI-DSS certified payment system
* PCI-DSS compatible hosting + X-Payments PA-DSS validated payment application

= OR =

2) Have their X-Cart application validated according to PA-DSS + have the X-Cart's hosting to be PCI-DSS compatible.

In fact, having the X-Cart software PA-DSS certified and validated is much more expensive than the X-Payments price. Please also note that one X-Payments license allows you to connect up to 10 online stores.

===
Q5:

How many online stores can an X-Payments installation be connected to?

A5:

One X-Payments license/installation can be connected to up to 10 online stores.

====
To be continued...
__________________
Sincerely yours,
Sergey Fomin
X-Cart team
Chief support group engineer

===

Check this out. Totally revamped X-Cart hosting
http://www.x-cart.com/hosting.html

Follow us:
https://twitter.com/x_cart / https://www.facebook.com/xcart / https://www.instagram.com/xcart

Last edited by seyfin : 03-30-2012 at 11:57 PM.


#2 | totaltec (X-Guru, Louisville, KY USA) | 03-23-2012, 08:10 AM

Wow. The PCI Compliance issue is heating up. Sergey, do you have any links or information about your comment that PCI compliance is now being "enforced"?
Thanks for keeping us informed.
__________________
Mike White - Now Accepting new clients and projects! Work with the best, get a US based development team for just $125 an hour. Call 1-502-773-6454, email mike at babymonkeystudios.com, or skype b8bym0nkey

XcartGuru
X-cart Tutorials | X-cart 5 Tutorials

Check out the responsive template for X-cart.

#3 | seyfin (X-Cart team) | 03-23-2012, 08:48 AM

> The PCI Compliance issue is heating up. Sergey, do have any
> links or information about you comment that PCI compliance
> is now being "enforced"?

http://usa.visa.com/download/merchants/payment_application_security_mandates_regions.pdf

Quote:
Phase 1: Newly boarded merchants that use payment application software must use PA-DSS compliant applications or be PCI-DSS compliant. Effective date 7/1/2010
Phase 2: Acquirers must ensure that merchants and agents use PA-DSS compliant payment applications. Effective date 7/1/2012

#4 | cflsystems (Veteran) | 03-23-2012, 08:48 AM

This is a major change. Hopefully it will not break anything in XC when 4.4.6 is released. Just a suggestion:

Include a big red text across the screen upon install or upgrade to 4.4.6 that will warn about these changes even if you have to make it with an "agree" checkbox so no one can miss it. Don't count on XC users to read the change log or the forum.

Of course, make it look nice and presentable.

I know some will find it annoying (me too at some point), but better safe than sorry.
__________________
Steve Stoyanov
CFLSystems.com
Web Development


#5 | balinor (Veteran, Connecticut, USA) | 03-23-2012, 10:01 AM

It is indeed being enforced - I have had a number of people come to us who were being penalized $100+/month for non-compliance - and that is just the beginning. If you happen to get hacked and aren't compliant, you are in for a huge amount of liability.

Glad Qualiteam is finally taking this matter seriously and not just throwing X-Payments at it. People need to stop storing CC info and using non-compliant carts - it is for the benefit of everyone.

Don't try to lie on your SAQ either, that's an even worse penalty.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development


#6 | gb2world (X-Wizard, Austin, TX) | 03-23-2012, 11:11 AM

Hello Sergey -

I have an x-cart instance that uses Authorize.net AIM + DPM which has been approved by a compliance officer at the bank being used. Is there any way for you to investigate Authorize.net AIM + DPM and allow it as a method in 4.4.6 if it meets requirements? It seems that you could get an independent opinion from your auditor about the viability of this method and include it or not.

---
__________________
X-CART (4.1.9,12/4.2.2-3/4.3.1-2/4.4.1-5)-Gold
(CDSEO, Altered-Cart On Sale, BCSE Preorder Backorder, QuickOrder, X-Payments, BCSE DPM Module)

#7 | seyfin (X-Cart team) | 03-23-2012, 10:07 PM

Quote:
Originally Posted by gb2world
Hello Sergey -

I have an x-cart instance that uses Authorize.net AIM + DPM which has been approved by a compliance officer at the bank being used. Is there any way for you to investigate Authorize.net AIM + DPM and allow it as a method in 4.4.6 if it meets requirements? It seems that you could get an independent opinion from your auditor about the viability of this method and include it or not.

---

Dear Gabriel,

Actually, Advanced Integration Method (AIM) and Direct Post Method (DPM) are two different solutions. Please do not mix up these terms.

Authorize.Net Direct Post Method (DPM) is considered to be a solution that supports you to be PCI Compliant, as all Credit Card handling is done directly through Authorize.net, and no Credit Card data is handled/stored/processed on the merchant (X-Cart) server.

Please check the links below to learn how AIM and DPM solutions work:

* http://developer.authorize.net/api/howitworks/dpm
* http://developer.authorize.net/api/howitworks/aim
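
The distinction Sergey draws above (AIM sends card data through the store, DPM posts it straight to the gateway), and the "handle, process and transmit THROUGH your cart" case in FAQ A1, comes down to where the checkout form posts its card fields. As an added example that is not X-Cart's or Authorize.Net's code, the Python check below classifies the forms on a checkout page that way; the field-name hints, hostnames and sample HTML are assumptions constructed for the example.

```python
# Added example, not X-Cart's or Authorize.Net's code; names and samples are assumed.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input-name fragments that mark PAN / CVV fields. Assumption: the x_* names
# follow Authorize.Net's parameter naming; adjust to your checkout template.
CARD_FIELD_HINTS = ("card_number", "cardnumber", "ccnum",
                    "x_card_num", "x_card_code", "cvv", "cvc")

class CheckoutFormParser(HTMLParser):
    # Collects (action, [input names]) for every <form> on the page.
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = (a.get("action") or "", [])
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current[1].append((a.get("name") or "").lower())

def classify_forms(html, store_host):
    """Return (action, pattern, tls) for each form that collects card data.
    merchant-hosted: posts to the store itself, so the PAN transits the cart
    (the AIM-style modules removed in 4.4.6; cart in PA-DSS scope).
    direct-post: posts to another host, bypassing the cart.
    tls is True/False for absolute actions, None for relative ones."""
    parser = CheckoutFormParser()
    parser.feed(html)
    results = []
    for action, fields in parser.forms:
        if not any(hint in f for f in fields for hint in CARD_FIELD_HINTS):
            continue  # this form never touches cardholder data
        url = urlparse(action)
        same_host = not url.netloc or url.netloc.lower() == store_host.lower()
        pattern = "merchant-hosted" if same_host else "direct-post"
        tls = (url.scheme.lower() == "https") if url.netloc else None
        results.append((action, pattern, tls))
    return results

# Constructed samples: identical card fields, two different post targets.
SAMPLE_MERCHANT_HOSTED = ('<form action="/cart/checkout_card.php" method="post">'
                          '<input name="x_card_num"><input name="x_card_code"></form>')
SAMPLE_DIRECT_POST = ('<form action="https://gateway.example/transact" method="post">'
                      '<input name="x_card_num"><input name="x_card_code"></form>')
```

Run it against a saved copy of your own checkout page: any "merchant-hosted" hit means cardholder data passes through the cart, which is the case the announcement says now needs a PA-DSS validated application.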

#8 | gb2world (X-Wizard, Austin, TX) | 03-24-2012, 01:37 PM

Thanks Sergey. DPM and AIM seem to have enough commonality in their set up that when BCSE built their module to support DPM, they appear to have added it to the existing X-CART AIM module set up. We'll have to ask them the impact on their DPM mod with your removal of the support for the existing AIM module.

Is there any plan at QT for future support of Authorize.net DPM and/or any other gateways who have a similar transparent redirect method, or will you be leaving that space to the 3rd party developers, and offer only x-payments for customers who require the payment page to remain at the shop's url?

---

#9 | ynotcreative (Advanced Member) | 03-26-2012, 03:30 AM

I am sorry, but I don't get this. If a store is not storing credit card information, why must it lose the ability to use Authorizenet AIM? I can understand denying use to those storing for subscription payments or the like, but one-off transactions having to now use your $1000 x-payments is beyond possible for small stores. The other option, using a butt-ugly payment processor like PayPal, which charges a lot per transaction, does not offer any better solution.

Please tell me I am missing a better solution here.
__________________
X-Cart Pro 4.1.10, 4.3.1, 4.2.x, 4.3, 4.4.3, 4.5.5, Platinum 4.6
Add-on: X-Affiliate
Fashion Mosaic
Add-on: X-SpecialOffers
Add-on: X-GiftRegistry
Add-on: X-AOM (Advanced Order Management)
Add-on: X-FancyCategories
Add-on: Custom Multi-currency

#10 | balinor (Veteran, Connecticut, USA) | 03-26-2012, 05:33 AM

Quote:
If a store is not storing credit card information, why must it lose the ability to use Authorizenet AIM?

Because X-Cart is not PA-DSS compliant - and as of last year you need to use a PA-DSS certified cart in order to process transactions THROUGH your cart (which AIM does) even if you are not storing the CC info. You can still use AIM, you just need to use X-Payments on top of X-Cart.