PCI Compliance

As of July 1, 2010 you cannot accept credit cards through a shopping cart that is not PCI compliant.

Dear client,

Recently, we received many questions regarding new PCI compliance requirements and how they are related to X‐Cart. There is a lot of confusion around that so we collected the information below for your review. We will be updating this article with more information as we receive it.

As of July 1, 2010 you cannot accept credit cards through a shopping cart that is not PCI compliant. The truth is, most shopping cart solutions available today are not PCI compliant and many are not even considering becoming compliant. As of right now, the X-Cart shopping cart is not compliant, so this applies to all merchants using this software.

Most merchant account providers are not going to shut you down on June 1 if you aren’t compliant, but you’ll need to address this as soon as possible. Below are three payment processing scenarios and options to comply:

Scenario 1
A customer adds items to their cart on your site. After they click “checkout” they are redirected outside of your site to an off-site payment processor, such as Google Checkout or PayPal Standard.
Below is the list of several popular off-site payment methods:

  • PayPal Standard and Express Checkout (http://www.PayPal.com)
  • Google Checkout (http://checkout.google.com)
  • PayFlow Link (http://www.PayPal.com)
  • 2Checkout (http://2Checkout.com)
  • Authorize.net SIM (not AIM) (http://www.authorize.net)
  • CyberSource Hosted Order Page (http://www.CyberSource.com/)

At no point does a customer enter credit card information while on your website. In this scenario you would need to pass SAQ “A”:

https://www.pcisecuritystandards.org/saq/docs/aoc_saq_a.doc

If your site ever passes, stores, or transmits credit card data then you are not in this category and should read the next section.

Scenario 2
A customer adds items to their cart on your site. When they click “checkout” they remain on your site and fill in their personal information, including their credit card information. When the customer clicks submit, the credit card information is sent to a payment processor (like Authorize.net), which returns a unique token id for you to reference. At no point do you ever store the credit card number (encrypted or not) or the CVV2 value. By “at no point” I mean never: not for a millisecond, not for 10 minutes until you can process it manually, never. You may store a masked PAN (4xxxxxxxxxxxxxxx1111). Examples of popular payment gateways that are affected by the new standards are:

  • PayPal Website Payments Pro
  • Authorize.net AIM
  • CyberSource (SOAP Toolkit API)
  • PayPal PayFlow Pro

In this scenario you would need to pass SAQ “C”:

https://www.pcisecuritystandards.org/saq/docs/aoc_saq_c.doc
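The rule that matters in both Scenario 2 and Scenario 3 is the same: the only card-related values that may ever reach your database or log files are a processor token and a masked PAN, and CVV2 must never be written anywhere. The following Python script is an added example (not X-Cart, X-Payments or any gateway's code) that shows the masking the article describes and a small audit that a merchant can run over exported order rows or web-server logs to catch the mistake Scenario 3 warns about. All sample records and the token value are constructed for the example; the card number used is the well-known 4111… test number, not a real account.

```python
import re
from typing import Any

# A candidate PAN is a run of 13 to 19 digits, optionally separated by spaces
# or dashes, that is not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names that hold "sensitive authentication data" under PCI DSS; these
# must never be stored after authorization, not even encrypted.
SENSITIVE_AUTH_KEYS = {"cvv", "cvv2", "cvc", "cid", "track", "pin"}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check.
    Used to cut down false positives: order numbers and phone numbers
    rarely pass, real card numbers always do."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Reduce a full PAN to the storable masked form the article shows:
    first digit kept (identifies the card brand), last four kept,
    everything in between replaced by 'x'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[0] + "x" * (len(digits) - 5) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN found in a string (log line, DB cell)."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def audit_record(record: dict[str, Any]) -> list[str]:
    """Report every way a stored order row would push the merchant into
    SAQ D: a stored CVV2/track/PIN field, or an unmasked PAN in any value."""
    problems = []
    for key, value in record.items():
        if key.lower() in SENSITIVE_AUTH_KEYS:
            problems.append(f"{key}: sensitive authentication data must never be stored")
        if isinstance(value, str) and find_pans(value):
            problems.append(f"{key}: contains an unmasked PAN")
    return problems


if __name__ == "__main__":
    # Constructed sample rows, as if exported from an order table.
    sample_orders = [
        # Correct Scenario 2 storage: processor token plus masked PAN only.
        {"order": 1001, "card": mask_pan("4111 1111 1111 1111"), "token": "tok_constructed_1"},
        # Scenario 3 mistake: full PAN written to the database.
        {"order": 1002, "card": "4111111111111111"},
        # Masked PAN, but CVV2 was kept "just until someone processes it".
        {"order": 1003, "card": "4xxxxxxxxxxx1111", "cvv2": "123"},
        # A ten-digit phone number is not flagged.
        {"order": 1004, "note": "customer phone 5551234567"},
    ]
    for row in sample_orders:
        print(row["order"], audit_record(row) or "ok")

    # Constructed web-server log line showing a PAN leaked via a query string.
    log_line = "GET /checkout.php?order=1002&card=4111%201111%201111%201111 200"
    print("PANs in log:", find_pans(log_line.replace("%20", " ")))
```

Running the audit over a real export is the quick way to learn which scenario you are actually in: if it ever prints a problem, the store is storing card data and SAQ C no longer applies, whatever the checkout flow looks like from the customer's side.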

Solution:
If you want to continue to accept credit cards in your store and keep control over the design of the payment page, you need to install a module called X-Payments, a new interface into which customers enter their credit card details. This add-on is PCI certified and by using it you can pass certification. There are some disadvantages to using that add-on:

  • Installation and configuration is not easy
  • Adds an extra step to your checkout, because the credit card data page is not inside X-Cart
  • It has to be on a server separate from the server with X-Cart installed, because a PCI certified application cannot be on the same server as non-PCI applications (X-Cart, WordPress, etc.)
  • As of June 2010 the ‘final’ version of X-Payments was not released yet. You can download the ‘beta’ version, but will have to upgrade it to a final version after release.
  • X-Payments can only run on PHP 5.3 which is not supported by many control panels yet.
  • In order to use X-Payments, you also need a module called X-Connector. Unfortunately, X-Connector is only available for X-cart version 4.3. Qualiteam said they will release X-Connector for older versions, but there is no release date yet.
  • After you get X-Payments installed, you have to configure it, adjust the template to match your design, and test it.

Scenario 3
A customer adds items to their cart on your site. After they click “checkout” they remain on your site and fill in their personal information, including their credit card information. When the customer clicks submit, the system encrypts the credit card number and saves it in the database. You may keep it for 5 minutes until someone can manually try to process it in the cart, or you may pass the encrypted card data to a system at your office to be processed. Either way, simply by inserting it into a database you instantly fall under SAQ “D”, which is the most complicated certification:

https://www.pcisecuritystandards.org/saq/docs/aoc_saq_d_merchants.doc

Solution:
The only solution is to use X-Payments as described in Scenario 2.

Conclusion
The easiest and fastest way to become fully PCI compliant is to switch to off-site payment method as described in Scenario 1.
If you want to keep using your payment processor and have greater control over the design of the payment page, you may consider X-Payments.

There are 2 ways to do this:

  • Get a separate dedicated server for payment processing. This server has to be PCI compliant, be protected by a firewall and be located at a quality secured PCI certified data center; this will cost at least $400+/mo.
  • Use our shared X-Payments server. We prepared a separate set of servers which do not have any other non-PCI applications installed and run Linux/PHP 5.3 compatible with X-Payments. At this time, we offer this service at no monthly or per-transaction charge for our hosted clients, but there is a setup fee to have everything installed and configured for your store and an annual SSL certificate fee ($30/year). Your X-Payments page will be located on your own sub-domain, like https://payments.yourstoredomain.com, so your customers will not feel like they are leaving your store.

Note: if you want to become PCI certified (and you do not have much choice), you cannot use a popular “One page checkout” add-on “as is” any longer. BCSE Engineering is working on a custom solution to use it with iframes. If you are interested, please contact http://www.bcsengineering.com for more information.

There is an option to ignore all this PCI mumbo-jumbo and continue your business as before. If you do this, you risk losing your merchant account, so you will not be able to process credit card orders in your online store, and you risk heavy fines for non-compliance ($50,000-$200,000).

Note: PCI compliance is your responsibility as a merchant, and we will assist you in this matter as much as possible.
