Options for X-Payment
#1  12-22-2010, 06:01 PM
buging (Member, joined Nov 2010, 14 posts)

Options for X-Payment

Hi all,
I'm planning to use X-Payments. I just have a few clarifications based on my research.

1. On shared hosting, I'll need to have two accounts (and two monthly bills and two SSL certs), one for X-Cart and the other for X-Payments. Is this true?

2. On shared hosting, can I just create a separate directory for X-Payments to fulfill this, and just have a subdomain for it like payments.mydomain.com? (Just one monthly bill plus another SSL cert, or use a wildcard SSL.)

3. If I use a VPS, I assume I can have both X-Cart and X-Payments on the same server? And use the same SSL cert.

Thanks,
Mike
__________________
X-Cart Pro 4.4.1

#2  12-22-2010, 07:03 PM
cflsystems (Veteran, joined Apr 2007, 13,427 posts)

Re: Options for X-Payment

Install it in a subdirectory - www.yourdomain.com/payment or whatever you wanna call it. That way the URL won't change and your site SSL will work just fine.
__________________
Steve Stoyanov
CFLSystems.com
Web Development

#3  12-22-2010, 09:32 PM
buging (Member, joined Nov 2010, 14 posts)

Re: Options for X-Payment


Thanks Steve!
__________________
X-Cart Pro 4.4.1

#4  12-23-2010, 01:06 PM
Steel (eXpert, joined Dec 2006, 253 posts)

Re: Options for X-Payment


Hello Steve,

Are you sure about the subdirectory configuration being compliant on a shared hosting server? I am under the impression that this does not meet the PCI PA/DSS requirement.

Although it looks like a viable option, it is not clear to me if even the following meets the requirements:
http://www.bcsengineering.com/PCI_PA_DSS_Compliance_Transition_X-cart.pdf?MMCF_June10b

I suspect PCI PA/DSS is not completely sorted out.

Perhaps Alex Mulin can provide clarification on the requirements for compliance on a shared server as per the team that provided X-Cart with the certification.

Ralph Day, do you have any current thoughts on this?
__________________
X-Cart Gold v4.6.6

#5  12-23-2010, 01:51 PM
cflsystems (Veteran, joined Apr 2007, 13,427 posts)

Re: Options for X-Payment


You can install in a subdirectory and be compliant; I don't see a problem with that. Your question is more like: can X-Payments be installed on shared hosting and be compliant?
__________________
Steve Stoyanov
CFLSystems.com
Web Development

#6  12-23-2010, 02:13 PM
BritSteve (eXpert, joined Apr 2006, 339 posts)

Re: Options for X-Payment


According to the documentation, you can only be compliant on a shared server if all of the IP addresses on the server are scanned. This effectively means that all other websites on the shared server must pass the scans and be compliant. If one of the other websites uses an out-of-date version of something like WordPress, then you will fail PCI compliance.

https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf

Page 3.

"11. The ASV must scan Virtual Hosts
It is common practice when using a shared hosting environment that a single server will host more than one web site. In this case, the merchant shares the server with the hosting company's other customers. This could lead to the merchant's web site being exploited through other web sites on the host's server.
All merchants whose web sites are hosted must request their hosting provider to scan their entire Internet-facing IP range and demonstrate compliance while merchants are required to have their own domains scanned."

Steve
__________________
Version 4.1.8 & 4.1.9
ezcheckout4.1.x
cdseolinks2
product_metatags41x
shipping_per_product41x

http://www.earthsmagic.com

#7  12-23-2010, 09:43 PM
hramani (Advanced Member, joined Mar 2008, 87 posts)

Re: Options for X-Payment

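Two of the questions in this thread can be checked mechanically before any money is spent: whether the shop's certificate already covers the hostname X-Payments would answer on (a subdirectory keeps the shop hostname; a subdomain needs its own certificate or a wildcard), and which other sites share the Internet-facing IP that the ASV scanning procedure quoted above puts in scope. The script below is an added example written for this thread, not code from the thread, X-Cart or Qualiteam; every hostname, IP address (RFC 5737 documentation ranges) and SAN list in it is constructed sample data, and the wildcard rule it applies is the one-label match from RFC 6125.

```python
"""Added example (not from the thread): certificate coverage and ASV scan
scope for a planned X-Payments hostname.

1. Certificate coverage. A subdirectory (www.example.com/payment) keeps the
   shop's hostname, so the shop certificate already covers it. A subdomain
   (payments.example.com) needs its own certificate or a wildcard, and a
   wildcard '*.example.com' matches exactly one label (RFC 6125): it covers
   'payments.example.com' but not 'example.com' or 'a.b.example.com'.
2. Scan scope. Every hostname behind one shared Internet-facing IP is in
   that IP's scan scope, so grouping hostnames by IP shows which other
   tenants' sites the payment host is sharing a scan with.

All hostnames, IPs and SAN lists below are constructed sample data."""

from collections import defaultdict


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly '*.domain') against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # Wildcard: the leftmost label must be exactly '*' and it stands for
    # exactly one non-empty label of the hostname.
    suffix = pattern[1:]                       # '.example.com'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def cert_covers(san_names: list, hostname: str) -> bool:
    """True if any name in the certificate's SAN list covers the hostname."""
    return any(hostname_matches(name, hostname) for name in san_names)


def scan_scope(host_to_ip: dict) -> dict:
    """Group hostnames by the IP they resolve to.

    Every hostname behind one IP shares that IP's ASV scan scope."""
    by_ip = defaultdict(list)
    for host, ip in host_to_ip.items():
        by_ip[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


def payments_host_report(payments_host: str, san_names: list, host_to_ip: dict) -> dict:
    """Summarise both checks for the hostname X-Payments would answer on."""
    scope = scan_scope(host_to_ip)
    sharing = [h for h in scope.get(host_to_ip[payments_host], []) if h != payments_host]
    return {
        "host": payments_host,
        "cert_covers_host": cert_covers(san_names, payments_host),
        "hosts_sharing_ip": sharing,
    }


# Constructed sample data: a shared-hosting IP with another tenant on it,
# and a VPS IP that only the merchant uses.
SHOP_CERT_SANS = ["www.example.com", "example.com"]       # plain shop cert
WILDCARD_SANS = ["*.example.com", "example.com"]          # wildcard cert
HOST_TO_IP = {
    "www.example.com": "203.0.113.10",
    "payments.example.com": "203.0.113.10",
    "blog.other-tenant.example": "203.0.113.10",          # someone else's site
    "vps.example.com": "203.0.113.20",
}


if __name__ == "__main__":
    # Subdirectory option: the shop hostname itself, already covered.
    print(payments_host_report("www.example.com", SHOP_CERT_SANS, HOST_TO_IP))
    # Subdomain option with the plain shop cert: not covered.
    print(payments_host_report("payments.example.com", SHOP_CERT_SANS, HOST_TO_IP))
    # Subdomain with the wildcard cert: covered, but still sharing scan scope.
    print(payments_host_report("payments.example.com", WILDCARD_SANS, HOST_TO_IP))
```

The report for `payments.example.com` with the plain shop certificate comes back uncovered, which is the extra certificate (or wildcard) the original poster was asking about; the same host with the wildcard certificate is covered but still lists `blog.other-tenant.example` as sharing its IP, which is the shared-scan exposure BritSteve describes. Only the VPS host comes back with an empty sharing list.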

Quote:
Originally Posted by buging
hi all,
1. on shared hosting, i'll need to have two accounts (and two monthly bills and two SSL certs). one for x-cart and the other for x-payment. is this true?

My experience with Qualiteam on the X-Payments installation:
Yes, this is correct.

Quote:
Originally Posted by buging
hi all,
3. If i use a VPS, i assume i can have both x-cart and x-payment on the same server? And use the same SSL cert.


You cannot use the same SSL cert.
Answer given to me by QT:
Since all sensitive data is sent to X-Payments, it is enough to have the sub domain secure.
But if you wish, you can secure both.
__________________
Harish R
5.3.4.5
Under Development

#8  12-24-2010, 12:43 AM
Steel (eXpert, joined Dec 2006, 253 posts)

Re: Options for X-Payment


This discussion is not definitive enough unless the SAQ path is specified.

Perhaps I am way off on this, but I am under the impression that if one accepts the SAQ D path, then having a dedicated server is not a problem.

So, I am making the assumption that the original questions related to: what is the least expensive, most practical solution/configuration for utilizing X-Payments. If this is the question, then odds are that SAQ C will be the chosen compliance path.

From bcs engineering:
http://www.bcsengineering.com/PCI_PA_DSS_Compliance_Transition_X-cart.pdf?MMCF_June10b

Quote:
PCI compliance requires that certified and noncertified processes be run on different servers (see SAQ D section 2.2.1). As a result, certified code (XPayments) cannot run on a machine that is also running uncertified code (XCart). XPayments must run on a separate server to be fully compliant. Many companies cannot afford to have a second server that is dedicated to running software such as XPayments.

As a solution, BCS Engineering is providing XPayments software as a service on a PCI-compliant system for a much lower cost than a second dedicated host. BCS Engineering's Hosted XPayments solution is also cheaper than a virtual host. Not all virtual hosts can be considered PCI-compliant and are not all equal. Very cheap virtual hosts can be considered, from a security standpoint, to be equivalent to a shared hosting solution.

A big part of the confusion seems to relate to interpretation of the PCI rules. What would be most helpful (and seems to be lacking) is for X-Payments to specifically address various configuration options and their associated set-up.

I think the problem is that this is a new frontier, and the first explorers have paid a heavy price for their findings, and are (logically) not willing to share it with others without (in some cases heavy) compensation. The other issue is that no one has all the answers and the solutions are still being tested and sorted out.

Mike, have you made the decision which SAQ hoop you are willing to jump through?

BritSteve, what is your solution?

Harry K, did Qualiteam address the SAQ options/requirement with you?

Is anyone using BCS Engineering's Hosted X-Payments solution?

My question is: What options/solutions are users finding to be the least expensive/most practical for implementing X-Payments in a PCI DSS compliant manner that qualifies for SAQ C?

Thanks
__________________
X-Cart Gold v4.6.6

#9  12-24-2010, 05:58 AM
BritSteve (eXpert, joined Apr 2006, 339 posts)

Re: Options for X-Payment


It gets very complicated.

SAQ-D v2, which was updated on October 28th 2010, says the following.

"2.2.1 (a) Is only one primary function implemented per server, to prevent functions that require different security levels from co-existing on the same server? (For example, web servers, database servers, and DNS should be implemented on separate servers.)"

This is slightly different from the previous version which just said
"2.2.1. Is only one primary function implemented per server?"

So in the new version, they tried to clarify the requirements, and they specifically state that a database needs to be on a separate server, but they don't say anything about payment applications.

You need to consider that other carts that are now PCI compliant do not have a separate payments system. The payments part is included in the main cart, and the cart is compliant. So this does suggest that a payment section or module does not need to be on a separate server. This is still open to interpretation though.

But, you only need to complete SAQ-D if you are storing credit card numbers. If you don't, then you fall back to SAQ-C.

There are major differences between SAQ-C and SAQ-D. For SAQ-D, one of them is that you will have to conduct an intrusion detection once a year. This means that a white hat hacker will try to break into your system and get credit card numbers from your server. This intrusion test will cost you between $5k and $30k.

I don't think anyone here stores credit card numbers; the cost and work involved in implementing SAQ-D makes it very difficult to pass.

Now SAQ-C does not have the same requirements as SAQ-D, and there is no mention of having to have separate servers for anything else, so if you qualify for SAQ-C, i.e. do not store credit card numbers, then you can have the web application, database and any other sub-system on the same server.

So, if you are not storing credit card numbers, look at the much smaller SAQ-C; it doesn't say that you need more than one server, so X-Payments can live on the same server as X-Cart. I disagree with BCSE on this one unless you are storing credit card numbers, which should not be anyone here.

See my previous post above for the rules on shared servers and scanning, so you can't be PCI compliant without having all websites on your shared server scanned and given a passing grade. However, I am not sure if this would apply to VPS, and maybe one of the hosts here can weigh in with their opinion on whether VPS servers need to be scanned.

Steve
__________________
Version 4.1.8 & 4.1.9
ezcheckout4.1.x
cdseolinks2
product_metatags41x
shipping_per_product41x

http://www.earthsmagic.com

#10  12-24-2010, 11:29 AM
Steel (eXpert, joined Dec 2006, 253 posts)

Re: Options for X-Payment


BritSteve, thanks for the PCI new version notice.

A couple bits and pieces:

https://www.pcisecuritystandards.org/merchants/
Quote:
Note that enforcement of merchant compliance is managed by the individual payment brands and not by the Council – the same is true for non-compliance penalties.

https://www.pcisecuritystandards.org/documents/pa-dss_v2.pdf
Quote:
Software vendors are required to provide a PA-DSS Implementation Guide to instruct their customers and resellers/integrators on secure product implementation, to document the secure configuration specifics mentioned throughout this document, and to clearly delineate vendor, reseller/integrator, and customer responsibilities for meeting PCI DSS requirements. It should detail how the customer and/or reseller/integrator should enable security settings within the customer's network.
Payment applications, when implemented according to the PA-DSS Implementation Guide, and when implemented into a PCI DSS-compliant environment, should facilitate and support customers' PCI DSS compliance.

So, does the X-Payments PA-DSS Implementation Guide state that it is OK to install X-Payments in a subdirectory, and that this configuration can qualify for SAQ C? I do not find it, and this seems to be SMO.
__________________
X-Cart Gold v4.6.6
X-Cart forums © 2001-2018