blueedge Posted August 20, 2011
Has anyone used or installed X-Payments and the associated "connector" (http://addons.oscommerce.com/info/7510)? It is my understanding that if an osCommerce site directly accepts credit cards (not using a third-party payment site, such as PayPal), Trustwave will not deem the site to be PCI compliant. Has anyone had any experience with Trustwave PCI compliance using an OSC site that directly accepts credit cards? However, it seems that an OSC site can be compliant if it uses X-Payments, since X-Payments is PA-DSS compliant and on Trustwave's list of accepted credit card payment systems. I anxiously await your thoughts and comments.
♥toyicebear Posted August 20, 2011
Read this>>
Basics for osC 2.2 Design - Basics for Design V2.3+ - Seo & Sef Url's - Meta Tags for Your osC Shop - Steps to prevent Fraud... - MS3 and Team News... - SEO, Meta Tags, SEF Urls and osCommerce - Commercial Support Inquiries - OSC 2.3+ How To To see what more I can do for you check out my profile [click here]
Xpajun Posted August 20, 2011
> Read this>>
That post is a bit dated now Nick - I too am PCI level 4 compliant through Elavon and Trustwave - I think the set up now is different, standard e-commerce is a straightforward five-minute job. I had the extra questions because I also accept MOTO payments. The emphasis is on storage of card details - if you do this it must be done securely whether the storage is in electronic or paper form - if you don't store then there is no problem and no need to pay to have non-existent storage checked out. The cost to me was/is £40 per year (about $60?) so a lot cheaper.
My store is currently running Phoenix 1.0.3.0 I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄 ) I used to have a list of add-ons here but I've found that with the ones that supporters of Phoenix get any other add-ons are not really necessary
♥toyicebear Posted August 20, 2011
For smaller merchants who do not store the cc info, it's fairly straightforward and can be done at reasonable cost, as Julian mentioned above. It's basically just a matter of using a PCI compliant payment gateway provider, running some scans (and of course passing those scans) and filling out the correct paperwork.
blueedge (Author) Posted August 20, 2011
So, if credit cards are accepted on an OSC site, but credit card info is not stored, is it correct that a PA-DSS application, such as X-Payments, is not needed in order to be PCI compliant and Trustwave approved?
In Trustwave's PCI Self-Assessment, there is a section called POS Application Compliance. In that section it asks: "Please enter the POS payment applications you use at your business. You can enter either the vendor or product name in the first box, and TrustKeeper will try to find it. Note: If you do not use any payment applications (for example, you use only standalone swipe terminals, or you use a computer with a virtual terminal), please click "Cancel" to bypass this step."
Under this section there are many choices. One choice is "osCommerce." If this option is selected, it states: "Your application has not been certified as PA-DSS compliant, and therefore it may be insecure. You are required to upgrade your POS. Please contact your vendor or reseller to obtain a PA-DSS compliant version."
To me, POS stands for "Point Of Sale" and would relate to a physical checkout, such as a swipe terminal or a cash register with a built-in card swipe. However, if this truly pertains to a physical checkout, why is osCommerce one of the choices? I would think osCommerce would just apply to website checkout and not physical checkout. I'm confused. Just trying to do the right thing.
AlexMulin Posted August 22, 2011
Blueedge,
> So, if credit cards are accepted on an OSC site, but credit card info is not stored, is it correct that a PA-DSS application, such as X-Payments, is not needed to be PCI compliant and Trustwave approved?
No, it is not correct. You still need to use a PA-DSS certified application if your web-site touches credit card info somehow. "Not storing" is not what exempts you from having to be PA-DSS compliant.
blueedge (Author) Posted August 22, 2011
Thanks, AlexMulin. So, any OSC site where credit card info is entered must use a PA-DSS compliant application, such as X-Payments, correct? I have not read very much about X-Payments on the forums. So, does that mean most store owners use third-party processing, or is there an alternative to X-Payments for being PA-DSS compliant? For sites where credit cards are not entered, what are the more popular third-party payment options? How do others weigh the hassle/liability of processing credit cards on their own site versus the hassle and confusion for the customer of sending the customer to a third-party site to enter credit card info?
♥toyicebear Posted August 23, 2011
1. If cc info is entered on your site you need to be PA-DSS compliant, but if it's simply "entered" and then transmitted through a payment gateway, it's fairly easy to be compliant.
2. If on the other hand you do store the cc info then the compliance is much more difficult and costly.
3. If you use a payment processor where the customer enters the cc info on the payment processor's web pages then you do not need to be compliant.
Popular options for third-party processors are for instance PayPal, WorldPay and 2Checkout, but many of the popular payment gateway providers (like for instance Authorize.Net) also offer alternative solutions where the customer is sent to input cc info on their secure server and then returned back to your shop (allowing you to use your own merchant account).
blueedge (Author) Posted August 23, 2011
Thanks for the reply, toyicebear.
> If cc info is entered on your site you need to be PA-DSS compliant, but if it's simply "entered" and then transmitted through a payment gateway, it's fairly easy to be compliant.
Could you explain what you mean by "it's fairly easy to be compliant"? As I mentioned earlier: In Trustwave's PCI Self-Assessment, there is a section called POS Application Compliance. In that section it asks: "Please enter the POS payment applications you use at your business. You can enter either the vendor or product name in the first box, and TrustKeeper will try to find it. Note: If you do not use any payment applications (for example, you use only standalone swipe terminals, or you use a computer with a virtual terminal), please click "Cancel" to bypass this step." Under this section there are many choices. One choice is "osCommerce." If this option is selected, it states: "Your application has not been certified as PA-DSS compliant, and therefore it may be insecure. You are required to upgrade your POS. Please contact your vendor or reseller to obtain a PA-DSS compliant version."
It appears that Trustwave does not view osCommerce, by itself, to be PA-DSS compliant. So, I don't understand how it is fairly easy to be compliant. How can PA-DSS compliance and Trustwave approval be accomplished?
♥toyicebear Posted August 23, 2011
1. You set up an osCommerce 2.3.1 shop.
2. You run PCI compliance scans on it.
3. You fix any "non-compliance" issues from the scan.
You repeat 2 and 3 until you can run a scan which gives a compliant result.
AlexMulin Posted August 23, 2011
> If cc info is entered on your site you need to be PA-DSS compliant, but if it's simply "entered" and then transmitted through a payment gateway, it's fairly easy to be compliant.
I would be careful stating this. That depends on your business processes too, and on how your QSA understands this requirement. E.g. Authorize.net provides a DPM integration that is "enter credit card on your web-site, but do not store it and just submit via HTTPS POST to Authorize.net for processing". Yes, it does make PA-DSS compliance easier, but Auth.net doesn't advertise DPM as the solution for PA-DSS compliance. They do not even mention PA-DSS on DPM related pages. In most cases "taking credit cards on your web-site" in any form requires you to use "PA-DSS certified something". It can be X-Payments, it can be CRE Secure or it can be something else. Anyway, you'd better consult with your QSA for an exact recommendation. What I do know is that X-Payments is for SAQ C level merchants.
blueedge (Author) Posted August 23, 2011
toyicebear, I don't mean to be argumentative but I do not believe simply passing a PCI scan makes a site (even an osC 2.3.1 site) PA-DSS compliant. It is my understanding that if you accept credit cards on your site, your site must be PA-DSS compliant, and PA-DSS compliance is more than simply passing a PCI scan. I certainly don't mean to imply that I have a firm grasp on this confusing topic. However, based upon my understanding, to be compliant, you either:
1. Do NOT allow customers to enter credit card info on the site. Customers are sent to PayPal or elsewhere for payment.
2. Have a PA-DSS compliant process/software in place for customers to enter credit card info on the site.
blueedge (Author) Posted August 23, 2011
> It can be X-Payments, it can be CRE Secure or it can be something else.
AlexMulin, do you have any experience with X-Payments or CRE Secure? Also, in trying to explore the alternatives, do you have any suggestions for the "something else"?
Xpajun Posted August 23, 2011
There are two basic options for collecting cc information online:
Option 1: collecting the CC details on your site - the payment page is part of your site (i.e. osC) - an integral part of it.
Option 2: transferring the customer to a payment gateway for the CC details to be collected and then transferring them back to your site.
Option 1 means you have to be level 2 or 3 compliant and have checks done to show that while you have the CC details in your storage (even if it is only for a few seconds) those details are secure.
Option 2 means that you don't store CC details on your site - the payment gateway is usually level 1 compliant but you have to be level 4 compliant.
Being level 4 compliant consists of quarterly scans and a yearly questionnaire.
PayPal is not a payment gateway - they use a third-party payment gateway to process CC. If they were a payment gateway you would have to be compliant to use them (may have to be soon anyway).
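Xpajun above and toyicebear earlier in the thread make the same practical point: the cheapest compliance position is to never store card data, and that has to hold for debug logs and error dumps as well as the order record, because a full PAN written to a log file is stored cardholder data whether or not anyone meant to keep it. The following is an added example and is not code from this thread, from osCommerce, or from any product named here. It is a small Python scrubber that finds card-number-shaped digit runs in text, confirms them with the Luhn check, and masks them to the first six and last four digits (the maximum PCI DSS Requirement 3.3 allows to be displayed) before the text is written anywhere. The log lines are constructed for the example, and the `scrub_lines` helper and its format are assumptions for illustration.

```python
import re

# Candidate runs: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not glued onto a longer digit run on either side.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, mask the rest (PCI DSS 3.3 limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(text: str):
    """Mask every Luhn-valid PAN-shaped run in text.

    Returns (scrubbed_text, number_of_pans_masked). Digit runs that merely look
    like a card number but fail Luhn (order numbers, transaction ids) are left
    untouched, which is why Luhn is checked rather than length alone.
    """
    count = 0

    def _repl(m):
        nonlocal count
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)   # drop separators before checking
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return raw

    return _PAN_CANDIDATE.sub(_repl, text), count


def scrub_lines(lines):
    """Hypothetical helper: scrub a batch of log lines, return (lines, total)."""
    out, total = [], 0
    for line in lines:
        scrubbed, n = scrub(line)
        out.append(scrubbed)
        total += n
    return out, total


# Constructed sample log lines (not from any real shop). The card numbers are
# the well-known public test numbers 4111111111111111 and 5555555555554444;
# the order number is 13 digits long but is not Luhn-valid.
SAMPLE_LOG = [
    "2011-08-23 10:14:02 checkout order=1234567890123 card=4111111111111111 cvv=*** amount=49.99",
    "2011-08-23 10:14:05 gateway POST ok order=1234567890123 txn=60023581",
    "2011-08-23 10:15:11 checkout order=1234567890124 card=5555 5555 5555 4444 amount=12.00",
]

if __name__ == "__main__":
    cleaned, found = scrub_lines(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    print(f"{found} PAN(s) masked")
```

Run the scrubber on the way into any sink you do not control the retention of (web server access logs, application error logs, support ticket exports), not afterwards; once a PAN has been written to disk the storage has already happened and is in scope for an assessor.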
wireclothman Posted November 29, 2011
I am looking for some feedback on X-Payments or a similar product. We like the idea of our customers not having to leave our site to enter their credit card information. We are working at getting our site to be PCI compliant and one of the requirements is that we need a PA-DSS certified payment application if we want to allow our customers to enter CC info on our site. osCommerce is not PA-DSS certified as far as I know. The ONLY payment application that I have found that meets the requirements above is X-Payments. Does anyone know of any others that meet the requirements above (PA-DSS certified and customer does not have to leave site) AND that are compatible with osCommerce 2.3.1? Does anyone have any experience with installing X-Payments and getting it to work? A strange thing that has happened is that I contacted the company last week with some questions over the phone and sent them a few emails. The price of their X-Payments software went up from $389 yesterday to $1,189 today. Such a huge price leap is quite strange. Please let me know your thoughts.