June 2010

Dear client,

Recently, we received many questions about the new PCI compliance
requirements and how they relate to X-Cart. There is a lot of confusion
around this topic, so we collected the information below for your review. We will be
updating this article with more information as we receive it.

As of July 1, 2010 you cannot accept credit cards through a shopping cart
that is not PCI compliant. The truth is, most shopping cart solutions
available today are not PCI compliant, and many are not even considering becoming
compliant. As of right now, the X-Cart shopping cart is not compliant, so this
applies to all merchants using this software. If you are not sure which
software you are using, please contact support@finestshops.com and we will
verify it for you.

Most merchant account providers are not going to shut you down on June 1 if
you aren't compliant, but you will need to address this as soon as possible. Below
are three payment processing scenarios and the options for complying with each:

Scenario 1

A customer adds items to their cart on your site. After they click "checkout"
they are redirected away from your site to an off-site payment processor, such as
Google Checkout or PayPal Standard.
Below is the list of several popular off-site payment methods:

At no point does the customer enter credit card information while on your
website. In this scenario you would need to pass SAQ "A":

https://www.pcisecuritystandards.org/documents/pci_dss_saq_instr_guide_v2.0.pdf

If your site ever passes, stores, or transmits credit card data then you are
not in this category and should read the next section.

Scenario 2

A customer adds items to their cart on your site. When they click "checkout"
they remain on your site and fill in their personal information, including their
credit card information. When the customer clicks submit, the credit card
information is sent to a payment processor (like Authorize.net), which returns a
unique token id for you to reference. At no point do you ever store the credit
card number (encrypted or not) or the CVV2 value. By "at no point" I mean never: not
for a millisecond, not for 10 minutes until you can process it
manually... never. You may store a masked PAN (4xxxxxxxxxxxxxxx1111). Examples
of popular payment gateways that are affected by the new standards are:

  • PayPal Website Payments Pro
  • Authorize.net AIM
  • CyberSource (SOAP Toolkit API)
  • PayPal PayFlow Pro

In this scenario you would need to pass SAQ “C”:

https://www.pcisecuritystandards.org/documents/pci_dss_saq_instr_guide_v2.0.pdf
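Added example (ours, not code from the article, X-Cart or X-Payments) of the Scenario 2 rule in Python: once the gateway has answered with a token, the store persists only that token and a masked PAN in the article's style, and a Luhn-based check refuses any record that carries a card or CVV2 field or embeds a full card number. The field names, the order id and the token value are assumptions.

```python
import re

# Digit runs of PAN length (13-19); each candidate is confirmed with Luhn below,
# so 16-digit order or invoice numbers are not mistaken for card numbers.
PAN_RE = re.compile(r"\d{13,19}")
FORBIDDEN_FIELDS = {"number", "pan", "card_number", "cvv", "cvv2", "cvc"}


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masked PAN in the article's style: first digit, x's, last four."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid card number")
    return digits[0] + "x" * (len(digits) - 5) + digits[-4:]


def assert_no_cardholder_data(record: dict) -> None:
    """Refuse a record that names a card/CVV field or embeds a Luhn-valid PAN."""
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            raise ValueError(f"field '{key}' must never be stored")
        for run in PAN_RE.findall(re.sub(r"[ -]", "", str(value))):
            if luhn_valid(run):
                raise ValueError(f"field '{key}' contains a full card number")


def persistable_order_record(order_id: str, gateway_token: str, card_form: dict) -> dict:
    """The only thing written to the store database after the gateway answers:
    the token plus a masked PAN. The full number and CVV2 are dropped here."""
    record = {
        "order_id": order_id,
        "gateway_token": gateway_token,
        "masked_pan": mask_pan(card_form["number"]),
    }
    assert_no_cardholder_data(record)
    return record


if __name__ == "__main__":
    # Constructed sample: a checkout form and a hypothetical token from the gateway.
    form = {"number": "4111 1111 1111 1111", "cvv2": "123"}
    print(persistable_order_record("ORD-1001", "tok_constructed_abc", form))
```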

Solution:

If you want to continue to accept credit cards in your store and keep
control over the design of the payment page, you need to install a module called
X-Payments, a new interface into which customers enter their credit card
details. This add-on is PCI certified, and by using it you can pass certification.
There are some disadvantages to using that add-on:

  • Installation and configuration are not easy
  • Adds an extra step to your checkout, because the credit card data page
    is not inside X-Cart
  • As of June 2010 the 'final' version of X-Payments was not released yet.
    You can download the 'beta' version, but will have to upgrade it to the final
    version after release.
  • X-Payments can only run on PHP 5.3, which is not yet supported by many
    control panels and applications.
  • You have to patch your X-Cart to work on PHP 5.3, because versions before 4.3 do not support it.
  • In order to use X-Payments, you also need a module called X-Connector.
    Unfortunately, X-Connector is only available for X-Cart version 4.3.
    Qualiteam said they will release X-Connector for older versions, but there
    is no release date yet. (UPDATE: X-Connector is available for 4.0, 4.1 and 4.2 for $75)
  • After you get X-Payments installed, you have to configure it, adjust the
    template to match your design, and test it.

Scenario 3

A customer adds items to their cart on your site. After they click "checkout"
they remain on your site and fill in their personal information, including their
credit card information. When the customer clicks submit, the system encrypts the
credit card number and saves it in the database. You may keep it for 5 minutes
until someone can manually process it in the cart, or you may pass the
encrypted card data to a system at your office to be processed. Either way,
simply by inserting it into a database you instantly fall under SAQ "D", which is
the most complicated certification:

https://www.pcisecuritystandards.org/saq/docs/aoc_saq_d_merchants.doc

Solution:

The only solution is to use X-Payments as described in Scenario 2, with the addition of this point:

  • X-Payments has to be on a server separate from the server where X-Cart is
    installed, because a PCI certified application cannot be on the same server as
    non-PCI applications (X-Cart, WordPress, etc.) if you save credit card numbers in the database.

Conclusion

A. The easiest and fastest way to become fully PCI compliant is to switch to
an off-site payment method as described in Scenario 1.

B. If you want to keep using your payment processor and have greater control
over the design of the payment page, you have to use X-Payments.

There are two ways to do this:

  • If you do not save credit cards in the database, you can install X-Payments in your X-Cart folder and use it as a bridge for payment processing
  • If you have to save credit cards in the database, or you use some software which is not compatible with the PHP 5.3 required by X-Payments, you have to put X-Payments on a separate server:
    • You can get a separate dedicated server for payment processing. This server has to
      be PCI compliant, be protected by a firewall and be located at a quality, secured,
      PCI certified data center. This will cost at least $400+/mo
    • Use our shared X-Payments server. We prepared a separate set of servers which
      do not have any other non-PCI applications installed and run Linux/PHP 5.3
      compatible with X-Payments. Your X-Payments page will be located on your sub-domain, like
      https://payments.yourstoredomain.com, so your customers will not feel like they are
      leaving your store. Please contact sales for more information:
      sales@finestshops.com

Note: if you want to become PCI certified (and you do not have much choice) and do not want to use an off-site payment method,
you cannot use the popular "One page checkout" add-on "as is" any longer. BCSE
Engineering is working on a custom solution to use it with iframes. If you are
interested, please contact http://www.bcsengineering.com for more information.

There is an option to ignore all this PCI mumbo-jumbo and continue your
business as before. If you do this, you risk losing your merchant account, which means you
will not be able to process credit card orders in your online store, and you may pay
heavy fines for non-compliance ($50,000-$200,000). Note: PCI compliance is your
responsibility as a merchant, and we will assist you in this matter as much as
possible. If you need more information about PCI certification or have any questions,
please contact us at sales@finestshops.com or http://www.myStoreHelp.com

We will be updating this article with more information as we receive it. If
you have any information to add, please email it to sales@finestshops.com or post it as a
comment below.

To your success,

FinestShops Team
Your e-Commerce Outsourcing Company

P.S. We are not PCI experts and collected this information from the forums and the available documentation. Information presented in the article and in the answers below may not be accurate. Please contact your merchant account provider for the detailed requirements and procedures.

Copyright 2010 FINESTSHOPS INC. All trademarks are properties of their respective owners.