Options for X-Payment
X-Cart forums > Considering X-Cart > Considering using X-Cart for my project
#11
12-24-2010, 11:41 AM
BritSteve (eXpert; Join Date: Apr 2006; Posts: 339)
Re: Options for X-Payment

I guess it is up to xcart to dictate what the implementation of x-payments should be in order to keep their product within PA-DSS compliance scope, but it will be Qualiteam's interpretation of the requirements. I don't see that installing x-payments in a sub directory is going to make any difference, it is still on the same server. Installing in a sub directory will probably be easier though, and is perhaps how xcart planned the module as a separate entity.

I haven't seen the x-payments documentation, so maybe someone else can let us know what it says about implementation.

Steve
__________________
Version 4.1.8 & 4.1.9
ezcheckout4.1.x
cdseolinks2
product_metatags41x
shipping_per_product41x

http://www.earthsmagic.com
#12
12-24-2010, 12:02 PM
Steel (eXpert; Join Date: Dec 2006; Posts: 253)
Re: Options for X-Payment

X-Payments:PA-DSS implementation guide

http://help.qtmsoft.com/index.php?title=X-Payments:PA-DSS_implementation_guide#Installation


X-Payments:Installation

http://help.qtmsoft.com/index.php?title=X-Payments:Installation
__________________
X-Cart Gold v4.6.6
#13
12-24-2010, 12:52 PM
BritSteve (eXpert; Join Date: Apr 2006; Posts: 339)
Re: Options for X-Payment

The installation notes do not specify whether x-payments needs to be on a different server from x-cart, and it looks like you can extract the files into any directory you want.

"2. Decompress the archive to a web accessible directory on your server or your hosting account."

Doesn't really answer the question.

I think the rules appear to be:

If you don't store credit card numbers and complete SAQ-C, then you can have x-cart, x-payments and your database on the same server. There is nothing in the SAQ-C that states that the applications and databases need to be on separate servers. This would probably apply to most x-cart websites, at least I hope so.

If you do store credit card numbers and complete SAQ-D, then you need to have the database on a different server from x-cart, and x-payments can be on the same server as x-cart. I am not totally convinced on this though, 2.2.1 on SAQ-D is not specific as to whether x-payments would be considered a 'primary function'.

There seems to be little guidance from Qualiteam on this, and it would be really helpful if they contacted their certification company to get definitive answers on this rather than having us speculate on what we need to do to be compliant.

Steve
__________________
Version 4.1.8 & 4.1.9
ezcheckout4.1.x
cdseolinks2
product_metatags41x
shipping_per_product41x

http://www.earthsmagic.com
#14
12-29-2010, 08:12 AM
Steel (eXpert; Join Date: Dec 2006; Posts: 253)
Re: Options for X-Payment

Dear Alex Mulin,

Qualiteam spent a lot of time and money to develop X-Payments as a shopping cart payment processing solution. The company obviously thought that this type of solution was necessary to promote sales of X-Cart, their other carts, as well as offer a solution for other carts that did not have a PCI PA/DSS solution.

My question is: Why the lack of promotion?

What I see, and what I suspect, is that the rules and solutions are still being sorted out. So, did Qualiteam waste the money it spent on developing and having X-Payments certified?

Seems to me that the company that advised on development and certification and/or Qualiteam stopped short of finishing the job. According to the guidelines ( https://www.pcisecuritystandards.org.../pa-dss_v2.pdf ), the X-Payments PA-DSS Implementation Guide should (i) instruct customers and resellers/integrators on secure product implementation, (ii) document the secure configuration specifics, and (iii) clearly delineate vendor, reseller/integrator, and customer responsibilities for meeting PCI DSS requirements. It should detail how the customer and/or reseller/integrator should enable security settings within the customer's network, and Qualiteam should also facilitate and support customers' PCI DSS compliance.

My suggestion is that examples are what is missing from the X-Payments solution, and that examples would go a long way to promoting X-Payments as a viable product.

Qualiteam should provide an example set-up and configuration (with specifics) for (i) small e-commerce merchants looking for an inexpensive solution that would qualify for SAQ C, (ii) a VPS example, (iii) a dedicated server example, (iv) an incubator example for web hosts, and (v) any other practical examples.

Merchants, developers, administrators, and web hosts need payment solutions, and I do not see how X-Payments is providing the solution, unless it is through your installation service, but even then, the lack of response by Harry K suggests that Qualiteam may not have fully apprised him of the SAQ requirement.

If Qualiteam wants to promote and sell X-Payments, then, although I understand that because the rules and solutions are still being sorted out the company may be subjecting itself to litigation, I do not see where providing very specific examples that have satisfied PCI PA/DSS requirements should be a problem, and it would put X-Payments miles ahead of other vague, expensive, over hyped, and non-existent solutions.

Also, in reading other cart message boards looking for how others are solving PCI PA/DSS payment compliance, I am under the impression that the vast majority are ignorant of the requirements and/or in denial. By providing examples, you could also be educating merchants about minimum requirements, and therefore the need for your product as a solution.

Thanks for listening.
__________________
X-Cart Gold v4.6.6
#15
01-04-2011, 05:02 AM
ambal (X-Cart team; Join Date: Sep 2002; Posts: 4,104)
Re: Options for X-Payment

Hi Steel,

Thank you for the suggestion. It looks very interesting indeed. However, I must add that we are not in a good position for advising on some aspects of PCI-DSS as we are not an authorized QSA. But you are correct about some examples of correct implementations. I'll re-post your idea about that to the X-Payments project leader.

Also, you shouldn't think that we stopped development and promotion of X-Payments. We are awaiting approval of our application by the PCI-DSS council and publication of X-Payments on their list of PA-DSS validated applications. I hope it will happen soon and once it happens we will publish an announcement about that on our web-sites and this forum. Before that happens we are limited in our options for promoting X-Payments.
__________________
Sincerely yours,
Alex Mulin
VP of business development for X-Cart
X-Payments project manager
#16
01-06-2011, 08:19 AM
Steel (eXpert; Join Date: Dec 2006; Posts: 253)
Re: Options for X-Payment

Hello Alex,

Thank you for the reply.

I will venture a guess here that 80% to 95% of merchants (your potential customers) will be lucky if they are able to complete SAQ C.

This whole PCI PA/DSS fiasco is nothing more than a smoke and mirrors operation from top to bottom, where the PCI Council has basically dumped a bucket of several incomplete sets of transmission parts on the floor, imposed some deadlines, and said "you sort it out". It's a Catch-22 for any business other than those that can qualify for the SAQ D "tar pit" (thanks Ralph), and for those, they have a fleet of lawyers that will sort it out!

Again, according to the PCI SECURITY STANDARDS COUNCIL guidelines ( https://www.pcisecuritystandards.org.../pa-dss_v2.pdf ), the X-Payments PA-DSS Implementation Guide should (i) instruct customers and resellers/integrators on secure product implementation, (ii) document the secure configuration specifics, and (iii) clearly delineate vendor, reseller/integrator, and customer responsibilities for meeting PCI DSS requirements. It should detail how the customer and/or reseller/integrator should enable security settings within the customer's network, and Qualiteam should also facilitate and support customers' PCI DSS compliance.

If Qualiteam cannot provide basic instructions on whether or not it is ok to place X-Payments in a subdirectory on a shared server (in order to qualify for SAQ C, and be compliant), then how does the company expect to get X-Payments certified?
__________________
X-Cart Gold v4.6.6
#17
01-10-2011, 06:24 AM
Steel (eXpert; Join Date: Dec 2006; Posts: 253)
Re: Options for X-Payment

Some answers from: http://help.qtmsoft.com/index.php?title=X-Payments:FAQ

Can X-Payments be installed on server where my shopping cart software is hosted or do I need a separate web-server?
Both options are allowed. X-Payments can be set up either together with your shopping cart software or on a separate server (X-Payments uses SSL connection to exchange data with your store).

Can X-Payments be installed on a shared hosting?
Yes, provided that a separate account is used for hosting X-Payments. No other software must be installed and run under this account.


So, I suspect that the most secure/practical solution for X-Cart shared hosting set-up is like bcs engineering is proposing, http://www.bcsengineering.com/PCI_PA...f?MMCF_June10b and it looks like a subdirectory configuration with shared hosting is not allowed??

It looks like Emerson also offers a similar solution: https://www.ewdhosting.com/portal/cart.php?gid=15
__________________
X-Cart Gold v4.6.6
#18
01-10-2011, 10:50 AM
bigredseo (X-Man; Join Date: Oct 2002; Location: Omaha, NE, USA; Posts: 2,367)
Re: Options for X-Payment

That's how we have it setup on our hosting accounts also. A separate X-Payments hosting account must be purchased and only X-Payments will operate on that account.

It's a HUGE pain in the butt, but there's no other solution out there other than to NOT use X-Payments.
__________________
Conor Treacy - Big Red SEO - @bigredseo
Search Engine Optimization & Internet Marketing - We Bring Your Website Out Of Hiding!
If you can't be found on Google, Bing or Yahoo, you pretty much don't exist on the Internet.
Omaha SEO Office with National & Local SEO Services
Hourly Consulting - great for SEO Disaster Recovery, Audits and DIY Guidance
#19
09-08-2011, 07:46 AM
Steel (eXpert; Join Date: Dec 2006; Posts: 253)
Re: Options for X-Payment

Does anyone have anything to add to this discussion?

Is anyone using X-Payments and been required to submit SAQ and/or other information for compliance?

Conor, is input from you required for a merchant to pass compliance? Do you have to provide some type of compliance statement for the separate X-Payments hosting account?

Will a separate X-Payments hosting account allow for SAQ C compliance, or is everyone just guessing that it will at this point, and it is still up to the merchant account to make that determination? Has anyone had their merchant account reject this configuration?

Thanks for any additional information.
__________________
X-Cart Gold v4.6.6
#20
09-15-2011, 07:17 PM
Steel (eXpert; Join Date: Dec 2006; Posts: 253)
Re: Options for X-Payment

Hello Alex,

Can you explain the following in more detail?

From X-Payments:FAQ

http://help.qtmsoft.com/index.php?title=X-Payments:FAQ#Can_X-Payments_be_installed_on_server_where_my_shopping_cart_software_is_hosted_or_do_I_need_a_separate_web-server.3F

Can X-Payments be installed on a shared hosting?

Yes, provided that a separate account is used for hosting X-Payments. No other software must be installed and run under this account.


Does this mean that a shared hosting X-Cart account, and a shared hosting X-Payments account, operating on the same server with a variety of other shared hosting accounts would qualify for SAQ C compliance? Or, does it require the additional conditions as outlined by BritSteve in post #6?

"According to the documentation, you can only be compliant on a shared server if all of the IP addresses on the server are scanned. This effectively means that all other websites on the shared server must pass the scans and be compliant. If one of the other websites uses an out of date version of something like Wordpress, then you will fail PCI compliance."
__________________
X-Cart Gold v4.6.6
X-Cart forums © 2001-2018