
PCI Compliance
#41 - 06-17-2012, 08:10 PM
cflsystems (Veteran, Join Date: Apr 2007, Posts: 13,429)

Re: PCI Compliance

A quarterly scan is required but you can pick any company you want as long as it is one of the approved scanning vendors - https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php

It doesn't have to be McAfee.
__________________
Steve Stoyanov
CFLSystems.com
Web Development
#42 - 06-18-2012, 06:24 AM
Manic (Senior Member, Join Date: Dec 2007, Posts: 127)

Re: PCI Compliance

OK, now I'm finding out I need a separate server to host X-Payments, or to move my X-Cart store to a VPS and have X-Payments under the one VPS account, in order to be PCI compliant.

Has anybody gone through these issues when installing X-Payments?

This is much more complicated than I thought, and I am tempted to change from PayPal Payments Pro to PayPal Payments Standard. With Standard I don't have to worry about PCI compliance.
__________________
X-Cart Gold 4.1.9
Smart Search (from Altered Cart)
DSEFU Pro
Product Meta Tags Plus
Category Meta Title Control
Latest Additions (BCSE)
Remember Me login
FireTank's Feed Manager
Lightbox (BCSE)
EWD Hosting

#43 - 06-18-2012, 09:47 AM
totaltec (X-Guru, Join Date: Jan 2007, Location: Louisville, KY USA, Posts: 5,825)

Re: PCI Compliance

Quote (Originally Posted by Manic):
Can you folks tell me if a McAfee scan is absolutely required to be PA/PCI-DSS compliant? This would be another expense if it is required.

"The PCI requires all Internet-facing IP addresses to be scanned for vulnerabilities."

Source: https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf

I think removing yourself from scope, rather than becoming compliant, is a good option for smaller merchants. The best advice I have heard is to contact your merchant provider. Comply with their requirements rather than attempting to determine what those requirements are on your own. The PCI council is leaving it up to the merchant account providers to determine and enforce compliance.
__________________
Mike White - Now Accepting new clients and projects! Work with the best, get a US based development team for just $125 an hour. Call 1-502-773-6454, email mike at babymonkeystudios.com, or skype b8bym0nkey

XcartGuru
X-cart Tutorials | X-cart 5 Tutorials

Check out the responsive template for X-cart.

#44 - 06-18-2012, 05:37 PM
gb2world (X-Wizard, Join Date: May 2006, Location: Austin, TX, Posts: 1,970)

Re: PCI Compliance

Quote (Originally Posted by Manic):
OK, now I'm finding out I need a separate server to host X-Payments, or to move my X-Cart store to a VPS and have X-Payments under the one VPS account, in order to be PCI compliant.

@Manic -
(standard disclaimer - I am not a QSA - run all your plans by the compliance officer at your bank and watch their eyes glaze over.)

That is not exactly how I understand the recommendation.

In the FAQ, QT states:
Quote:
Can X-Payments be installed on a shared hosting?
Yes, provided that a separate account is used for hosting X-Payments. No other software must be installed and run under this account.

That does not say a unique VPS is required for X-Payments - it says X-Payments can run in a shared environment, if it is isolated under its own account.

If you have a VPS already, you could create another account different from the account where your store is installed, and use that for X-Payments.

That second account could be set up to use a sub-domain of your main account, for example, secure.mydomain.com, so it would still be branded to your URL, but allow everything else on your site to be outside the PCI-DSS scope.

That wording also does not exclude setting it up in a second hosting account on the shared server.

I would suspect that it is possible for QT or one of the hosting providers to set up a VPS or dedicated server where they would only host accounts running X-Payments. That server would be set up to pass PCI scans. It would only have accounts running X-Payments. If X-Payments usage requirements are low, they could host many accounts on the same server and hopefully get the hosting cost down. Only X-Payments would be allowed to run on that server, and all the unique X-Payments instances are isolated by account, meeting the QT recommendation, and actually exceeding it in that no other software is running there. I believe they could set it up so you could point a subdomain with your branding URL to it with a CNAME or A record.

(Eventually - they might sell such accounts preloaded with X-Payments installed, a dedicated IP and SSL ready to go.)

You might try contacting QT and the X-Cart hosting providers like Hands-on, EWD, BCSE, HardHat, and see if this is even possible, and if they would be willing to use you and any others currently using shared hosting as a test case.

You never know - they might see an opportunity with something like that.

(But, for an individual merchant - there are many reasons to already be on a VPS anyway, so you might pursue that first if it can fit your budget.)

__________________
X-CART (4.1.9,12/4.2.2-3/4.3.1-2/4.4.1-5)-Gold
(CDSEO, Altered-Cart On Sale, BCSE Preorder Backorder, QuickOrder, X-Payments, BCSE DPM Module)

#45 - 06-18-2012, 06:22 PM
Manic (Senior Member, Join Date: Dec 2007, Posts: 127)

Re: PCI Compliance

Yes, EWD Hosting have helped me set up X-Payments hosting.

My main X-Cart store will stay put, as is, on shared hosting.

X-Payments will be hosted on another server, with the bare minimum of features on this account so it complies with PCI standards. An SSL certificate will be applied to X-Payments.

Now I'm waiting for Qualiteam to install X-Payments and connect it to the X-Cart store. Hope everything will go smoothly.
__________________
X-Cart Gold 4.1.9
Smart Search (from Altered Cart)
DSEFU Pro
Product Meta Tags Plus
Category Meta Title Control
Latest Additions (BCSE)
Remember Me login
FireTank's Feed Manager
Lightbox (BCSE)
EWD Hosting
X-Cart forums © 2001-2018