https://www.x-payments.com/help/api.php?action=feedcontributions&feedformat=atom&user=Alex+MulinX-Payments Help - User contributions [en]2026-05-01T00:40:46ZUser contributionsMediaWiki 1.31.5https://www.x-payments.com/help/?title=X-Payments:Using_X-Payments_with_Zoey&diff=1316X-Payments:Using X-Payments with Zoey2018-02-01T08:26:45Z<p>Alex Mulin: </p>
<hr />
<div>__NOTOC__<br />
A Zoey store can be connected to [[X-Payments:User_manual|X-Payments]] web-based payment application to process payments from customers and save their credit card data in a PCI DSS compliant way. <br />
<br />
This section provides information on how to connect and use X-Payments with your Zoey store.<br />
<br />
==What's New==<br />
<br />
:* [[X-Payments:What%27s_New_in_X-Payments_Connector_for_Zoey | What's New in X-Payments Connector for Zoey]]<br />
<br />
<br />
==Connecting Zoey to X-Payments==<br />
Connecting your Zoey store to X-Payments includes two consecutive steps:<br />
:* [[X-Payments:Configure the connection to your Zoey store in the X-Payments back end | Configure the connection to your Zoey store in the X-Payments back end]] (Instructions for X-Payments 2.1.1 and later)<br />
:* [[X-Payments:Configure the connection to X-Payments in the Zoey store Control Panel | Configure the connection to X-Payments in the Zoey store Control Panel]] (Zoey Connector 1.8.4 or later )<br />
<br />
==Video tutorials (outdated)==<br />
<br />
:* [[X-Payments:Video_Tutotials_on_Using_X-Payments_with_Zoey | Video Tutotials on Using X-Payments with Zoey]]</div>Alex Mulinhttps://www.x-payments.com/help/?title=X-Payments:PA-DSS_implementation_guide_for_X-Cart_Payments_3&diff=1129X-Payments:PA-DSS implementation guide for X-Cart Payments 32017-11-24T10:29:40Z<p>Alex Mulin: /* Communication */</p>
<hr />
<div>==Introduction==<br />
The purpose of this PA-DSS Implementation Guide is to inform employees of organizations using the X-Cart Payments payment application by Qualiteam Software Limited about the methods and means of protection of account data in the X-Cart Payments software.<br />
<br /><br /><br />
The methods include the need for compliance with the information security standards in the payment card industry developed by the international payment systems Visa and MasterCard - Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). For additional information about PCI DSS, please visit the [https://www.pcisecuritystandards.org/ Official PCI Security Standards Council Site].<br />
<br /><br /><br />
The document provides instructions on how to implement the application in a PCI DSS compliant manner.<br />
<br /><br /><br />
Full product name - X-Cart Payments.<br /><br />
Product version - 3.1.x.<br />
<br /><br /><br />
Any servers used to run the X-Cart Payments payment application must be configured according to this PA-DSS Implementation Guide.<br />
<br /><br /><br />
This PA-DSS Implementation Guide should be updated:<br />
:* at least annually;<br />
:* after changes in the payment application (if required);<br />
:* after changes in the PCI DSS and PA-DSS standards.<br />
<br /><br />
The updated Version of the PA-DSS Implementation Guide has to be sent to all the merchants using X-Cart Payments.<br />
<br /><br /><br />
The history of changes to the X-Cart Payments PA-DSS Implementation Guide is provided in the table below.<br />
<br /><br /><br />
'''Table.1. X-Cart Payments PA-DSS Implementation Guide history of changes''' <br /><br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 10%;"| '''Author'''<br />
! scope="col" style="width: 10%;"| '''Date'''<br />
! scope="col" style="width: 10%;"| '''Number'''<br />
! scope="col" style="width: 60%;"| '''Change description'''<br />
|- style="vertical-align:top;"<br />
| Alex Mulin<br />
| 05/17/2016<br />
| 01<br />
| The original version of the document, designed to meet the requirements of PCI DSS version 3.1 and PA DSS version 3.1<br />
|- <br />
| Alex Mulin<br />
| 05/17/2017<br />
| 02<br />
| The original version of the document, designed to meet the requirements of PCI DSS version 3.2 and PA DSS version 3.2<br />
|- <br />
|}<br />
<br /><br /><br />
<br />
==Data protection==<br />
The PCI DSS and PA-DSS standards prohibit storage of sensitive authentication data (after authorization) or cardholder data in cleartext.<br /><br /><br />
Cardholder data includes:<br />
:* Primary Account Number (PAN) <br />
:* Cardholder Name <br />
:* Expiration Date <br />
:* Service Code <br />
<br /><br />
Sensitive authentication data (SAD) includes: <br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
<br /><br />
X-Cart Payments has the ability to store parts of cardholder data temporarily to perform 3D Secure verification and certain types of transactions for some of the integrated payment processors. During storage, cardholder data is encrypted using RSA 2048 algorithm and AES 256 for key encryption. When its storage period is over, the data is removed automatically via "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks. <br />
<br /><br /><br />
X-Cart Payments may not be configured to store permanently in the database the following types of data: <br />
:* Full PAN<br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature.<br />
<br /><br /> <br />
The payment application masks PAN on display (except for the moment when the user enters the card number).<br />
X-Cart Payments can display masked PAN on the "Payment details" pages and in the "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. The same data (partially masked with asterisks) may be passed via the API to the integrated software products. X-Cart Payments does not have the ability to display full PAN anywhere, and there are no settings that can change this behavior of the user interface.<br />
<br /><br /><br />
<br />
==Data Collected while Testing==<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments: <br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever choose to collect credit card information to troubleshoot a problem that a customer of yours is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access.<br />
#* Only collect a limited amount of data (no more than is needed to solve the problem).<br />
#* Sensitive authentication data must be encrypted during storage. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Sensitive authentication data must be securely deleted immediately after use.<br />
To prevent uncontrolled storage of cardholder data (for example, in case of operating system failure), it is recommended to disable the swap file or move it to a specially prepared encrypted partition.<br />
<br /><br /><br />
==Authentication and access==<br />
The X-Cart Payments payment application has an only user type. This type cannot get access to payment card numbers and does not have any administrative privileges that may affect PA-DSS compliance.<br />
There are no built-in/default user accounts in X-Cart Payments. You must carefully control access to X-Cart Payments. Follow these rules: <br />
:* Restrict the number of employees who have access to X-Cart Payments to only those who have a business need.<br />
:* Always provide unique usernames for each person who needs access.<br />
:* Do not use system-default usernames and/or passwords.<br />
:* Ensure that web server is run under a non-privileged user account and the application has access to the database from a limited privilege user account.<br />
<br /><br />
To set password lifetime:<br />
# Log in to X-Cart Payments.<br />
# Go to Settings -> General Settings.<br />
# In the "User account password lifetime" field, enter the number of days for which the user account password needs to be valid. The maximum allowed password lifetime is 90 days.<br />
The following related rules apply:<br />
:* The minimum password length is 8 characters.<br />
:* A password must contain both numbers and lower- and uppercase characters.<br />
:* The last 4 passwords must be unique.<br />
:* A user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password.<br />
:* A user is logged off after an inactivity period of 15 minutes.<br />
<br /><br /><br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords: <br />
:* For your Web hosting account administration area (Web hosting account where your online store is hosted);<br />
:* For FTP access to the Web server;<br />
:* For Remote Desktop Connection to the Web server (if available);<br />
:* To connect to the MySQL server that contains your store data.<br />
<br /><br />
Linux authentication mechanism is used for login in the servers with running X-Cart Payments.<br />
Accounts for access to the operating system are managed by the Linux administrator.<br />
For Linux operating system accounts, you must configure the following attributes of the password policy:<br />
:* use personal accounts, do not use any group, shared, or generic accounts and passwords;<br />
:* changes to user passwords at least once every 90 days;<br />
:* require a minimum length of at least seven characters;<br />
:* contain both numeric and alphabetic characters;<br />
:* do not use last four passwords used previously;<br />
:* block account after six invalid logon attempts (minimum 30 minutes or until an administrator enables the user ID).<br />
<br /><br />
Two-factor authentication must be used for remote access to the operating system. The authentication methods, also known as factors, are:<br />
:* something you know, such as a password or a passphrase;<br />
:* something you have, such as a token device or a smart card;<br />
:* something you are, such as a biometric.<br />
<br /><br /><br />
<br />
== Logging==<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. Users do not have the ability to disable or change the logging parameters of X-Cart Payments. X-Cart Payments log journal does not contain cardholder data. It is implemented at the source code level. The setting of an event log journal does not require any additional action from users.<br />
The log files are created in the var/log/ directory. In X-Cart Payments 3.1, logs can be viewed via the X-Cart Payments admin back end. <br />Make sure you restrict access to the log files by business need-to-know. <br />
The following types of activity are logged: <br />
:* All actions taken by any individual with root or administrative privileges.<br />
:* Successes and failures of all individual accesses to application sections and functions.<br />
:* Initialization of the audit logs.<br />
:* User sign in and sign out.<br />
<br /><br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to the files access.log and error.log. <br />
Each log event includes: <br />
:* Type of event;<br />
:* Date and time of event;<br />
:* Username and IP address;<br />
:* Success or failure indication;<br />
:* Action which led to the event;<br />
:* Component which led to the event.<br />
<br /><br />
There is also a meta-log which contains information about other log files being created.<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on the server. This software should: <br />
:* warn on a checksum change of any of X-Cart Payments source code files except for the log file and the database files;<br />
:* record any file writing operations related to X-Cart Payments files.<br />
<br /><br /><br />
<br />
==Communication==<br />
LAN channel or other available connection method can be used as a communication channel.<br />
X-Cart Payments payment application supports the following data formats:<br />
{| class="wikitable" width=90%<br />
|-<br />
| scope="col" style="width: 20%;"| '''Protocol'''<br />
| scope="col" style="width: 70%;"| HTTP protocol (RFC 2616: HTTP/1.1) is used for data transfer between client and server <br />
|- style="vertical-align:top;"<br />
| '''Data transmission method'''<br />
| Only encrypted cardholder data (RSA 2048 and AES 256) is transferred. RAW POST method is used for data transmission - (data stream is transmitted in the body of the request that is sent from client to server)<br />
|- style="vertical-align:top;"<br />
| '''Data format'''<br />
| Data is transmitted in XML format (Extensible Markup Language (XML) 1.0) or in plain text using POST query via HTTPS<br />
|- style="vertical-align:top;"<br />
| '''Port'''<br />
| X-Cart Payments payment application uses ports 80, 443 <br />
|- <br />
|}<br />
<br /><br /><br />
'''Network traffic encryption'''<br /><br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for: <br />
:* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
:* providing remote web-based access to the application.<br />
<br /><br />
If you use some tools to remotely access the application, you should encrypt all the communication using such technologies as TLS or IPSEC. <br />
<br /><br />
As per PCI DSS requirement, cardholder data must never be sent unencrypted by email, and X-Cart Payments does meet this requirement never sending cardholder data by email or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br /><br /><br />
'''Enable TLS'''<br /><br />
TLS protects data that is transmitted between a browser and your web server. It is critical that you have TLS enabled on your web server, and one of the first steps you should take after the installation is to enable TLS. <br />
:* Your web server must be configured to use TLS v1.2 protocols with strong encryption (128-bit or longer key is required).<br />
:* You will need to have a certificate issued for your web domain. Read guidelines on installing Comodo's Instant TLS certificates.<br />
<br /><br />
If a web server does not have TLS enabled, X-Cart Payments will not function. <br />
X-Cart Payments does not support remote administrative access. Strong encryption must be used for remote access to the server.<br />
The connection of servers with X-Cart Payments payment application to the Internet must be protected by a firewall. In X-Cart Payments configurations involving more than one server, server connections should take place in network segments separated from the Internet via stateful inspection firewalls.<br />
<br /><br /><br />
'''Wireless communications'''<br /><br />
If you use wireless networking to access X-Cart Payments, it is your responsibility to ensure your wireless security configuration follows the PCI DSS requirements. <br />
:* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
:* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
:* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
:* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
::* Use with a minimum 104-bit encryption key and 24 bit-initialization value.<br />
::* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS.<br />
::* Rotate shared WEP keys quarterly (or automatically if the technology permits).<br />
::* Rotate shared WEP keys whenever there are changes in personnel with access to keys.<br />
::* Restrict access based on media access code (MAC) address.<br />
::* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br /><br /><br />
'''Remote access'''<br /><br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time codes. Detailed information can be found on the [[X-Payments:Two-factor_authentication | X-Payments:Two-factor authentication]] page. <br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following: <br />
:* Change the default settings in the remote access software (for example, change the default passwords and use unique passwords for each customer).<br />
:* Allow connections only from specific (known) IP/MAC addresses.<br />
:* Use strong authentication or complex passwords for logins.<br />
:* Enable encrypted data transmission.<br />
:* Enable account lockout after a certain number of failed login attempts.<br />
:* Configure the system so a remote user must establish a Virtual Private Network ("VPN") connection via a firewall before access is allowed.<br />
:* Enable any logging or auditing functions.<br />
:* Restrict access to customer passwords to authorized reseller/integrator personnel.<br />
:* Establish customer passwords according to PCI DSS requirements.<br />
Qualiteam does not provide software updates via remote access on an automated basis. <br />
<br /><br /><br />
<br />
==Hardware and software==<br />
The following requirements must be met for X-Cart Payments payment application self-service terminals:<br /><br />
'''Operating System'''<br /><br />
Linux Ubuntu 16 or later, Linux Debian 6.0 or later, Linux CentOS 6 or later <br /><br />
'''DBMS'''<br /><br />
My SQL 5.6 or later <br /><br />
'''Software'''<br /><br />
PHP 5.5 or later <br /><br />
Apache 2.4 or later<br />
<br /><br /><br />
<br />
==Product versioning methodology==<br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 15%;"| '''Version number changes'''<br />
! scope="col" style="width: 45%;"| '''Software changes'''<br />
! scope="col" style="width: 15%;"| '''Description'''<br />
! scope="col" style="width: 15%;"| '''PA-DSS changes'''<br />
|- style="vertical-align:top;"<br />
| Version number does not change<br />
| Change of the software name<br />Change of the vendor name<br />
| Changes not related to the software development process<br />
| Administrative<br />
|- style="vertical-align:top;"<br />
| Increment of the minor version number to reflect a change not affecting the certification. For example, change of the version number from 1.0.5 to 1.0.6 (for the certification of 1.0.x)<br />
| - Changes to the user interface <br />- Changes to the database schema <br />- Changes to supported payment gateway integrations / Addition of new payment gateway integrations<br />
| Changes that have no impact on the PA-DSS requirements compliance or Payment Application security<br />
| No Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the second version number. For example, change of the version number from 1.1.* to 1.2.*<br />
| Software changes satisfy the following conditions:<br />- Fewer than 4 sections of the standard (from 1 to 12) involved;<br />- Fewer than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- Less than a half of the software functions (or code) modified;<br />- Changes implemented for compatibility with the updated versions of previously tested OS, DBMS and third party software products.<br />- Addition/removal of supported payment processors.<br />- Recompilation of the source code using a new compiler or different compiler settings.<br />- Changes of the software versioning policy.<br />- Changes of the software not related to security.<br />
| - Changes in the software affecting payment card data mechanisms.<br />- Changes addressing the identified vulnerabilities of the application.<br />- Changes related to the completion of the annual cycle of development (if there are other changes).<br />
| Low Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the first version number. For example, change of the version number from 1.0.* to 2.0.*<br />
| Software changes satisfy the following conditions:<br />- 4 or more sections of the standard (from 1 to 12) involved;<br />- More than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- More than a half of the software functions (or code) modified;<br />- Addition of new supported platforms/OS versions. <br />
| Major changes in the software architecture, global alterations of code<br />
| High Impact<br />
|}<br />
<br /><br />
The release of each new version is accompanied with a notification to all the application users (agents), which indicates the new application version number and a list of main changes in the new version.<br />
<br /><br /><br />
<br />
==New patches and updates delivery==<br />
<br />
New patches, updates, installation instructions and MD5 checksum files are delivered via secure HelpDesk system located at https://secure.x-cart.com using "File Area" section in users accounts there. <br />
We send newsletters about new patches and updates originating from x-cart.com domain name via verified and well-known email delivery system.<br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex Mulinhttps://www.x-payments.com/help/?title=X-Payments:Getting_started&diff=1056X-Payments:Getting started2017-09-25T07:58:39Z<p>Alex Mulin: </p>
<hr />
<div><noinclude>{{XP_manual_TOC}}</noinclude><br />
<br />
'''To begin accepting payments with X-Payments''':<br />
<br />
# [[X-Payments:Installation | Install]] X-Payments.{{Note1 | <b>Note</b>: Installation of X-Payment is not needed if you are using the [https://www.x-payments.com/ X-Payments Hosted] solution.}}<br />
# Log in to the X-Payments back end.<br /><br />X-Payments 3: Before you can log in as administrator, you need to set up a method for two-factor user authentication. For details, see [[X-Payments:Two-factor_authentication | Two-factor authentication (X-Payments 3)]].<br /><br />X-Payments 2.2 and earlier: To log in as administrator, you will need PIN codes. For instructions on logging in to the X-Payments admin back end, watch the video:<br /><youtube>uaIC0wjgBjQ</youtube><br />For more information on PIN codes in X-Payments, see [[X-Payments:Managing PIN codes | Managing PIN codes (X-Payments 2.2 and earlier)]].<br />
# Go to the '[[X-Payments:General_settings | General settings]]' page and adjust the general settings and preferences for your X-Payments installation.<br />
# On the '[[X-Payments:User_manual#Payment_Configurations | Payment Configurations]]' page, configure and enable one or more payment modules you want to use.<br />
# On the '[[X-Payments:User_manual#Online_Stores | Online Stores]]' page, add your store to the list of online stores that you will use with X-Payments and enable it. On the 'Online store details' page for your store, be sure to specify the payment configurations that you will use with this specific store (NB: You will not be able to connect the store to X-Payments without it).<br />
# Open the details of your store for viewing and copy or make note of the connection details needed to connect the store to X-Payments: the configuration bundle, store ID and a set of encryption keys.<br />
# Connect your store to X-Payments.<br />For manuals of X-Payments connectors, see: [[Template:XP_connector_manuals|XP connector manuals]].<br />
# To be able to use 3D-Secure payer authentication service (Verified by VISA, MasterCard Secure Code), [[X-Payments:3D-Secure_settings | configure CardinalCommerce module]] in X-Payments.<br />
# If you are going to grant access to the X-Payments back end to other users, go to the '[[X-Payments:Managing_users | Users]]' section and [[X-Payments:Managing_users | create new user accounts]].<br />{{Note1|It is impossible to create another user with full administrator privileges. Such operations as managing users and managing encryption keys are available only to the root admin user, the one whose profile was created during the installation.}}<br />
# If you are going to store cardholder data, generate [[X-Payments:Encryption_keys | cardholder data encryption keys]].<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
[[Category:X-Payments User Manual]]</div>Alex Mulinhttps://www.x-payments.com/help/?title=X-Payments:PA-DSS_implementation_guide_for_X-Cart_Payments_3&diff=1009X-Payments:PA-DSS implementation guide for X-Cart Payments 32017-07-19T12:36:46Z<p>Alex Mulin: /* Product versioning methodology */</p>
<hr />
<div>==Introduction==<br />
The purpose of this PA-DSS Implementation Guide is to inform employees of organizations using the X-Cart Payments payment application by Qualiteam Software Limited about the methods and means of protection of account data in the X-Cart Payments software.<br />
<br /><br /><br />
The methods include the need for compliance with the information security standards in the payment card industry developed by the international payment systems Visa and MasterCard - Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). For additional information about PCI DSS, please visit the [https://www.pcisecuritystandards.org/ Official PCI Security Standards Council Site].<br />
<br /><br /><br />
The document provides instructions on how to implement the application in a PCI DSS compliant manner.<br />
<br /><br /><br />
Full product name - X-Cart Payments.<br /><br />
Product version - 3.1.x.<br />
<br /><br /><br />
Any servers used to run the X-Cart Payments payment application must be configured according to this PA-DSS Implementation Guide.<br />
<br /><br /><br />
This PA-DSS Implementation Guide should be updated:<br />
:* at least annually;<br />
:* after changes in the payment application (if required);<br />
:* after changes in the PCI DSS and PA-DSS standards.<br />
<br /><br />
The updated Version of the PA-DSS Implementation Guide has to be sent to all the merchants using X-Cart Payments.<br />
<br /><br /><br />
The history of changes to the X-Cart Payments PA-DSS Implementation Guide is provided in the table below.<br />
<br /><br /><br />
'''Table.1. X-Cart Payments PA-DSS Implementation Guide history of changes''' <br /><br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 10%;"| '''Author'''<br />
! scope="col" style="width: 10%;"| '''Date'''<br />
! scope="col" style="width: 10%;"| '''Number'''<br />
! scope="col" style="width: 60%;"| '''Change description'''<br />
|- style="vertical-align:top;"<br />
| Alex Mulin<br />
| 05/17/2016<br />
| 01<br />
| The original version of the document, designed to meet the requirements of PCI DSS version 3.1 and PA DSS version 3.1<br />
|- <br />
| Alex Mulin<br />
| 05/17/2017<br />
| 02<br />
| The original version of the document, designed to meet the requirements of PCI DSS version 3.2 and PA DSS version 3.2<br />
|- <br />
|}<br />
<br /><br /><br />
<br />
==Data protection==<br />
The PCI DSS and PA-DSS standards prohibit storage of sensitive authentication data (after authorization) or cardholder data in cleartext.<br /><br /><br />
Cardholder data includes:<br />
:* Primary Account Number (PAN) <br />
:* Cardholder Name <br />
:* Expiration Date <br />
:* Service Code <br />
<br /><br />
Sensitive authentication data (SAD) includes: <br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
<br /><br />
X-Cart Payments has the ability to store parts of cardholder data temporarily to perform 3D Secure verification and certain types of transactions for some of the integrated payment processors. During storage, cardholder data is encrypted using RSA 2048 algorithm and AES 256 for key encryption. When its storage period is over, the data is removed automatically via "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks. <br />
<br /><br /><br />
X-Cart Payments may not be configured to store permanently in the database the following types of data: <br />
:* Full PAN<br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature.<br />
<br /><br /> <br />
The payment application masks PAN on display (except for the moment when the user enters the card number).<br />
X-Cart Payments can display masked PAN on the "Payment details" pages and in the "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. The same data (partially masked with asterisks) may be passed via the API to the integrated software products. X-Cart Payments does not have the ability to display full PAN anywhere, and there are no settings that can change this behavior of the user interface.<br />
<br /><br /><br />
<br />
==Data Collected while Testing==<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments: <br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever choose to collect credit card information to troubleshoot a problem that a customer of yours is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access.<br />
#* Only collect a limited amount of data (no more than is needed to solve the problem).<br />
#* Sensitive authentication data must be encrypted during storage. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Sensitive authentication data must be securely deleted immediately after use.<br />
To prevent uncontrolled storage of cardholder data (for example, in case of operating system failure), it is recommended to disable the swap file or move it to a specially prepared encrypted partition.<br />
<br /><br /><br />
==Authentication and access==<br />
The X-Cart Payments payment application has an only user type. This type cannot get access to payment card numbers and does not have any administrative privileges that may affect PA-DSS compliance.<br />
There are no built-in/default user accounts in X-Cart Payments. You must carefully control access to X-Cart Payments. Follow these rules: <br />
:* Restrict the number of employees who have access to X-Cart Payments to only those who have a business need.<br />
:* Always provide unique usernames for each person who needs access.<br />
:* Do not use system-default usernames and/or passwords.<br />
:* Ensure that web server is run under a non-privileged user account and the application has access to the database from a limited privilege user account.<br />
<br /><br />
To set password lifetime:<br />
# Log in to X-Cart Payments.<br />
# Go to Settings -> General Settings.<br />
# In the "User account password lifetime" field, enter the number of days for which the user account password needs to be valid. The maximum allowed password lifetime is 90 days.<br />
The following related rules apply:<br />
:* The minimum password length is 8 characters.<br />
:* A password must contain both numbers and lower- and uppercase characters.<br />
:* The last 4 passwords must be unique.<br />
:* A user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password.<br />
:* A user is logged off after an inactivity period of 15 minutes.<br />
<br /><br /><br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords: <br />
:* For your Web hosting account administration area (Web hosting account where your online store is hosted);<br />
:* For FTP access to the Web server;<br />
:* For Remote Desktop Connection to the Web server (if available);<br />
:* To connect to the MySQL server that contains your store data.<br />
<br /><br />
Linux authentication mechanism is used for login in the servers with running X-Cart Payments.<br />
Accounts for access to the operating system are managed by the Linux administrator.<br />
For Linux operating system accounts, you must configure the following attributes of the password policy:<br />
:* use personal accounts, do not use any group, shared, or generic accounts and passwords;<br />
:* changes to user passwords at least once every 90 days;<br />
:* require a minimum length of at least seven characters;<br />
:* contain both numeric and alphabetic characters;<br />
:* do not use last four passwords used previously;<br />
:* block account after six invalid logon attempts (minimum 30 minutes or until an administrator enables the user ID).<br />
<br /><br />
Two-factor authentication must be used for remote access to the operating system. The authentication methods, also known as factors, are:<br />
:* something you know, such as a password or a passphrase;<br />
:* something you have, such as a token device or a smart card;<br />
:* something you are, such as a biometric.<br />
<br /><br /><br />
<br />
== Logging==<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. Users do not have the ability to disable or change the logging parameters of X-Cart Payments. X-Cart Payments log journal does not contain cardholder data. It is implemented at the source code level. The setting of an event log journal does not require any additional action from users.<br />
The log files are created in the var/log/ directory. In X-Cart Payments 3.1, logs can be viewed via the X-Cart Payments admin back end. <br />Make sure you restrict access to the log files by business need-to-know. <br />
The following types of activity are logged: <br />
:* All actions taken by any individual with root or administrative privileges.<br />
:* Successes and failures of all individual accesses to application sections and functions.<br />
:* Initialization of the audit logs.<br />
:* User sign in and sign out.<br />
<br /><br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to the files access.log and error.log. <br />
Each log event includes: <br />
:* Type of event;<br />
:* Date and time of event;<br />
:* Username and IP address;<br />
:* Success or failure indication;<br />
:* Action which led to the event;<br />
:* Component which led to the event.<br />
<br /><br />
There is also a meta-log which contains information about other log files being created.<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on the server. This software should: <br />
:* warn on a checksum change of any of X-Cart Payments source code files except for the log file and the database files;<br />
:* record any file writing operations related to X-Cart Payments files.<br />
<br /><br /><br />
<br />
==Communication==<br />
LAN channel or other available connection method can be used as a communication channel.<br />
X-Cart Payments payment application supports the following data formats:<br />
{| class="wikitable" width=90%<br />
|-<br />
| scope="col" style="width: 20%;"| '''Protocol'''<br />
| scope="col" style="width: 70%;"| HTTP protocol (RFC 2616: HTTP/1.1) is used for data transfer between client and server <br />
|- style="vertical-align:top;"<br />
| '''Data transmission method'''<br />
| Only encrypted cardholder data (RSA 2048 and AES 256) is transferred. RAW POST method is used for data transmission - (data stream is transmitted in the body of the request that is sent from client to server)<br />
|- style="vertical-align:top;"<br />
| '''Data format'''<br />
| Data is transmitted in XML format (Extensible Markup Language (XML) 1.0) or in plain text using POST query via HTTPS<br />
|- style="vertical-align:top;"<br />
| '''Port'''<br />
| X-Cart Payments payment application uses ports 80, 443 <br />
|- <br />
|}<br />
<br /><br /><br />
'''Network traffic encryption'''<br /><br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for: <br />
:* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
:* providing remote web-based access to the application.<br />
<br /><br />
If you use some tools to remotely access the application, you should encrypt all the communication using such technologies as TLS or IPSEC. <br />
<br /><br />
As per PCI DSS requirement, cardholder data must never be sent unencrypted by email, and X-Cart Payments does meet this requirement never sending cardholder data by email or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br /><br /><br />
'''Enable TLS'''<br /><br />
TLS protects data that is transmitted between a browser and your web server. It is critical that you have TLS enabled on your web server, and one of the first steps you should take after the installation is to enable TLS. <br />
:* Your web server must be configured to use TLS v1.1 or v1.2 protocols with strong encryption (128-bit or longer key is required).<br />
:* You will need to have a certificate issued for your web domain. Read guidelines on installing Comodo's Instant TLS certificates.<br />
<br /><br />
If a web server does not have TLS enabled, X-Cart Payments will not function. <br />
X-Cart Payments does not support remote administrative access. Strong encryption must be used for remote access to the server.<br />
The connection of servers with X-Cart Payments payment application to the Internet must be protected by a firewall. In X-Cart Payments configurations involving more than one server, server connections should take place in network segments separated from the Internet via stateful inspection firewalls.<br />
<br /><br /><br />
'''Wireless communications'''<br /><br />
If you use wireless networking to access X-Cart Payments, it is your responsibility to ensure your wireless security configuration follows the PCI DSS requirements. <br />
:* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
:* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
:* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
:* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
::* Use with a minimum 104-bit encryption key and 24 bit-initialization value.<br />
::* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS.<br />
::* Rotate shared WEP keys quarterly (or automatically if the technology permits).<br />
::* Rotate shared WEP keys whenever there are changes in personnel with access to keys.<br />
::* Restrict access based on media access code (MAC) address.<br />
::* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br /><br /><br />
'''Remote access'''<br /><br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time codes. Detailed information can be found on the [[X-Payments:Two-factor_authentication | X-Payments:Two-factor authentication]] page. <br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following: <br />
:* Change the default settings in the remote access software (for example, change the default passwords and use unique passwords for each customer).<br />
:* Allow connections only from specific (known) IP/MAC addresses.<br />
:* Use strong authentication or complex passwords for logins.<br />
:* Enable encrypted data transmission.<br />
:* Enable account lockout after a certain number of failed login attempts.<br />
:* Configure the system so a remote user must establish a Virtual Private Network ("VPN") connection via a firewall before access is allowed.<br />
:* Enable any logging or auditing functions.<br />
:* Restrict access to customer passwords to authorized reseller/integrator personnel.<br />
:* Establish customer passwords according to PCI DSS requirements.<br />
Qualiteam does not provide software updates via remote access on an automated basis. <br />
<br /><br /><br />
<br />
==Hardware and software==<br />
The following requirements must be met for X-Cart Payments payment application self-service terminals:<br /><br />
'''Operating System'''<br /><br />
Linux Ubuntu 16 or later, Linux Debian 6.0 or later, Linux CentOS 6 or later <br /><br />
'''DBMS'''<br /><br />
My SQL 5.6 or later <br /><br />
'''Software'''<br /><br />
PHP 5.5 or later <br /><br />
Apache 2.4 or later<br />
<br /><br /><br />
<br />
==Product versioning methodology==<br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 15%;"| '''Version number changes'''<br />
! scope="col" style="width: 45%;"| '''Software changes'''<br />
! scope="col" style="width: 15%;"| '''Description'''<br />
! scope="col" style="width: 15%;"| '''PA-DSS changes'''<br />
|- style="vertical-align:top;"<br />
| Version number does not change<br />
| Change of the software name<br />Change of the vendor name<br />
| Changes not related to the software development process<br />
| Administrative<br />
|- style="vertical-align:top;"<br />
| Increment of the minor version number to reflect a change not affecting the certification. For example, change of the version number from 1.0.5 to 1.0.6 (for the certification of 1.0.x)<br />
| - Changes to the user interface <br />- Changes to the database schema <br />- Changes to supported payment gateway integrations / Addition of new payment gateway integrations<br />
| Changes that have no impact on the PA-DSS requirements compliance or Payment Application security<br />
| No Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the second version number. For example, change of the version number from 1.1.* to 1.2.*<br />
| Software changes satisfy the following conditions:<br />- Fewer than 4 sections of the standard (from 1 to 12) involved;<br />- Fewer than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- Less than a half of the software functions (or code) modified;<br />- Changes implemented for compatibility with the updated versions of previously tested OS, DBMS and third party software products.<br />- Addition/removal of supported payment processors.<br />- Recompilation of the source code using a new compiler or different compiler settings.<br />- Changes of the software versioning policy.<br />- Changes of the software not related to security.<br />
| - Changes in the software affecting payment card data mechanisms.<br />- Changes addressing the identified vulnerabilities of the application.<br />- Changes related to the completion of the annual cycle of development (if there are other changes).<br />
| Low Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the first version number. For example, change of the version number from 1.0.* to 2.0.*<br />
| Software changes satisfy the following conditions:<br />- 4 or more sections of the standard (from 1 to 12) involved;<br />- More than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- More than a half of the software functions (or code) modified;<br />- Addition of new supported platforms/OS versions. <br />
| Major changes in the software architecture, global alterations of code<br />
| High Impact<br />
|}<br />
<br /><br />
The release of each new version is accompanied with a notification to all the application users (agents), which indicates the new application version number and a list of main changes in the new version.<br />
<br /><br /><br />
<br />
==New patches and updates delivery==<br />
<br />
New patches, updates, installation instructions and MD5 checksum files are delivered via secure HelpDesk system located at https://secure.x-cart.com using "File Area" section in users accounts there. <br />
We send newsletters about new patches and updates originating from x-cart.com domain name via verified and well-known email delivery system.<br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex Mulinhttps://www.x-payments.com/help/?title=X-Payments:PA-DSS_implementation_guide_for_X-Cart_Payments_3&diff=1008X-Payments:PA-DSS implementation guide for X-Cart Payments 32017-07-19T12:18:38Z<p>Alex Mulin: /* Logging */</p>
<hr />
<div>==Introduction==<br />
The purpose of this PA-DSS Implementation Guide is to inform employees of organizations using the X-Cart Payments payment application by Qualiteam Software Limited about the methods and means of protection of account data in the X-Cart Payments software.<br />
<br /><br /><br />
The methods include the need for compliance with the information security standards in the payment card industry developed by the international payment systems Visa and MasterCard - Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). For additional information about PCI DSS, please visit the [https://www.pcisecuritystandards.org/ Official PCI Security Standards Council Site].<br />
<br /><br /><br />
The document provides instructions on how to implement the application in a PCI DSS compliant manner.<br />
<br /><br /><br />
Full product name - X-Cart Payments.<br /><br />
Product version - 3.1.x.<br />
<br /><br /><br />
Any servers used to run the X-Cart Payments payment application must be configured according to this PA-DSS Implementation Guide.<br />
<br /><br /><br />
This PA-DSS Implementation Guide should be updated:<br />
:* at least annually;<br />
:* after changes in the payment application (if required);<br />
:* after changes in the PCI DSS and PA-DSS standards.<br />
<br /><br />
The updated Version of the PA-DSS Implementation Guide has to be sent to all the merchants using X-Cart Payments.<br />
<br /><br /><br />
The history of changes to the X-Cart Payments PA-DSS Implementation Guide is provided in the table below.<br />
<br /><br /><br />
'''Table.1. X-Cart Payments PA-DSS Implementation Guide history of changes''' <br /><br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 10%;"| '''Author'''<br />
! scope="col" style="width: 10%;"| '''Date'''<br />
! scope="col" style="width: 10%;"| '''Number'''<br />
! scope="col" style="width: 60%;"| '''Change description'''<br />
|- style="vertical-align:top;"<br />
| Alex Mulin<br />
| 05/17/2016<br />
| 01<br />
| The original version of the document, designed to meet the requirements of PCI DSS version 3.1 and PA DSS version 3.1<br />
|- <br />
| Alex Mulin<br />
| 05/17/2017<br />
| 02<br />
| The original version of the document, designed to meet the requirements of PCI DSS version 3.2 and PA DSS version 3.2<br />
|- <br />
|}<br />
<br /><br /><br />
<br />
==Data protection==<br />
The PCI DSS and PA-DSS standards prohibit storage of sensitive authentication data (after authorization) or cardholder data in cleartext.<br /><br /><br />
Cardholder data includes:<br />
:* Primary Account Number (PAN) <br />
:* Cardholder Name <br />
:* Expiration Date <br />
:* Service Code <br />
<br /><br />
Sensitive authentication data (SAD) includes: <br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
<br /><br />
X-Cart Payments has the ability to store parts of cardholder data temporarily to perform 3D Secure verification and certain types of transactions for some of the integrated payment processors. During storage, cardholder data is encrypted using RSA 2048 algorithm and AES 256 for key encryption. When its storage period is over, the data is removed automatically via "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks. <br />
<br /><br /><br />
X-Cart Payments may not be configured to store permanently in the database the following types of data: <br />
:* Full PAN<br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature.<br />
<br /><br /> <br />
The payment application masks PAN on display (except for the moment when the user enters the card number).<br />
X-Cart Payments can display masked PAN on the "Payment details" pages and in the "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. The same data (partially masked with asterisks) may be passed via the API to the integrated software products. X-Cart Payments does not have the ability to display full PAN anywhere, and there are no settings that can change this behavior of the user interface.<br />
<br /><br /><br />
<br />
==Data Collected while Testing==<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments: <br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever choose to collect credit card information to troubleshoot a problem that a customer of yours is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access.<br />
#* Only collect a limited amount of data (no more than is needed to solve the problem).<br />
#* Sensitive authentication data must be encrypted during storage. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Sensitive authentication data must be securely deleted immediately after use.<br />
To prevent uncontrolled storage of cardholder data (for example, in case of operating system failure), it is recommended to disable the swap file or move it to a specially prepared encrypted partition.<br />
<br /><br /><br />
==Authentication and access==<br />
The X-Cart Payments payment application has an only user type. This type cannot get access to payment card numbers and does not have any administrative privileges that may affect PA-DSS compliance.<br />
There are no built-in/default user accounts in X-Cart Payments. You must carefully control access to X-Cart Payments. Follow these rules: <br />
:* Restrict the number of employees who have access to X-Cart Payments to only those who have a business need.<br />
:* Always provide unique usernames for each person who needs access.<br />
:* Do not use system-default usernames and/or passwords.<br />
:* Ensure that web server is run under a non-privileged user account and the application has access to the database from a limited privilege user account.<br />
<br /><br />
To set password lifetime:<br />
# Log in to X-Cart Payments.<br />
# Go to Settings -> General Settings.<br />
# In the "User account password lifetime" field, enter the number of days for which the user account password needs to be valid. The maximum allowed password lifetime is 90 days.<br />
The following related rules apply:<br />
:* The minimum password length is 8 characters.<br />
:* A password must contain both numbers and lower- and uppercase characters.<br />
:* The last 4 passwords must be unique.<br />
:* A user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password.<br />
:* A user is logged off after an inactivity period of 15 minutes.<br />
<br /><br /><br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords: <br />
:* For your Web hosting account administration area (Web hosting account where your online store is hosted);<br />
:* For FTP access to the Web server;<br />
:* For Remote Desktop Connection to the Web server (if available);<br />
:* To connect to the MySQL server that contains your store data.<br />
<br /><br />
Linux authentication mechanism is used for login in the servers with running X-Cart Payments.<br />
Accounts for access to the operating system are managed by the Linux administrator.<br />
For Linux operating system accounts, you must configure the following attributes of the password policy:<br />
:* use personal accounts, do not use any group, shared, or generic accounts and passwords;<br />
:* changes to user passwords at least once every 90 days;<br />
:* require a minimum length of at least seven characters;<br />
:* contain both numeric and alphabetic characters;<br />
:* do not use last four passwords used previously;<br />
:* block account after six invalid logon attempts (minimum 30 minutes or until an administrator enables the user ID).<br />
<br /><br />
Two-factor authentication must be used for remote access to the operating system. The authentication methods, also known as factors, are:<br />
:* something you know, such as a password or a passphrase;<br />
:* something you have, such as a token device or a smart card;<br />
:* something you are, such as a biometric.<br />
<br /><br /><br />
<br />
== Logging==<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. Users do not have the ability to disable or change the logging parameters of X-Cart Payments. X-Cart Payments log journal does not contain cardholder data. It is implemented at the source code level. The setting of an event log journal does not require any additional action from users.<br />
The log files are created in the var/log/ directory. In X-Cart Payments 3.1, logs can be viewed via the X-Cart Payments admin back end. <br />Make sure you restrict access to the log files by business need-to-know. <br />
The following types of activity are logged: <br />
:* All actions taken by any individual with root or administrative privileges.<br />
:* Successes and failures of all individual accesses to application sections and functions.<br />
:* Initialization of the audit logs.<br />
:* User sign in and sign out.<br />
<br /><br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to the files access.log and error.log. <br />
Each log event includes: <br />
:* Type of event;<br />
:* Date and time of event;<br />
:* Username and IP address;<br />
:* Success or failure indication;<br />
:* Action which led to the event;<br />
:* Component which led to the event.<br />
<br /><br />
There is also a meta-log which contains information about other log files being created.<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on the server. This software should: <br />
:* warn on a checksum change of any of X-Cart Payments source code files except for the log file and the database files;<br />
:* record any file writing operations related to X-Cart Payments files.<br />
<br /><br /><br />
<br />
==Communication==<br />
LAN channel or other available connection method can be used as a communication channel.<br />
X-Cart Payments payment application supports the following data formats:<br />
{| class="wikitable" width=90%<br />
|-<br />
| scope="col" style="width: 20%;"| '''Protocol'''<br />
| scope="col" style="width: 70%;"| HTTP protocol (RFC 2616: HTTP/1.1) is used for data transfer between client and server <br />
|- style="vertical-align:top;"<br />
| '''Data transmission method'''<br />
| Only encrypted cardholder data (RSA 2048 and AES 256) is transferred. RAW POST method is used for data transmission - (data stream is transmitted in the body of the request that is sent from client to server)<br />
|- style="vertical-align:top;"<br />
| '''Data format'''<br />
| Data is transmitted in XML format (Extensible Markup Language (XML) 1.0) or in plain text using POST query via HTTPS<br />
|- style="vertical-align:top;"<br />
| '''Port'''<br />
| X-Cart Payments payment application uses ports 80, 443 <br />
|- <br />
|}<br />
<br /><br /><br />
'''Network traffic encryption'''<br /><br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for: <br />
:* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
:* providing remote web-based access to the application.<br />
<br /><br />
If you use some tools to remotely access the application, you should encrypt all the communication using such technologies as TLS or IPSEC. <br />
<br /><br />
As per PCI DSS requirement, cardholder data must never be sent unencrypted by email, and X-Cart Payments does meet this requirement never sending cardholder data by email or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br /><br /><br />
'''Enable TLS'''<br /><br />
TLS protects data that is transmitted between a browser and your web server. It is critical that you have TLS enabled on your web server, and one of the first steps you should take after the installation is to enable TLS. <br />
:* Your web server must be configured to use TLS v1.1 or v1.2 protocols with strong encryption (128-bit or longer key is required).<br />
:* You will need to have a certificate issued for your web domain. Read guidelines on installing Comodo's Instant TLS certificates.<br />
<br /><br />
If a web server does not have TLS enabled, X-Cart Payments will not function. <br />
X-Cart Payments does not support remote administrative access. Strong encryption must be used for remote access to the server.<br />
The connection of servers with X-Cart Payments payment application to the Internet must be protected by a firewall. In X-Cart Payments configurations involving more than one server, server connections should take place in network segments separated from the Internet via stateful inspection firewalls.<br />
<br /><br /><br />
'''Wireless communications'''<br /><br />
If you use wireless networking to access X-Cart Payments, it is your responsibility to ensure your wireless security configuration follows the PCI DSS requirements. <br />
:* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
:* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
:* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
:* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
::* Use with a minimum 104-bit encryption key and 24 bit-initialization value.<br />
::* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS.<br />
::* Rotate shared WEP keys quarterly (or automatically if the technology permits).<br />
::* Rotate shared WEP keys whenever there are changes in personnel with access to keys.<br />
::* Restrict access based on media access code (MAC) address.<br />
::* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br /><br /><br />
'''Remote access'''<br /><br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time codes. Detailed information can be found on the [[X-Payments:Two-factor_authentication | X-Payments:Two-factor authentication]] page. <br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following: <br />
:* Change the default settings in the remote access software (for example, change the default passwords and use unique passwords for each customer).<br />
:* Allow connections only from specific (known) IP/MAC addresses.<br />
:* Use strong authentication or complex passwords for logins.<br />
:* Enable encrypted data transmission.<br />
:* Enable account lockout after a certain number of failed login attempts.<br />
:* Configure the system so a remote user must establish a Virtual Private Network ("VPN") connection via a firewall before access is allowed.<br />
:* Enable any logging or auditing functions.<br />
:* Restrict access to customer passwords to authorized reseller/integrator personnel.<br />
:* Establish customer passwords according to PCI DSS requirements.<br />
Qualiteam does not provide software updates via remote access on an automated basis. <br />
<br /><br /><br />
<br />
==Hardware and software==<br />
The following requirements must be met for X-Cart Payments payment application self-service terminals:<br /><br />
'''Operating System'''<br /><br />
Linux Ubuntu 16 or later, Linux Debian 6.0 or later, Linux CentOS 6 or later <br /><br />
'''DBMS'''<br /><br />
My SQL 5.6 or later <br /><br />
'''Software'''<br /><br />
PHP 5.5 or later <br /><br />
Apache 2.4 or later<br />
<br /><br /><br />
<br />
==Product versioning methodology==<br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 15%;"| '''Version number changes'''<br />
! scope="col" style="width: 45%;"| '''Software changes'''<br />
! scope="col" style="width: 15%;"| '''Description'''<br />
! scope="col" style="width: 15%;"| '''PA-DSS changes'''<br />
|- style="vertical-align:top;"<br />
| Version number does not change<br />
| Change of the software name<br />Change of the vendor name<br />
| Changes not related to the software development process<br />
| Administrative<br />
|- style="vertical-align:top;"<br />
| Increment of the minor version number to reflect a change not affecting the certification. For example, change of the version number from 1.0.5 to 1.0.6 (for the certification of 1.0.x)<br />
| - Changes to the user interface <br />- Changes to the database schema <br />- Changes to supported payment gateway integrations / Addition of new payment gateway integrations<br />
| Changes that have no impact on the PA-DSS requirements compliance or Payment Application security<br />
| No Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the second version number. For example, change of the version number from 1.1.* to 1.2.*<br />
| Software changes satisfy the following conditions:<br />- Fewer than 4 sections of the standard (from 1 to 12) involved;<br />- Fewer than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- Less than a half of the software functions (or code) modified;<br />- Changes implemented for compatibility with the updated versions of previously tested OS, DBMS and third party software products.<br />- Addition/removal of supported payment processors.<br />- Recompilation of the source code using a new compiler or different compiler settings.<br />- Changes of the software versioning policy.<br />- Changes of the software not related to security.<br />
| - Changes in the software affecting payment card data mechanisms.<br />- Changes addressing the identified vulnerabilities of the application.<br />- Changes related to the completion of the annual cycle of development (if there are other changes).<br />
| Low Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the first version number. For example, change of the version number from 1.0.* to 2.0.*<br />
| Software changes satisfy the following conditions:<br />- 4 or more sections of the standard (from 1 to 12) involved;<br />- More than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- More than a half of the software functions (or code) modified;<br />- Addition of new supported platforms/OS versions. <br />
| Major changes in the software architecture, global alterations of code<br />
| High Impact<br />
|}<br />
<br /><br />
The release of each new version is accompanied with a notification to all the application users (agents), which indicates the new application version number and a list of main changes in the new version.<br />
<br /><br /><br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex Mulinhttps://www.x-payments.com/help/?title=X-Payments:PA-DSS_implementation_guide_for_X-Cart_Payments_3&diff=1007X-Payments:PA-DSS implementation guide for X-Cart Payments 32017-07-19T12:18:00Z<p>Alex Mulin: </p>
<hr />
<div>==Introduction==<br />
The purpose of this PA-DSS Implementation Guide is to inform employees of organizations using the X-Cart Payments payment application by Qualiteam Software Limited about the methods and means of protection of account data in the X-Cart Payments software.<br />
<br /><br /><br />
The methods include the need for compliance with the information security standards in the payment card industry developed by the international payment systems Visa and MasterCard - Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). For additional information about PCI DSS, please visit the [https://www.pcisecuritystandards.org/ Official PCI Security Standards Council Site].<br />
<br /><br /><br />
The document provides instructions on how to implement the application in a PCI DSS compliant manner.<br />
<br /><br /><br />
Full product name - X-Cart Payments.<br /><br />
Product version - 3.1.x.<br />
<br /><br /><br />
Any servers used to run the X-Cart Payments payment application must be configured according to this PA-DSS Implementation Guide.<br />
<br /><br /><br />
This PA-DSS Implementation Guide should be updated:<br />
:* at least annually;<br />
:* after changes in the payment application (if required);<br />
:* after changes in the PCI DSS and PA-DSS standards.<br />
<br /><br />
The updated Version of the PA-DSS Implementation Guide has to be sent to all the merchants using X-Cart Payments.<br />
<br /><br /><br />
The history of changes to the X-Cart Payments PA-DSS Implementation Guide is provided in the table below.<br />
<br /><br /><br />
'''Table.1. X-Cart Payments PA-DSS Implementation Guide history of changes''' <br /><br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 10%;"| '''Author'''<br />
! scope="col" style="width: 10%;"| '''Date'''<br />
! scope="col" style="width: 10%;"| '''Number'''<br />
! scope="col" style="width: 60%;"| '''Change description'''<br />
|- style="vertical-align:top;"<br />
| Alex Mulin<br />
| 05/17/2016<br />
| 01<br />
| The original version of the document, designed to meet the requirements of PCI DSS version 3.1 and PA DSS version 3.1<br />
|- <br />
| Alex Mulin<br />
| 05/17/2017<br />
| 02<br />
| The original version of the document, designed to meet the requirements of PCI DSS version 3.2 and PA DSS version 3.2<br />
|- <br />
|}<br />
<br /><br /><br />
<br />
==Data protection==<br />
The PCI DSS and PA-DSS standards prohibit storage of sensitive authentication data (after authorization) or cardholder data in cleartext.<br /><br /><br />
Cardholder data includes:<br />
:* Primary Account Number (PAN) <br />
:* Cardholder Name <br />
:* Expiration Date <br />
:* Service Code <br />
<br /><br />
Sensitive authentication data (SAD) includes: <br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
<br /><br />
X-Cart Payments has the ability to store parts of cardholder data temporarily to perform 3D Secure verification and certain types of transactions for some of the integrated payment processors. During storage, cardholder data is encrypted using RSA 2048 algorithm and AES 256 for key encryption. When its storage period is over, the data is removed automatically via "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks. <br />
<br /><br /><br />
X-Cart Payments may not be configured to store permanently in the database the following types of data: <br />
:* Full PAN<br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature.<br />
<br /><br /> <br />
The payment application masks PAN on display (except for the moment when the user enters the card number).<br />
X-Cart Payments can display masked PAN on the "Payment details" pages and in the "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. The same data (partially masked with asterisks) may be passed via the API to the integrated software products. X-Cart Payments does not have the ability to display full PAN anywhere, and there are no settings that can change this behavior of the user interface.<br />
<br /><br /><br />
<br />
==Data Collected while Testing==<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments: <br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever choose to collect credit card information to troubleshoot a problem that a customer of yours is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access.<br />
#* Only collect a limited amount of data (no more than is needed to solve the problem).<br />
#* Sensitive authentication data must be encrypted during storage. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Sensitive authentication data must be securely deleted immediately after use.<br />
To prevent uncontrolled storage of cardholder data (for example, in case of operating system failure), it is recommended to disable the swap file or move it to a specially prepared encrypted partition.<br />
<br /><br /><br />
==Authentication and access==<br />
The X-Cart Payments payment application has an only user type. This type cannot get access to payment card numbers and does not have any administrative privileges that may affect PA-DSS compliance.<br />
There are no built-in/default user accounts in X-Cart Payments. You must carefully control access to X-Cart Payments. Follow these rules: <br />
:* Restrict the number of employees who have access to X-Cart Payments to only those who have a business need.<br />
:* Always provide unique usernames for each person who needs access.<br />
:* Do not use system-default usernames and/or passwords.<br />
:* Ensure that web server is run under a non-privileged user account and the application has access to the database from a limited privilege user account.<br />
<br /><br />
To set password lifetime:<br />
# Log in to X-Cart Payments.<br />
# Go to Settings -> General Settings.<br />
# In the "User account password lifetime" field, enter the number of days for which the user account password needs to be valid. The maximum allowed password lifetime is 90 days.<br />
The following related rules apply:<br />
:* The minimum password length is 8 characters.<br />
:* A password must contain both numbers and lower- and uppercase characters.<br />
:* The last 4 passwords must be unique.<br />
:* A user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password.<br />
:* A user is logged off after an inactivity period of 15 minutes.<br />
<br /><br /><br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords: <br />
:* For your Web hosting account administration area (Web hosting account where your online store is hosted);<br />
:* For FTP access to the Web server;<br />
:* For Remote Desktop Connection to the Web server (if available);<br />
:* To connect to the MySQL server that contains your store data.<br />
<br /><br />
Linux authentication mechanism is used for login in the servers with running X-Cart Payments.<br />
Accounts for access to the operating system are managed by the Linux administrator.<br />
For Linux operating system accounts, you must configure the following attributes of the password policy:<br />
:* use personal accounts, do not use any group, shared, or generic accounts and passwords;<br />
:* changes to user passwords at least once every 90 days;<br />
:* require a minimum length of at least seven characters;<br />
:* contain both numeric and alphabetic characters;<br />
:* do not use last four passwords used previously;<br />
:* block account after six invalid logon attempts (minimum 30 minutes or until an administrator enables the user ID).<br />
<br /><br />
Two-factor authentication must be used for remote access to the operating system. The authentication methods, also known as factors, are:<br />
:* something you know, such as a password or a passphrase;<br />
:* something you have, such as a token device or a smart card;<br />
:* something you are, such as a biometric.<br />
<br /><br /><br />
<br />
== Logging==<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. Users do not have the ability to disable or change the logging parameters of X-Cart Payments. X-Cart Payments log journal does not contain cardholder data. It is implemented at the source code level. The setting of an event log journal does not require any additional action from users.<br />
The log files are created in the var/log/ directory. In X-Cart Payments 3.0, logs can be viewed via the X-Cart Payments admin back end. <br />Make sure you restrict access to the log files by business need-to-know. <br />
The following types of activity are logged: <br />
:* All actions taken by any individual with root or administrative privileges.<br />
:* Successes and failures of all individual accesses to application sections and functions.<br />
:* Initialization of the audit logs.<br />
:* User sign in and sign out.<br />
<br /><br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to the files access.log and error.log. <br />
Each log event includes: <br />
:* Type of event;<br />
:* Date and time of event;<br />
:* Username and IP address;<br />
:* Success or failure indication;<br />
:* Action which led to the event;<br />
:* Component which led to the event.<br />
<br /><br />
There is also a meta-log which contains information about other log files being created.<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on the server. This software should: <br />
:* warn on a checksum change of any of X-Cart Payments source code files except for the log file and the database files;<br />
:* record any file writing operations related to X-Cart Payments files.<br />
<br /><br /><br />
<br />
==Communication==<br />
LAN channel or other available connection method can be used as a communication channel.<br />
X-Cart Payments payment application supports the following data formats:<br />
{| class="wikitable" width=90%<br />
|-<br />
| scope="col" style="width: 20%;"| '''Protocol'''<br />
| scope="col" style="width: 70%;"| HTTP protocol (RFC 2616: HTTP/1.1) is used for data transfer between client and server <br />
|- style="vertical-align:top;"<br />
| '''Data transmission method'''<br />
| Only encrypted cardholder data (RSA 2048 and AES 256) is transferred. RAW POST method is used for data transmission - (data stream is transmitted in the body of the request that is sent from client to server)<br />
|- style="vertical-align:top;"<br />
| '''Data format'''<br />
| Data is transmitted in XML format (Extensible Markup Language (XML) 1.0) or in plain text using POST query via HTTPS<br />
|- style="vertical-align:top;"<br />
| '''Port'''<br />
| X-Cart Payments payment application uses ports 80, 443 <br />
|- <br />
|}<br />
<br /><br /><br />
'''Network traffic encryption'''<br /><br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for: <br />
:* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
:* providing remote web-based access to the application.<br />
<br /><br />
If you use some tools to remotely access the application, you should encrypt all the communication using such technologies as TLS or IPSEC. <br />
<br /><br />
As per PCI DSS requirement, cardholder data must never be sent unencrypted by email, and X-Cart Payments does meet this requirement never sending cardholder data by email or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br /><br /><br />
'''Enable TLS'''<br /><br />
TLS protects data that is transmitted between a browser and your web server. It is critical that you have TLS enabled on your web server, and one of the first steps you should take after the installation is to enable TLS. <br />
:* Your web server must be configured to use TLS v1.1 or v1.2 protocols with strong encryption (128-bit or longer key is required).<br />
:* You will need to have a certificate issued for your web domain. Read guidelines on installing Comodo's Instant TLS certificates.<br />
<br /><br />
If a web server does not have TLS enabled, X-Cart Payments will not function. <br />
X-Cart Payments does not support remote administrative access. Strong encryption must be used for remote access to the server.<br />
The connection of servers with X-Cart Payments payment application to the Internet must be protected by a firewall. In X-Cart Payments configurations involving more than one server, server connections should take place in network segments separated from the Internet via stateful inspection firewalls.<br />
<br /><br /><br />
'''Wireless communications'''<br /><br />
If you use wireless networking to access X-Cart Payments, it is your responsibility to ensure your wireless security configuration follows the PCI DSS requirements. <br />
:* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
:* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
:* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
:* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
::* Use with a minimum 104-bit encryption key and 24 bit-initialization value.<br />
::* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS.<br />
::* Rotate shared WEP keys quarterly (or automatically if the technology permits).<br />
::* Rotate shared WEP keys whenever there are changes in personnel with access to keys.<br />
::* Restrict access based on media access code (MAC) address.<br />
::* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br /><br /><br />
'''Remote access'''<br /><br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time codes. Detailed information can be found on the [[X-Payments:Two-factor_authentication | X-Payments:Two-factor authentication]] page. <br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following: <br />
:* Change the default settings in the remote access software (for example, change the default passwords and use unique passwords for each customer).<br />
:* Allow connections only from specific (known) IP/MAC addresses.<br />
:* Use strong authentication or complex passwords for logins.<br />
:* Enable encrypted data transmission.<br />
:* Enable account lockout after a certain number of failed login attempts.<br />
:* Configure the system so a remote user must establish a Virtual Private Network ("VPN") connection via a firewall before access is allowed.<br />
:* Enable any logging or auditing functions.<br />
:* Restrict access to customer passwords to authorized reseller/integrator personnel.<br />
:* Establish customer passwords according to PCI DSS requirements.<br />
Qualiteam does not provide software updates via remote access on an automated basis. <br />
<br /><br /><br />
<br />
==Hardware and software==<br />
The following requirements must be met for X-Cart Payments payment application self-service terminals:<br /><br />
'''Operating System'''<br /><br />
Linux Ubuntu 16 or later, Linux Debian 6.0 or later, Linux CentOS 6 or later <br /><br />
'''DBMS'''<br /><br />
My SQL 5.6 or later <br /><br />
'''Software'''<br /><br />
PHP 5.5 or later <br /><br />
Apache 2.4 or later<br />
<br /><br /><br />
<br />
==Product versioning methodology==<br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 15%;"| '''Version number changes'''<br />
! scope="col" style="width: 45%;"| '''Software changes'''<br />
! scope="col" style="width: 15%;"| '''Description'''<br />
! scope="col" style="width: 15%;"| '''PA-DSS changes'''<br />
|- style="vertical-align:top;"<br />
| Version number does not change<br />
| Change of the software name<br />Change of the vendor name<br />
| Changes not related to the software development process<br />
| Administrative<br />
|- style="vertical-align:top;"<br />
| Increment of the minor version number to reflect a change not affecting the certification. For example, change of the version number from 1.0.5 to 1.0.6 (for the certification of 1.0.x)<br />
| - Changes to the user interface <br />- Changes to the database schema <br />- Changes to supported payment gateway integrations / Addition of new payment gateway integrations<br />
| Changes that have no impact on the PA-DSS requirements compliance or Payment Application security<br />
| No Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the second version number. For example, change of the version number from 1.1.* to 1.2.*<br />
| Software changes satisfy the following conditions:<br />- Fewer than 4 sections of the standard (from 1 to 12) involved;<br />- Fewer than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- Less than a half of the software functions (or code) modified;<br />- Changes implemented for compatibility with the updated versions of previously tested OS, DBMS and third party software products.<br />- Addition/removal of supported payment processors.<br />- Recompilation of the source code using a new compiler or different compiler settings.<br />- Changes of the software versioning policy.<br />- Changes of the software not related to security.<br />
| - Changes in the software affecting payment card data mechanisms.<br />- Changes addressing the identified vulnerabilities of the application.<br />- Changes related to the completion of the annual cycle of development (if there are other changes).<br />
| Low Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the first version number. For example, change of the version number from 1.0.* to 2.0.*<br />
| Software changes satisfy the following conditions:<br />- 4 or more sections of the standard (from 1 to 12) involved;<br />- More than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- More than a half of the software functions (or code) modified;<br />- Addition of new supported platforms/OS versions. <br />
| Major changes in the software architecture, global alterations of code<br />
| High Impact<br />
|}<br />
<br /><br />
The release of each new version is accompanied with a notification to all the application users (agents), which indicates the new application version number and a list of main changes in the new version.<br />
<br /><br /><br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex Mulinhttps://www.x-payments.com/help/?title=X-Payments:X-Payments-Hosted-FAQ&diff=993X-Payments:X-Payments-Hosted-FAQ2017-05-31T09:24:54Z<p>Alex Mulin: /* What do I need to put as "Callback IP"? */</p>
<hr />
<div>===What do I need to put as "Callback IP"?===<br />
<br />
If you use the X-Payments Hosted solution at "*.x-checkout.com" domain you should use IP address '''98.142.211.162''' (if your account is based on X-Payments v1.x or v2.x) or '''104.200.146.25''' (if X-Payments v3.x).<br />
<br />
If you use X-Payments Hosted at "*.xpayments.com" domain you need to specify '''52.36.122.200'''.<br />
<br />
===How to configure an FTP client to connect to the yourdomain.x-checkout.com to access skins and logs?===<br />
<br />
X-Payments 3.x does not support FTP connections. You can use XP 3.x admin back-end to access skins and logs in this version.<br />
<br />
The instructions below are valid only for X-Payments versions 2.x and earlier.<br />
<br />
To establish an FTP connection, you should use the details from the email received when your account was created:<br />
<br />
:* host: yourdomain.x-checkout.com <br /><br />
:* user: skins@yourdomain.x-checkout.com <br /><br />
:* password: the one that you've received <br /><br />
<br />
Please make sure that the "Explicit FTP over TLS" mode is used. This is required because plain text authentication is not allowed for PCI compliance.<br />
<br />
Instructions for FileZilla FTP Client:<br />
<br />
# Start FileZilla<br />
# Go to File -> Site Manager<br />
# Click New site<br />
# Enter the connection settings:<br />
#* Host: yourdomain.x-checkout.com <br /><br />
#* Port: leave blank <br /><br />
#* Protocol: FTP - File Transfer Protocol <br /><br />
#* Encryption: Require explict FTP over TLS <br /><br />
#* Logon type: Normal <br /><br />
#* user: skins@yourdomain.x-checkout.com <br /><br />
#* password: the one that you've received <br />[[File:Filezilla.png]]<br /><br />
# Click the Connect button<br />
<br />
[[Category:X-Payments User Manual]]</div>Alex Mulinhttps://www.x-payments.com/help/?title=X-Payments:X-Payments-Hosted-FAQ&diff=992X-Payments:X-Payments-Hosted-FAQ2017-05-31T08:26:18Z<p>Alex Mulin: /* What do I need to put as "Callback IP"? */</p>
<hr />
<div>===What do I need to put as "Callback IP"?===<br />
<br />
If you use the X-Payments Hosted solution at "*.x-checkout.com" domain you should use IP address '''98.142.211.162''' if your account is based on X-Payments v1.x or v2.x or '''104.200.146.25''' if X-Payments v3.x<br />
If you use X-Payments Hosted at "*.xpayments.com" domain you need to specify '''52.36.122.200'''.<br />
<br />
===How to configure an FTP client to connect to the yourdomain.x-checkout.com to access skins and logs?===<br />
<br />
X-Payments 3.x does not support FTP connections. You can use XP 3.x admin back-end to access skins and logs in this version.<br />
<br />
The instructions below are valid only for X-Payments versions 2.x and earlier.<br />
<br />
To establish an FTP connection, you should use the details from the email received when your account was created:<br />
<br />
:* host: yourdomain.x-checkout.com <br /><br />
:* user: skins@yourdomain.x-checkout.com <br /><br />
:* password: the one that you've received <br /><br />
<br />
Please make sure that the "Explicit FTP over TLS" mode is used. This is required because plain text authentication is not allowed for PCI compliance.<br />
<br />
Instructions for FileZilla FTP Client:<br />
<br />
# Start FileZilla<br />
# Go to File -> Site Manager<br />
# Click New site<br />
# Enter the connection settings:<br />
#* Host: yourdomain.x-checkout.com <br /><br />
#* Port: leave blank <br /><br />
#* Protocol: FTP - File Transfer Protocol <br /><br />
#* Encryption: Require explict FTP over TLS <br /><br />
#* Logon type: Normal <br /><br />
#* user: skins@yourdomain.x-checkout.com <br /><br />
#* password: the one that you've received <br />[[File:Filezilla.png]]<br /><br />
# Click the Connect button<br />
<br />
[[Category:X-Payments User Manual]]</div>Alex Mulinhttps://www.x-payments.com/help/?title=Blog&diff=977Blog2017-04-26T12:34:22Z<p>Alex Mulin: Created page with "X-Payments blog"</p>
<hr />
<div>X-Payments blog</div>Alex Mulinhttps://www.x-payments.com/help/?title=X-Payments:X-Payments-Hosted-FAQ&diff=976X-Payments:X-Payments-Hosted-FAQ2017-04-20T13:25:53Z<p>Alex Mulin: /* How to configure an FTP client to connect to the yourdomain.x-checkout.com to access skins and logs? */</p>
<hr />
<div>===What do I need to put as "Callback IP"?===<br />
<br />
If you use the X-Payments Hosted solution at "*.x-checkout.com" domain you should use IP address '''98.142.211.162''' if your account is based on X-Payments v1.x or v2.x or '''104.200.146.25''' if X-Payments v3.x<br />
If you use X-Payments Hosted at "*.xpayments.com" domain you need to specify 52.36.122.200.<br />
<br />
===How to configure an FTP client to connect to the yourdomain.x-checkout.com to access skins and logs?===<br />
<br />
X-Payments 3.x does not support FTP connections. You can use XP 3.x admin back-end to access skins and logs in this version.<br />
<br />
The instructions below are valid only for X-Payments versions 2.x and earlier.<br />
<br />
To establish an FTP connection, you should use the details from the email received when your account was created:<br />
<br />
:* host: yourdomain.x-checkout.com <br /><br />
:* user: skins@yourdomain.x-checkout.com <br /><br />
:* password: the one that you've received <br /><br />
<br />
Please make sure that the "Explicit FTP over TLS" mode is used. This is required because plain text authentication is not allowed for PCI compliance.<br />
<br />
Instructions for FileZilla FTP Client:<br />
<br />
# Start FileZilla<br />
# Go to File -> Site Manager<br />
# Click New site<br />
# Enter the connection settings:<br />
#* Host: yourdomain.x-checkout.com <br /><br />
#* Port: leave blank <br /><br />
#* Protocol: FTP - File Transfer Protocol <br /><br />
#* Encryption: Require explict FTP over TLS <br /><br />
#* Logon type: Normal <br /><br />
#* user: skins@yourdomain.x-checkout.com <br /><br />
#* password: the one that you've received <br />[[File:Filezilla.png]]<br /><br />
# Click the Connect button<br />
<br />
[[Category:X-Payments User Manual]]</div>Alex Mulinhttps://www.x-payments.com/help/?title=X-Payments:X-Payments-Hosted-FAQ&diff=975X-Payments:X-Payments-Hosted-FAQ2017-04-20T13:22:52Z<p>Alex Mulin: </p>
<hr />
<div>===What do I need to put as "Callback IP"?===<br />
<br />
If you use the X-Payments Hosted solution at "*.x-checkout.com" domain you should use IP address '''98.142.211.162''' if your account is based on X-Payments v1.x or v2.x or '''104.200.146.25''' if X-Payments v3.x<br />
If you use X-Payments Hosted at "*.xpayments.com" domain you need to specify 52.36.122.200.<br />
<br />
===How to configure an FTP client to connect to the yourdomain.x-checkout.com to access skins and logs?===<br />
<br />
X-Payments 3.x does not support FTP connections. The instructions below are valid only for X-Payments versions 2.x and earlier.<br />
<br />
To establish an FTP connection, you should use the details from the email received when your account was created:<br />
<br />
:* host: yourdomain.x-checkout.com <br /><br />
:* user: skins@yourdomain.x-checkout.com <br /><br />
:* password: the one that you've received <br /><br />
<br />
Please make sure that the "Explicit FTP over TLS" mode is used. This is required because plain text authentication is not allowed for PCI compliance.<br />
<br />
Instructions for FileZilla FTP Client:<br />
<br />
# Start FileZilla<br />
# Go to File -> Site Manager<br />
# Click New site<br />
# Enter the connection settings:<br />
#* Host: yourdomain.x-checkout.com <br /><br />
#* Port: leave blank <br /><br />
#* Protocol: FTP - File Transfer Protocol <br /><br />
#* Encryption: Require explict FTP over TLS <br /><br />
#* Logon type: Normal <br /><br />
#* user: skins@yourdomain.x-checkout.com <br /><br />
#* password: the one that you've received <br />[[File:Filezilla.png]]<br /><br />
# Click the Connect button<br />
<br />
[[Category:X-Payments User Manual]]</div>Alex Mulinhttps://www.x-payments.com/help/?title=X-Payments:How_It_Works&diff=895X-Payments:How It Works2016-12-20T11:04:13Z<p>Alex “Ambal” Mulin: </p>
<hr />
<div><noinclude>{{XP_manual_TOC}}</noinclude><br />
<br />
==X-Payments flow via diagram==<br />
:[[File:XP-diagram.png|700px|border]]<br />
<br />
===API Call===<br />
<br />
1) Store initiates an API call to X-Payments to create a payment (Created payments can be [[X-Payments:User_manual#Viewing_Payments|viewed]] on the 'Payments' page in X-Payments back end). At this step store sends to X-Payments all information about the customer (billing and shipping address) and the products being purchased (product quantities and cost). In addition to that, store instructs X-Payments as to which payment configuration should be used.<br />
<br />
<br />
2) X-Payments validates this initial request from the store: checks whether the requested [[X-Payments:User_manual#Payment_Configurations|payment configuration]] is [[X-Payments:Managing store connections#Editing Online Store Details|active]], whether the payment currency passed on to X-Payments by the store matches the currency specified in the respective payment configuration in X-Payments, and makes some other internal checks; for instance, a check is conducted to ensure that the template files for the page where customers enter cardholder data have not been modified without approval by X-Payments admin. If everything is fine, X-Payments returns a [[X-Payments:API#Response_specification | payment "token"]] to the store (The token serves as a temporary identifier of the payment in X-Payments; it is generated as a result of the API call and is removed after the customer is redirected back to the store when the payment is completed). If a problem is detected, no token is sent to the store, and an internal error is generated in X-Payments. Detailed information about such errors can be found in the X-Payments and X-Cart logs:<br /><br />
* X-Payments: See the <u><xpay-dir>/var/log/api/YYYY-MM-DD/</u> directory<br />
* X-Cart: See the <u><xcart-dir>/var/log/x-errors_xpay_connector-YYMMDD.php</u> file<br />
<br />
===Payment===<br />
<br />
3) Customer is redirected to the X-Payments secure page where the form for entering credit card details is located. If the iframe is used, this redirect is not visible to customer, as the form is embedded into the checkout page.<br />
<br />
<br />
4) Customer enters credit card details and submits the form. These details are sent to the payment gateway along with other data previously received by X-Payments (address details, products being purchased, etc).<br />
<br />
<br />
5) Payment gateway operates with the bank to charge the card (or authorize the funds in case of an "auth only" transaction) and sends back to X-Payments the information about the transaction.<br />
<br />
The log of communication between X-Payments and the payment gateway can be found in the <u><xpay-dir>/var/log/payment/YYYY-MM-DD/</u> directory.<br />
<br />
===Callback from gateway (PayPal) to X-Payments===<br />
<br />
6) Some payment gateways also send back to X-Payments an additional "callback" request. This "callback" request provides detailed information about the transaction and also helps to validate/confirm the transaction. Currently only PayPal Payments PRO operates in X-Payments in such a way. As an additional protection, X-Payments allows you to specify the IP addresses from which the gateway's callback requests can be received. Provided with a list of trusted Call-back IPs for PayPal, X-Payments will only accept "callback" requests coming from PayPal's server and ignore all other requests coming from anywhere else, should such requests be made. The list of PayPal's IP addresses can be found here: https://ppmts.custhelp.com/app/answers/detail/a_id/92<br />
If you wish to use this additional protection, you can enter the necessary IP addresses into [[X-Payments:Configuring_PayPal_payment_modules_in_X-Payments#PayPalPaymentsProPayPalAPIconfsettings|PayPal payment configuration settings]] in X-Payments back end.<br />
<br />
The log of payment gateway callback request processing is saved to the <u><xpay-dir>/var/log/callback/YYYY-MM-DD/</u> directory.<br />
<br />
===Invoice===<br />
<br />
7) Customer is redirected back to the store where the Invoice page is displayed.<br />
If the transaction is declined by the payment gateway for some reason, the error page is displayed. Additional information about the reasons of the transaction being declined can be found in the X-Payments admin back end on the 'Payment details' page.<br />
<br />
<br />
===Callback from X-Payments to the store===<br />
<br />
8) Detailed information about the payment is sent to the store via a "callback" request.<br />
The same functionality ("callback" requests) is used to notify the store if the payment has been changed via X-Payments admin back end; for example, if a secondary transaction took place ('Capture' or 'Void' for an authorized transaction, 'Refund' for a charge).<br />
<br />
X-Cart allows additional protection for callback requests from X-Payments: thus you can specify the IP addresses for X-Payments callbacks in X-Payments connector module settings: http://help.x-cart.com/index.php?title=X-Cart:X-Payments_Connector. X-Cart will accept only those callback requests that come from the specified IP addresses, others will be ignored.<br />
<br />
'''Important''': On some server configurations the IP address from which the callback request comes may not match the IP of the server where X-Payments is installed as illustrated below:<br />
<br />
:[[File:XP-diagram1.png|700px|border]]<br />
<br />
Even if X-Payments is installed on the 172.18.0.3 IP address, and is accessible via web by it, the outgoing request is received from the "proxy" of 172.18.0.0. So, it is recommended to verify the IP address for outgoing HTTPS connections with your hosting provider.<br />
<br />
{{Note|If you use the '''X-Payments Hosted''' plan, you should use IP address '''98.142.211.162''' if your X-Payments account is v1.x or v2.x based or '''104.200.146.25''' if v3.x based.}}<br />
<br />
The log of the X-Payments callback requests processing is saved to the following locations:<br /><br />
* X-Cart: See the <u><xcart-dir>/var/log/x-errors_xpay_connector-YYMMDD.php</u> file if any error occurred.<br />
* X-Payments: See the <u><xpay-dir>/var/log/payment/YYYY-MM-DD/</u> directory for the initial Authorize or Sale (Authorize and Capture at the same time or Auto settle) transaction and <u><xpay-dir>/var/log/admin/YYYY-MM-DD/</u> directory for the secondary Capture, Void or Refund transaction.<br />
<br />
[[Category:X-Payments User Manual]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:FAQ&diff=870X-Payments:FAQ2016-11-22T10:15:14Z<p>Alex “Ambal” Mulin: /* How to enable the use of TLS/SSL SMTP */</p>
<hr />
<div><noinclude>{{Template:XP manual TOC}}</noinclude><br />
==General==<br />
<br />
===What is the X-Cart Payments service?===<br />
<br />
X-Cart Payments is a SaaS (Software as a Service) solution allowing online merchants to use "on-site" or "merchant-hosted" credit card payment methods, like "Authorize.Net AIM", "SagePay - Direct integration", "FirstData Global Gateway - API", "PayPal Payments Pro - Direct Payment", and [[X-Payments:User_manual#Appendix_A._Supported_payment_gateways | many others]] in their integrated shopping carts.<br />
<br />
The service includes:<br />
* An account on a PCI DSS compliant web-hosting;<br />
* An SSL certificate;<br />
* A pre-installed and configured X-Payments application.<br />
<br />
X-Payments (aka X-Cart Payments) is a PA-DSS validated application, a secure bridge between integrated shopping cart software and payment gateways. The application is hosted on a reliable and PCI DSS compliant web-hosting and is secured with SSL. It helps merchants to facilitate their overall PCI DSS compliance and to accept credit card payments securely.<br />
<br />
Besides, X-Cart Payments makes it possible to accept credit card payments right on the checkout page in X-Cart (using the so-called [http://help.x-cart.com/index.php?title=X-Cart:IFrame_One-Step_Checkout_for_X-Payments iFrame One-Step Checkout] feature), while still providing a PCI DSS compliant payment solution for merchants. In other words, customers can pay without ever leaving your website and being redirected to the payment gateway site, in contrast to "off-site" payment methods like "PayPal Payments Standard", "Authorize.Net SIM", "SagePay - Form integration", "FirstData Global Gateway - Connect", etc. This can reassure customers and increase the conversion rates eventually, according to a [http://www.getelastic.com/single-vs-two-page-checkout/ research conducted by Getelastic.com].<br />
<br />
Read more about X-Cart Payments on our website:<br />
* http://www.x-cart.com/extensions/modules/xpayments.html<br />
* http://www.x-cart.com/blog/new-xpayments-plans-introduced.html<br />
<br />
===Which shopping cart software is compatible with X-Payments?===<br />
<br />
X-Payments provides a [[X-Payments:API | web-based API]] allowing your store to submit or retrieve data. The shopping cart software you use for your store must support this API, which means you have to get an appropriate connector mod.<br />
<br />
See the following pages for more info:<br />
<br />
* [https://www.x-payments.com/help/X-Payments:Managing_store_connections#Connecting_an_Online_store How to connect an online store with X-Payments]<br />
* [[X-Payments:API | X-Payments:API]]<br />
* [http://help.x-cart.com/index.php?title=X-Cart:X-Payments_Connector X-Payments Connector]<br />
<br />
===How can I obtain an X-Payments license===<br />
<br />
X-Payments can be purchased at [http://www.x-cart.com/xpayments-pricing.html X-Cart website].<br />
<br />
===How many stores can be connected to a single X-Payments installation?===<br />
<br />
See details at [http://www.x-cart.com/xpayments-pricing.html X-Payments plans page]<br />
<br />
===Can I transfer my X-Payments license and the software to a third party?===<br />
<br />
It is possible for paid X-Payments downloadable licenses, but you need to get our written consent according to the terms and conditions of the [http://www.qtmsoft.com/xpayments-la.html license agreement].<br />
<br />
==Installation and configuration==<br />
<br />
===Why did you include PHP 5.3.0 into the '''X-Payments system''' '''requirements'''? It's relatively new, and many hosts aren't running it yet.===<br />
<br />
According to PCI DSS '''Requirements''' (paragraph 6.1),<br />
<br />
''>> 6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.''<br />
<br />
For PHP "the latest vendor-supplied security patches" means "the latest PHP version", because they do not supply patches. When we started to develop X-Payments, there were two stable versions of PHP available: 5.2.10 and 5.3.0. By the summer of 2010, the time PCI DSS compliance becomes a must, PHP 5.3.x will probably be as widely spread as 5.2.x now. That is why we decided to use some nice improvements of PHP 5.3.0.<br />
<br />
===Can you tell me exactly what it is in v5.3.0 that's so necessary for X-Payments?===<br />
<br />
The PHP development team has [http://www.php.net/archive/2010.php#id2010-12-16-1 announced] the end of support for PHP 5.2; therefore, 5.3 is going to be the earliest PHP version out there. We have used the newest features available in PHP 5.3 to make our software more current and eliminate the need to design and then certify it all over. Thus, PHP 5.3 features a more appropriate implementation of the Singleton pattern and allows to implement widget operations in the viewer using <tt>__invoke</tt>. It also offers numerous other functions that are handy but not available in PHP older than 5.3; for instance, array_replace, array_replace_recursive, etc.<br />
<br />
===Can X-Payments be set up together with old [http://help.x-cart.com/index.php?title=X-Cart:Subscriptions Subscriptions] add-on module to automatically bill subscribers on a regular basis?===<br />
<br />
No, it cannot. X-Cart's old [http://help.x-cart.com/index.php?title=X-Cart:Subscriptions Subscriptions] module is not compatible with X-Payments, and it is not PCI complaint.<br />
The proper way is to use the new X-Payments Subscriptions module for [http://www.x-cart.com/extensions/modules/xpayments_subscriptions.html X-Cart 4] and [http://www.x-cart.com/extensions/addons/x-payments-subscriptions-and-installements.html X-Cart 5.]<br />
<br />
===Why is it not possible to use blank database passwords in X-Payments configuration? That's not a problem for a production copy, but my test system doesn't use passwords usually===<br />
<br />
According to PA-DSS '''requirements''' (paragraph 3.2),<br />
<br />
''>> 3.2 Access to PCs, servers, and databases with payment applications must require a unique user ID and secure authentication.''<br />
<br />
This means that a password must be used to access the database as well. X-Payments doesn't have a test mode, and all the '''requirements''' are checked on the fly as if it were a production copy. X-Payments won't start until all the '''requirements''' are met. That is how we guarantee that the software meets PA-DSS '''requirements'''. If there were a test mode, we would have to add another level of checking, and each such level decreases the security of the software "in the field". That is why we decided to go without some cool features but keep the high level of security.<br />
<br />
===Can X-Payments be installed on server where my shopping cart software is hosted or do I need a separate web-server?===<br />
<br />
Both options are allowed. X-Payments can be set up either together with your shopping cart software provided it is run in a separate PCI compliant hosting space/account or on a separate server (X-Payments uses SSL connection to exchange data with your store).<br />
<br />
===Can X-Payments be installed on a shared hosting?===<br />
<br />
Yes, provided that a separate account is used to host X-Payments. No other software must be installed and run under this account.<br />
<br />
===Can I configure X-Payments to allow my customers to enter their billing address when entering their credit card data?===<br />
<br />
No, you cannot. To edit the billing address, a customer has to go back to the store and edit the billing address in the customer profile at the store.<br />
<br />
===How do I create a different skin for the page where customers enter their cardholder data?===<br />
<br />
To create a different template for the page where your customers enter their cardholder data, you should work with the directories <u><xpayments>/lib/XPay/Templates/</u> and <u><xpayments>/public/templates/</u> .<br />
<br />
* To add a new template, create a file <u><xpayments>/lib/XPay/Templates/<new_template_name>.html</u> and put the HTML code for the new template into the file. Make sure you only put the code between the tags <body> and </body> as it will be automatically included into the general HTML code of the file <u><xpayments>/lib/XPay/Skin/Payment/Home.php</u>. After that you will be able to select the new template from the 'Template' drop-down box at the 'Online store details' page.<br />
<br />
* If you want to use a different CSS style, place the CSS code into the file <u><xpayments>/public/templates/<new_template_name>.css</u>, and it will be linked automatically during the page generation.<br />
<br />
* If you want to use a different set of images, copy the images to the directory <u><xpayments>/public/templates/<new_template_name>/directory</u>.<br />
<br />
===Is it possible to configure X-Payments to have my sales processed manually?===<br />
<br />
No, it is not possible since X-Payments does not allow storing credit card numbers.<br />
<br />
===How can I manually decrypt the LinkPoint key, which is returned encrypted by default?===<br />
<br />
Use the '''openssl''' program in the command line:<br />
<br />
<pre><br />
openssl rsa -in oldkey.pem -out newkey.pem<br />
</pre><br />
<br />
* <tt>oldkey.pem</tt> - name of the encrypted key file provided by LinkPoint<br />
* <tt>newkey.pem</tt> - name of the unencrypted key file to be uploaded to the server<br />
<br />
{{Note1|<b>Notes:</b><br /><br />
<b>1. </b>When prompted to enter a password, enter the one you have received from Link Point. If you are prompted to enter a password again, just press '''Enter''' to leave the output key with no password.<br /><br />
<br /><br />
<b>2. </b>Be sure to set secure permissions on that file once you upload it (generally, the secure permissions are "600").<br /><br />
<br /><br />
<b>3. </b>Be sure to remove the unencrypted key from your local PC.}}<br />
<br />
===My payment method does not appear in the list after a successful import. What should I do?===<br />
<br />
Chances are you want to use PayPal as your payment method. If this is so, you need to [index.php?title=X-Payments:PayPal follow a few additional steps] to get PayPal to work with X-Payments.<br />
<br />
===I'm executing the cron.php script in a browser, but nothing happens===<br />
<br />
If the script is run not in the command line interface (like in a browser in our case), its execution is interrupted due to security reasons.<br />
<br />
To run the script successfully, execute it from the command line and use a PHP interpreter version 5.3.0 or better. You can use SSH access to execute the script.<br />
<br />
===I need cron.php to send me emails when cronjobs are executed===<br />
<br />
If you use Enterprise/Downloadable X-Payments, and your hosting can send emails every time an X-Payments job is executed, you can add a certain code to crontab settings for X-Payments cron.php to make cron send you emails; for example:<br />
<br />
cd /home/checkout/public_html/ && /usr/bin/php-cli cron.php; echo "X-Payments Cron Job was launched";<br />
<br />
Moreover, you can email the results of cron jobs execution to yourself by making a line like the following:<br />
<br />
cd /home/checkout/public_html/ && /usr/bin/php-cli cron.php; cat /var/log/cron/YYYY-MM-DD/errors.php;<br />
<br />
Just be sure to replace YYYY-MM-DD with a code that defines the current date on your server.<br />
<br />
===I'm the admin and my account got locked===<br />
<br />
This could happen when a user exceeds the allowed number of unsuccessful access attempts. The account is automatically locked for the period of time specified in the 'General settings' section.<br />
<br />
If this is the case, you should wait until the specified dangerous activity blocking period passes, and try to sign in again.<br />
<br />
By default, X-Payments limits the number of unsuccessful login attempts to the maximum of 6 and does not allow new login attempts for 30 minutes (this is controlled via Settings -> General settings -> Dangerous activity blocking period).<br />
<br />
===I lost my password. What do I need to do?===<br />
<br />
# Go to <pre>https://<your_xp_domain_name>/admin.php?target=login</pre><br />
# Click the 'Forgot password' link on the login page. An email message will be sent to you with a link containing your profile confirmation token.<br />
# Follow the link to reset the password.<br />
<br />
If the profile confirmation token has expired for some reason (e.g. you missed the email message and did not click the link in time), and you cannot set a new password for your account, just use the 'Forgot password' link on the login page again.<br />
<br />
===Where can I find my X-Payments logs?===<br />
<br />
X-Payments logs and X-Cart logs related to X-Payments can be found as follows:<br />
<br />
On the X-Payments end: See the <xpay-dir>/var/log/ directory. If you are using an X-Payment Hosted account, you can see this folder as "var/log" in your X-Payments FTP account.<br />
<br />
On the X-Cart 4 end: See the <xcart-dir>/var/log/x-errors_xpay_connector-YYMMDD.php files<br />
<br />
===How to increase PayPal Payflow Pro "TIMEOUT" value===<br />
<br />
In the file <xpay_dir>/lib/XPay/Module/PaypalWPPPEDirectPayment.php, locate the line # 249:<br />
<br />
<source><br />
$bouncerData->setTimeout(45);<br />
</source><br />
<br />
and change 45 to some other value in seconds (a number between 30..60 is recommended)<br />
<br />
===How to enable the use of TLS/SSL SMTP===<br />
<br />
In the file <xpdir>/config/config.ini.php, locate the line:<br />
<br />
host="smtp.yourmailservice.com"<br />
<br />
and replace it with the following:<br />
<br />
host="ssl://smtp.yourmailservice.com"<br />
<br />
===How to configure Elavon Converge/Virtual Merchant - Merchant Provided Form===<br />
<br />
Suggested X-Payments settings:<br />
<br />
* set Initial transaction to auth & capture<br />
* merchantID is the same as elavon "accountID"<br />
* get the userid from elavon <br />
* get the PIN from elavon<br />
<br />
Then setup myvirtualmerchant settings:<br />
<br />
terminal > advanced > system setup<br />
<br />
* Use HTTP Referrers [ unchecked ]<br />
* Auto Pend HTTP Transactions [x]<br />
* Auto Settlement [x]<br />
<br />
EVERYTHING else is empty<br />
<br />
PS:<br />
Many thanks to [https://forum.x-cart.com/showpost.php?p=366912&postcount=4 carpeperdiem for sharing]!<br />
<br />
==X-Payments Hosted FAQ==<br />
<br />
{{X-Payments:X-Payments-Hosted-FAQ}}<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
[[Category:X-Payments User Manual]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:System_requirements_for_X-Payments_3&diff=840X-Payments:System requirements for X-Payments 32016-10-21T13:07:06Z<p>Alex “Ambal” Mulin: /* PHP configuration */</p>
<hr />
<div><noinclude>{{XP_manual_TOC}}</noinclude><br />
<br />
For hassle-free installation and performance of X-Payments, your server must meet the following requirements:<br />
<br /><br />
==Operating system==<br />
A Unix-based operating system (Linux, FreeBSD, etc)<br />
<br /><br />
==PHP configuration==<br />
<br />
'''PHP version:'''<br />
<br />
: PHP v 5.5.30 or later (versions 7.0.3 or later are recommended)<br />
<br />
'''php.ini settings:'''<br />
<br />
:Mandatory:<br />
<br />
:* safe_mode = off;<br />
:* magic_quotes_sybase = off;<br />
:* sql.safe_mode = off;<br />
:* ini_set = on;<br />
:* memory_limit >= 16M;<br />
<br />
:Recommended:<br />
<br />
:* disable_functions = NULL<br />
:* max_execution_time >= 30;<br />
:* memory_limit >= 32M;<br />
:* max_input_time >= 30;<br />
:* sendmail_from = username@example.com; (An email address that service email messages will be sent from)<br />
:* precision = 14 (the default value set in the php.ini file).<br />
<br />
'''PHP extensions:'''<br />
<br />
:* Core;<br />
:* PCRE;<br />
:* HASH;<br />
:* PDO with the MySQL driver;<br />
:::'''''Important note about PDO extension:'''''<br />X-Payments requires the PDO extension, as well as the MySQL PDO driver, to be installed as a <u>shared module</u>. In other words your php.ini file needs to be updated so that the PDO extensions will be loaded automatically when PHP runs:<br /><br />
::::extension=php_pdo.so<br /><br />
::::extension=php_pdo_mysql.so<br /><br />
:::X-Payments will not install if you use a different PHP configuration (i.e. when PHP is compiled with the necessary PDO extensions like '--enable-pdo=shared' and '--with-pdo-mysql=shared'). In this case, please change the configuration as advised above (install both extensions as a shared module).<br />
:::See also: http://php.net/manual/en/pdo.installation.php<br />
:* mcrypt (To encrypt general data through the AES encryption algorithm);<br />
:* XML DOM (To parse XML data);<br />
:* cURL (To send secure HTTPS requests; cURL version 7.39.0 or better is recommended);<br />
:* OpenSSL (To encrypt cardholder's data and API requests);<br />
:* SOAP (Required for the Firstdata e4 payment gateway);<br />
:* Reflection;<br />
:* SimpleXML;<br />
:* calendar;<br />
:* ctype;<br />
:* date;<br />
:* fileinfo;<br />
:* filter;<br />
:* gd;<br />
:* json;<br />
:* libxml;<br />
:* mbstring;<br />
:* pcre;<br />
:* posix;<br />
:* spl;<br />
:* standard;<br />
:* xmlwriter.<br />
<br />
<br />
'''Miscellaneous:'''<br />
:* The crontab on the server where X-Payments is installed must be configured to periodically run the script cron.php (needed for data cleaning tasks and subscriptions). For more info, see [[X-Payments:Installation#XPCronPhp|Running the cron.php script]].<br />
:* Use SMTP server (with SMTP Authentication option enabled) instead the PHP function mail() to send email;<br />
:* Allow the PHP function fsockopen to ensure correct performance of SMTP mailer.<br />
<br />
{{Note|If you need detailed help on PHP configuration settings, please refer to http://www.php.net .}}<br />
<br /><br />
<br />
==MySQL configuration==<br />
<br />
'''MySQL version:'''<br />
<br />
:* MySQL versions 5.6 or later (5.7 is recommended).<br />
<br />
'''MySQL user privileges:'''<br />
<br />
:Basic level privileges<br />
<br />
:* select_priv;<br />
:* insert_priv;<br />
:* update_priv;<br />
:* delete_priv;<br />
:* lock_tables_priv;<br />
:* index_priv;<br />
<br />
:Privileges for the software installation and upgrade<br />
<br />
:* create_priv;<br />
:* drop_priv;<br />
:* alter_priv.<br />
<br />
'''MySQL user limitations:'''<br />
<br />
:* MAX_QUESTIONS - no limitations;<br />
:* MAX_UPDATES - no limitations;<br />
:* MAX_QUERIES_PER_HOUR - no limitations;<br />
:* MAX_USER_CONNECTIONS - no limitations.<br />
:* max_allowed_packet - from 8 MB to 16 MB (recommended);<br />
:* wait_timeout - from 7200 to 28800 (recommended).<br />
<br />
'''InnoDB:'''<br />
:* Must be enabled. Make sure there is no "skip-innodb" in my.cnf.<br />
<br /><br />
==Apache configuration==<br />
<br />
Apache is the recommended web server for X-Payments. The settings described below refer to Apache only.<br />
<br />
'''Distributed configuration file:'''<br />
<br />
:* AccessFileName .htaccess; (The filename must always be .htaccess);<br />
:* AllowOverride = ALL; (You must have sufficient permissions to change the settings of the web directory through the .htaccess file).<br />
<br />
'''PHP running mode:'''<br />
<br />
:If PHP interpreter is compiled as CGI, it must have the --enable-force-cgi-redirect option (without --enable-discard-path) enabled. This allows you to avoid the trouble with setting 755 permissions on PHP scripts and registering #!/usr/bin/php.<br />
<br />
'''Apache modules:'''<br />
<br />
:Mandatory<br />
<br />
:* mod_dir; (For correct operation of DirectoryIndex)<br />
:* mod_access; (For correct operation of Deny From All and Allow From All)<br />
:* mod_auth; (For correct HTTP authentication)<br />
<br />
:Recommended<br />
<br />
:* mod_expires; (To setup file caching)<br />
:* mod_gzip / mod_deflate. (For page compression)<br />
<br /><br />
==HTTPS settings==<br />
<br />
HTTPS must be enabled.<br />
<br /><br /><br />
==Secure Shell access==<br />
<br />
For some operations, you will need to have secure shell access to the server where X-Payments is installed. These operations include:<br />
<br />
:* [[X-Payments:Codebook_regeneration|Codebook regeneration]]<br />
:* [[X-Payments:User_manual#Managing_PIN-codes|PIN-codes generation]]<br />
<br />
If shell access is not allowed, the necessary actions can be performed with the help of the PHP shell_exec() function. You'll need to create a script shell.php like the following:<br />
<br />
<pre><br />
<?php<br />
<br />
$cmd = 'SHELL COMMAND';<br />
<br />
echo shell_exec $cmd . '2>&1';<br />
<br />
?><br />
</pre><br />
(Be sure to replace SHELL COMMAND with the actual command that needs to be executed).<br />
<br />
Upload this script onto the server where X-Payments is installed and allow it in the <xp-dir>/.htaccess file by adding the following lines:<br />
<br />
<pre><br />
<Files ~ "shell.php"><br />
Order deny,allow<br />
Allow from all<br />
</Files><br />
</pre><br />
<br />
Then open this file in the web browser.<br />
<br />
{{Note1|'''Important''': Right after the operation has been completed, remove the shell.php file and restore the original <xp-dir>/.htaccess file.}}<br />
<br /><br />
<br />
==System parameters==<br />
<br />
'''Network settings:'''<br />
<br />
:* X-Payments must use the IPv4 protocol;<br />
:* Outgoing TCP connections must be opened to ports 25, 80 and 443;<br />
:* External domains must be allowed at both system and PHP levels, that is the PHP functions gethostbyaddr and gethostbyname must work without any limitations;<br />
:* Domains hosted on a localhost server must be resolved to an external IP address if the server is behind NAT.<br />
<br />
'''Disk space:'''<br />
<br />
:* 15 MB for a fresh application installation;<br />
:* From 5 MB for the database. Exact amount of disk space required for the database depends on the number of transactions.<br />
<br /><br />
==Shopping cart software==<br />
<br />
Your shopping cart software must support [[X-Payments:API]]. This can be achieved by installing an appropriate X-Payments connector. <br /><br />
More info about the connectors is available here:<br /><br />
{{XP_connector_manuals}}<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
[[Category:X-Payments User Manual]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:FAQ&diff=818X-Payments:FAQ2016-08-22T10:32:18Z<p>Alex “Ambal” Mulin: /* Which shopping cart software is compatible with X-Payments? */</p>
<hr />
<div><noinclude>{{Template:XP manual TOC}}</noinclude><br />
==General==<br />
<br />
===What is X-Cart Payments service?===<br />
<br />
X-Cart Payments is a SaaS (Software as a Service) allowing on-line merchants to use "on-site" or "merchant-hosted" credit card payment methods, like "Authorize.Net AIM", "SagePay - Direct integration", "FirstData Global Gateway - API", "PayPal Payments Pro - Direct Payment", and [[X-Payments:User_manual#Appendix_A._Supported_payment_gateways | more others]] in their integrated shopping carts.<br />
<br />
The service includes:<br />
* Account on a PCI DSS compliant web-hosting<br />
* SSL certificate<br />
* Pre-installed and configured X-Payments application<br />
<br />
X-Payments (aka X-Cart Payments) is a PA-DSS validated application, a secure bridge between integrated shopping cart software and payment gateways. The application is hosted on a reliable and PCI DSS compliant web-hosting and secured with SSL. It helps merchants to facilitate their overall PCI DSS compliance and to accept credit card payments securely.<br />
<br />
Besides, X-Cart Payments makes it possible to accept credit card payments right on X-Cart checkout page (using so called [http://help.x-cart.com/index.php?title=X-Cart:IFrame_One-Step_Checkout_for_X-Payments iFrame One-Step Checkout] feature), while still providing a PCI DSS compliant payment solution for merchants. In other words, customers can pay without ever leaving your web-site and being redirected to the payment gateway site, as comparing to the "off-site" payment methods like "PayPal Payments Standard", "Authorize.Net SIM", "SagePay - Form integration", "FirstData Global Gateway - Connect", etc. This can reassure customers and increase conversion rates eventually, according to a [http://www.getelastic.com/single-vs-two-page-checkout/ research conducted by Getelastic.com].<br />
<br />
Read more about X-Cart Payments at our web-site:<br />
* http://www.x-cart.com/extensions/modules/xpayments.html<br />
* http://www.x-cart.com/blog/new-xpayments-plans-introduced.html<br />
<br />
===Which shopping cart software is compatible with X-Payments?===<br />
<br />
X-Payments provides [[X-Payments:API | web-based API]] allowing your store to submit or retrieve data. The shopping cart software you use for your store must support this API thus you have to get an appropriate connector mod.<br />
<br />
See the following pages for more info:<br />
<br />
* [https://www.x-payments.com/help/X-Payments:Managing_store_connections#Connecting_an_Online_store How to connect an online store with X-Payments]<br />
* [[X-Payments:API | X-Payments:API]]<br />
* [http://help.x-cart.com/index.php?title=X-Cart:X-Payments_Connector X-Payments Connector]<br />
<br />
===How can I obtain X-Payments license===<br />
<br />
X-Payments can be purchased at [http://www.x-cart.com/xpayments-pricing.html X-Cart website].<br />
<br />
===How many stores can be connected to a single X-Payments installation?===<br />
<br />
See details at [http://www.x-cart.com/xpayments-pricing.html X-Payments plans page]<br />
<br />
===Can I transfer my X-Payments license and the software to a third party?===<br />
<br />
It is possible for paid X-Payments downloadable licenses, but you need to get our written consent according to the terms and conditions of the [http://www.qtmsoft.com/xpayments-la.html license agreement].<br />
<br />
==Installation and configuration ==<br />
<br />
===Why did you include PHP 5.3.0 into the '''X-Payments system''' '''requirements'''? It's relatively new, and many hosts aren't running it yet.===<br />
<br />
According to PCI DSS '''Requirements''' (paragraph 6.1),<br />
<br />
''>> 6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.''<br />
<br />
For PHP "the latest vendor-supplied security patches" means "the latest PHP version", because they do not supply patches. When we started to develop X-Payments, there were two stable versions of PHP available: 5.2.10 and 5.3.0. By summer 2010, the time PCI DSS compliance becomes a must, PHP 5.3.x will probably be as widely spread as 5.2.x now. That is why we decided to use some nice improvements of PHP 5.3.0.<br />
<br />
===Can you tell me exactly what it is in v5.3.0 that's so necessary for X-Payments?===<br />
<br />
The PHP development team has [http://www.php.net/archive/2010.php#id2010-12-16-1 announced] the end of support for PHP 5.2; therefore, 5.3 is going to be the earliest PHP version out there. We have used the newest features available in PHP 5.3 to make our software more current and eliminate the need to design and then certify it all over. Thus, PHP 5.3 features a more appropriate implementation of the Singleton pattern and allows to implement widget operations in the viewer using <tt>__invoke</tt>. It also offers numerous other functions that are handy but not available in PHP older than 5.3; for instance, array_replace, array_replace_recursive, etc.<br />
<br />
===Can X-Payments be set up together with old [http://help.x-cart.com/index.php?title=X-Cart:Subscriptions Subscriptions] add-on module to automatically bill subscribers on a regular basis?===<br />
<br />
No, it can't. X-Cart's old [http://help.x-cart.com/index.php?title=X-Cart:Subscriptions Subscriptions] module is not compatible with X-Payments and it is not PCI complaint.<br />
The right way is to use new X-Payments Subscriptions module for [http://www.x-cart.com/extensions/modules/xpayments_subscriptions.html X-Cart 4] and [http://www.x-cart.com/extensions/addons/x-payments-subscriptions-and-installements.html X-Cart 5.]<br />
<br />
===Why is it not possible to use blank database passwords in X-Payments configuration? That's not a problem for a production copy, but my test system doesn't use passwords usually===<br />
<br />
According to PA-DSS '''requirements''' (paragraph 3.2),<br />
<br />
''>> 3.2 Access to PCs, servers, and databases with payment applications must require a unique user ID and secure authentication.''<br />
<br />
This means that a password must be used to access the database as well. X-Payments doesn't have a test mode, and all the '''requirements''' are checked on the fly as if it were a production copy. X-Payments won't start until all the '''requirements''' are met. That is how we guarantee that the software meets PA-DSS '''requirements'''. If there were a test mode, we would have to add another level of checking, and each such level decreases the security of software "in the field". That is why we decided to go without some cool features, but keep high security level.<br />
<br />
===Can X-Payments be installed on server where my shopping cart software is hosted or do I need a separate web-server?===<br />
<br />
Both options are allowed. X-Payments can be set up either together with your shopping cart software provided it is run in a separate PCI compliant hosting space/account or on a separate server (X-Payments uses SSL connection to exchange data with your store).<br />
<br />
===Can X-Payments be installed on a shared hosting?===<br />
<br />
Yes, provided that a separate account is used for hosting X-Payments. No other software must be installed and run under this account.<br />
<br />
===Can I configure X-Payments to allow my customers enter their billing address when entering their credit card data?===<br />
<br />
No, you cannot. To edit the billing address, a customer should go back to the store and edit the billing address in the customer profile at the store.<br />
<br />
===How do I create a different skin for the page where customers enter cardholder data?===<br />
<br />
To create a different template for the page where customers enter cardholder data, you should work with directories <u><xpayments>/lib/XPay/Templates/</u> and <u><xpayments>/public/templates/</u> .<br />
<br />
* To add a new template, create a file <u><xpayments>/lib/XPay/Templates/<new_template_name>.html</u> and put the HTML code for the new template into the file. Make sure you only put the code between the tags <body> and </body> as it will be automatically included into the general HTML-code of the file <u><xpayments>/lib/XPay/Skin/Payment/Home.php</u>. After that you will be able to select the new template from the 'Template' drop-down box at the 'Online store details' page.<br />
<br />
* If you want to use a different CSS style, place the CSS code into the file <u><xpayments>/public/templates/<new_template_name>.css</u>, and it will be linked automatically during the page generation.<br />
<br />
* If you want to use a different set of images, copy the images to the directory <u><xpayments>/public/templates/<new_template_name>/directory</u>.<br />
<br />
===Is it possible to configure X-Payments to have my sales processed manually?===<br />
<br />
No, it's not possible since X-Payments does not allow storing credit card numbers.<br />
<br />
===How can I manually decrypt the LinkPoint key, returned encrypted by default?===<br />
<br />
Use the '''openssl''' program in the command line:<br />
<br />
<pre><br />
openssl rsa -in oldkey.pem -out newkey.pem<br />
</pre><br />
<br />
* <tt>oldkey.pem</tt> - name of the encrypted key file provided by LinkPoint<br />
* <tt>newkey.pem</tt> - name of the unencrypted key file to be uploaded to the server<br />
<br />
{{Note1|<b>Notes:</b><br /><br />
<b>1. </b>When prompted to enter a password, enter the one you have received from Link Point. If you are prompted to enter a password again, just press '''Enter''' to leave the output key with no password.<br /><br />
<br /><br />
<b>2. </b>Be sure to set secure permissions on that file once you upload it (generally, secure permissions are "600").<br /><br />
<br /><br />
<b>3. </b>Be sure to remove the unencrypted key from your local PC.}}<br />
<br />
===My payment method does not appear in the list after successful import. What should I do?===<br />
<br />
Chances are you want to use PayPal as your payment method. If this is so, you need to [index.php?title=X-Payments:PayPal follow a few additional steps] to get PayPal to work with X-Payments.<br />
<br />
===I'm executing the cron.php script in a browser, but nothing happens===<br />
<br />
In case the script is run not in the command line interface (like in a browser in our case), its execution is interrupted due to security reasons.<br />
<br />
To run the script successfully, execute it from the command line and use PHP interpreter version 5.3.0 or above. You can use SSH access to execute the script.<br />
<br />
===I need cron.php to send me emails when cronjobs are executed===<br />
<br />
If you use Enterprise/Downloadable X-Payments and your hosting can send emails every time X-Payments job is executed you can add certain code to crontab settings for X-Payments cron.php to make cron send you emails, e.g.<br />
<br />
cd /home/checkout/public_html/ && /usr/bin/php-cli cron.php; echo "X-Payments Cron Job was launched";<br />
<br />
Moreover, you email yourself results of cron jobs execution by making a line like<br />
<br />
cd /home/checkout/public_html/ && /usr/bin/php-cli cron.php; cat /var/log/cron/YYYY-MM-DD/errors.php;<br />
<br />
Just subscritute YYYY-MM-DD with a code that defines current date on your server.<br />
<br />
===I'm the admin and my account got locked===<br />
<br />
This could happen when a user exceeds the allowed number of unsuccessful access attempts. The account is automatically locked for the period of time specified in the 'General settings' section.<br />
<br />
If this is the case, you should wait until the specified dangerous activity blocking period passes, and try to sign in again.<br />
<br />
By default, X-Payments limits number of unsuccessful login attempts by 6 max and does not allow new login attempts for 30 minutes (this is controlled at Settings -> General settings -> Dangerous activity blocking period).<br />
<br />
===I lost my password. What do I need to do?===<br />
<br />
* Go to <pre>https://<your_xp_domain_name>/admin.php?target=login</pre><br />
* click the 'Forgot password' link on the login page<br />
* you'll receive a new email containing link with the profile confirmation token<br />
* follow it to set the password<br />
<br />
If the profile confirmation token is expired for some reason (e.g. you missed the email message and didn't click the link in time) and you cannot set the password to your account, just use the 'Forgot password' link again to set up the password.<br />
<br />
===Where can I find X-Payments logs?===<br />
<br />
X-Payments logs and X-Cart logs related to X-Payments are located at<br />
<br />
At X-Payments side: See the <xpay-dir>/var/log/ directory. If you are using an X-Payment Hosted account you can see this folder as "var/log" in your X-Payments FTP account.<br />
<br />
At X-Cart 4 side: See the <xcart-dir>/var/log/x-errors_xpay_connector-YYMMDD.php files<br />
<br />
===How to increase PayPal Payflow Pro "TIMEOUT" value===<br />
<br />
<br />
In file <xpay_dir>/lib/XPay/Module/PaypalWPPPEDirectPayment.php in line # 249:<br />
<br />
<source><br />
$bouncerData->setTimeout(45);<br />
</source><br />
<br />
change 45 to some value in seconds (a number between 30..60 is recommended)<br />
<br />
===How to enable use of TLS/SSL SMTP===<br />
<br />
In <xpdir>/config/config.ini.php file instead of:<br />
<br />
host="smtp.yourmailservice.com"<br />
<br />
make as below:<br />
<br />
host="ssl://smtp.yourmailservice.com"<br />
<br />
==X-Payments Hosted FAQ==<br />
<br />
{{X-Payments:X-Payments-Hosted-FAQ}}<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
[[Category:X-Payments User Manual]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PA-DSS_implementation_guide_for_X-Cart_Payments_3&diff=712X-Payments:PA-DSS implementation guide for X-Cart Payments 32016-07-01T13:40:04Z<p>Alex “Ambal” Mulin: /* Hardware and software */</p>
<hr />
<div>==Introduction==<br />
The purpose of this PA-DSS Implementation Guide is to inform employees of organizations using the X-Cart Payments payment application by Qualiteam Software Limited about the methods and means of protection of account data in the X-Cart Payments software.<br />
<br /><br /><br />
The methods include the need for compliance with the information security standards in the payment card industry developed by the international payment systems Visa and MasterCard - Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). For additional information about PCI DSS, please visit the [https://www.pcisecuritystandards.org/ Official PCI Security Standards Council Site].<br />
<br /><br /><br />
The document provides instructions on how to implement the application in a PCI DSS compliant manner.<br />
<br /><br /><br />
Full product name - X-Cart Payments.<br /><br />
Product version - 3.0.x.<br />
<br /><br /><br />
Any servers used to run the X-Cart Payments payment application must be configured according to this PA-DSS Implementation Guide.<br />
<br /><br /><br />
This PA-DSS Implementation Guide should be updated:<br />
:* at least annually;<br />
:* after changes in the payment application (if required);<br />
:* after changes in the PCI DSS and PA-DSS standards.<br />
<br /><br />
The updated Version of the PA-DSS Implementation Guide has to be sent to all the merchants using X-Cart Payments.<br />
<br /><br /><br />
The history of changes to the X-Cart Payments PA-DSS Implementation Guide is provided in the table below.<br />
<br /><br /><br />
'''Table.1. X-Cart Payments PA-DSS Implementation Guide history of changes''' <br /><br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 10%;"| '''Author'''<br />
! scope="col" style="width: 10%;"| '''Date'''<br />
! scope="col" style="width: 10%;"| '''Number'''<br />
! scope="col" style="width: 60%;"| '''Change description'''<br />
|- style="vertical-align:top;"<br />
| <br />
| 05/17/2016<br />
| 01<br />
| The original version of the document, designed to meet the requirements of PCI DSS version 3.1 and PA DSS version 3.1<br />
|- <br />
|}<br />
<br /><br /><br />
<br />
==Data protection==<br />
The PCI DSS and PA-DSS standards prohibit storage of sensitive authentication data (after authorization) or cardholder data in cleartext.<br /><br /><br />
Cardholder data includes:<br />
:* Primary Account Number (PAN) <br />
:* Cardholder Name <br />
:* Expiration Date <br />
:* Service Code <br />
<br /><br />
Sensitive authentication data (SAD) includes: <br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
<br /><br />
X-Cart Payments has the ability to store parts of cardholder data temporarily to perform 3D Secure verification and certain types of transactions for some of the integrated payment processors. During storage, cardholder data is encrypted using RSA 2048 algorithm and AES 256 for key encryption. When its storage period is over, the data is removed automatically via "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks. <br />
<br /><br /><br />
X-Cart Payments may not be configured to store permanently in the database the following types of data: <br />
:* Full PAN<br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature.<br />
<br /><br /> <br />
The payment application masks PAN on display (except for the moment when the user enters the card number).<br />
X-Cart Payments can display masked PAN on the "Payment details" pages and in the "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. The same data (partially masked with asterisks) may be passed via the API to the integrated software products. X-Cart Payments does not have the ability to display full PAN anywhere, and there are no settings that can change this behavior of the user interface.<br />
<br /><br /><br />
<br />
==Data Collected while Testing==<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments: <br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever choose to collect credit card information to troubleshoot a problem that a customer of yours is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access.<br />
#* Only collect a limited amount of data (no more than is needed to solve the problem).<br />
#* Sensitive authentication data must be encrypted during storage. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Sensitive authentication data must be securely deleted immediately after use.<br />
To prevent uncontrolled storage of cardholder data (for example, in case of operating system failure), it is recommended to disable the swap file or move it to a specially prepared encrypted partition.<br />
<br /><br /><br />
==Authentication and access==<br />
The X-Cart Payments payment application has an only user type. This type cannot get access to payment card numbers and does not have any administrative privileges that may affect PA-DSS compliance.<br />
There are no built-in/default user accounts in X-Cart Payments. You must carefully control access to X-Cart Payments. Follow these rules: <br />
:* Restrict the number of employees who have access to X-Cart Payments to only those who have a business need.<br />
:* Always provide unique usernames for each person who needs access.<br />
:* Do not use system-default usernames and/or passwords.<br />
:* Ensure that web server is run under a non-privileged user account and the application has access to the database from a limited privilege user account.<br />
<br /><br />
To set password lifetime:<br />
# Log in to X-Cart Payments.<br />
# Go to Settings -> General Settings.<br />
# In the "User account password lifetime" field, enter the number of days for which the user account password needs to be valid. The maximum allowed password lifetime is 90 days.<br />
The following related rules apply:<br />
:* The minimum password length is 8 characters.<br />
:* A password must contain both numbers and lower- and uppercase characters.<br />
:* The last 4 passwords must be unique.<br />
:* A user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password.<br />
:* A user is logged off after an inactivity period of 15 minutes.<br />
<br /><br /><br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords: <br />
:* For your Web hosting account administration area (Web hosting account where your online store is hosted);<br />
:* For FTP access to the Web server;<br />
:* For Remote Desktop Connection to the Web server (if available);<br />
:* To connect to the MySQL server that contains your store data.<br />
<br /><br />
Linux authentication mechanism is used for login in the servers with running X-Cart Payments.<br />
Accounts for access to the operating system are managed by the Linux administrator.<br />
For Linux operating system accounts, you must configure the following attributes of the password policy:<br />
:* use personal accounts, do not use any group, shared, or generic accounts and passwords;<br />
:* changes to user passwords at least once every 90 days;<br />
:* require a minimum length of at least seven characters;<br />
:* contain both numeric and alphabetic characters;<br />
:* do not use last four passwords used previously;<br />
:* block account after six invalid logon attempts (minimum 30 minutes or until an administrator enables the user ID).<br />
<br /><br />
Two-factor authentication must be used for remote access to the operating system. The authentication methods, also known as factors, are:<br />
:* something you know, such as a password or a passphrase;<br />
:* something you have, such as a token device or a smart card;<br />
:* something you are, such as a biometric.<br />
<br /><br /><br />
<br />
== Logging==<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. Users do not have the ability to disable or change the logging parameters of X-Cart Payments. X-Cart Payments log journal does not contain cardholder data. It is implemented at the source code level. The setting of an event log journal does not require any additional action from users.<br />
The log files are created in the var/log/ directory. In X-Cart Payments 3.0, logs can be viewed via the X-Cart Payments admin back end. <br />Make sure you restrict access to the log files by business need-to-know. <br />
The following types of activity are logged: <br />
:* All actions taken by any individual with root or administrative privileges.<br />
:* Successes and failures of all individual accesses to application sections and functions.<br />
:* Initialization of the audit logs.<br />
:* User sign in and sign out.<br />
<br /><br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to the files access.log and error.log. <br />
Each log event includes: <br />
:* Type of event;<br />
:* Date and time of event;<br />
:* Username and IP address;<br />
:* Success or failure indication;<br />
:* Action which led to the event;<br />
:* Component which led to the event.<br />
<br /><br />
There is also a meta-log which contains information about other log files being created.<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on the server. This software should: <br />
:* warn on a checksum change of any of X-Cart Payments source code files except for the log file and the database files;<br />
:* record any file writing operations related to X-Cart Payments files.<br />
<br /><br /><br />
<br />
==Communication==<br />
LAN channel or other available connection method can be used as a communication channel.<br />
X-Cart Payments payment application supports the following data formats:<br />
{| class="wikitable" width=90%<br />
|-<br />
| scope="col" style="width: 20%;"| '''Protocol'''<br />
| scope="col" style="width: 70%;"| HTTP protocol (RFC 2616: HTTP/1.1) is used for data transfer between client and server <br />
|- style="vertical-align:top;"<br />
| '''Data transmission method'''<br />
| Only encrypted cardholder data (RSA 2048 and AES 256) is transferred. RAW POST method is used for data transmission - (data stream is transmitted in the body of the request that is sent from client to server)<br />
|- style="vertical-align:top;"<br />
| '''Data format'''<br />
| Data is transmitted in XML format (Extensible Markup Language (XML) 1.0) or in plain text using POST query via HTTPS<br />
|- style="vertical-align:top;"<br />
| '''Port'''<br />
| X-Cart Payments payment application uses ports 80, 443 <br />
|- <br />
|}<br />
<br /><br /><br />
'''Network traffic encryption'''<br /><br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for: <br />
:* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
:* providing remote web-based access to the application.<br />
<br /><br />
If you use some tools to remotely access the application, you should encrypt all the communication using such technologies as TLS or IPSEC. <br />
<br /><br />
As per PCI DSS requirement, cardholder data must never be sent unencrypted by email, and X-Cart Payments does meet this requirement never sending cardholder data by email or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br /><br /><br />
'''Enable TLS'''<br /><br />
TLS protects data that is transmitted between a browser and your web server. It is critical that you have TLS enabled on your web server, and one of the first steps you should take after the installation is to enable TLS. <br />
:* Your web server must be configured to use TLS v1.1 or v1.2 protocols with strong encryption (128-bit or longer key is required).<br />
:* You will need to have a certificate issued for your web domain. Read guidelines on installing Comodo's Instant TLS certificates.<br />
<br /><br />
If a web server does not have TLS enabled, X-Cart Payments will not function. <br />
X-Cart Payments does not support remote administrative access. Strong encryption must be used for remote access to the server.<br />
The connection of servers with X-Cart Payments payment application to the Internet must be protected by a firewall. In X-Cart Payments configurations involving more than one server, server connections should take place in network segments separated from the Internet via stateful inspection firewalls.<br />
<br /><br /><br />
'''Wireless communications'''<br /><br />
If you use wireless networking to access X-Cart Payments, it is your responsibility to ensure your wireless security configuration follows the PCI DSS requirements. <br />
:* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
:* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
:* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
:* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
::* Use with a minimum 104-bit encryption key and 24 bit-initialization value.<br />
::* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS.<br />
::* Rotate shared WEP keys quarterly (or automatically if the technology permits).<br />
::* Rotate shared WEP keys whenever there are changes in personnel with access to keys.<br />
::* Restrict access based on media access code (MAC) address.<br />
::* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br /><br /><br />
'''Remote access'''<br /><br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time codes. Detailed information can be found on the [[X-Payments:Two-factor_authentication | X-Payments:Two-factor authentication]] page. <br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following: <br />
:* Change the default settings in the remote access software (for example, change the default passwords and use unique passwords for each customer).<br />
:* Allow connections only from specific (known) IP/MAC addresses.<br />
:* Use strong authentication or complex passwords for logins.<br />
:* Enable encrypted data transmission.<br />
:* Enable account lockout after a certain number of failed login attempts.<br />
:* Configure the system so a remote user must establish a Virtual Private Network ("VPN") connection via a firewall before access is allowed.<br />
:* Enable any logging or auditing functions.<br />
:* Restrict access to customer passwords to authorized reseller/integrator personnel.<br />
:* Establish customer passwords according to PCI DSS requirements.<br />
Qualiteam does not provide software updates via remote access on an automated basis. <br />
<br /><br /><br />
<br />
==Hardware and software==<br />
The following requirements must be met for X-Cart Payments payment application self-service terminals:<br /><br />
'''Operating System'''<br /><br />
Linux Ubuntu 16 or later, Linux Debian 6.0 or later, Linux CentOS 6 or later <br /><br />
'''DBMS'''<br /><br />
My SQL 5.6 or later <br /><br />
'''Software'''<br /><br />
PHP 5.5 or later <br /><br />
Apache 2.4 or later<br />
<br /><br /><br />
<br />
==Product versioning methodology==<br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 15%;"| '''Version number changes'''<br />
! scope="col" style="width: 45%;"| '''Software changes'''<br />
! scope="col" style="width: 15%;"| '''Description'''<br />
! scope="col" style="width: 15%;"| '''PA-DSS changes'''<br />
|- style="vertical-align:top;"<br />
| Version number does not change<br />
| Change of the software name<br />Change of the vendor name<br />
| Changes not related to the software development process<br />
| Administrative<br />
|- style="vertical-align:top;"<br />
| Increment of the minor version number to reflect a change not affecting the certification. For example, change of the version number from 1.0.5 to 1.0.6 (for the certification of 1.0.x)<br />
| - Changes to the user interface <br />- Changes to the database schema <br />- Changes to supported payment gateway integrations / Addition of new payment gateway integrations<br />
| Changes that have no impact on the PA-DSS requirements compliance or Payment Application security<br />
| No Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the second version number. For example, change of the version number from 1.1.* to 1.2.*<br />
| Software changes satisfy the following conditions:<br />- Fewer than 4 sections of the standard (from 1 to 12) involved;<br />- Fewer than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- Less than a half of the software functions (or code) modified;<br />- Changes implemented for compatibility with the updated versions of previously tested OS, DBMS and third party software products.<br />- Addition/removal of supported payment processors.<br />- Recompilation of the source code using a new compiler or different compiler settings.<br />- Changes of the software versioning policy.<br />- Changes of the software not related to security.<br />
| - Changes in the software affecting payment card data mechanisms.<br />- Changes addressing the identified vulnerabilities of the application.<br />- Changes related to the completion of the annual cycle of development (if there are other changes).<br />
| Low Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the first version number. For example, change of the version number from 1.0.* to 2.0.*<br />
| Software changes satisfy the following conditions:<br />- 4 or more sections of the standard (from 1 to 12) involved;<br />- More than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- More than a half of the software functions (or code) modified;<br />- Addition of new supported platforms/OS versions. <br />
| Major changes in the software architecture, global alterations of code<br />
| High Impact<br />
|}<br />
<br /><br />
The release of each new version is accompanied with a notification to all the application users (agents), which indicates the new application version number and a list of main changes in the new version.<br />
<br /><br /><br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PA-DSS_implementation_guide_for_X-Cart_Payments_3&diff=686X-Payments:PA-DSS implementation guide for X-Cart Payments 32016-05-30T08:32:54Z<p>Alex “Ambal” Mulin: /* Communication */</p>
<hr />
<div>==Introduction==<br />
The purpose of this PA-DSS Implementation Guide is to inform employees of organizations using the X-Cart Payments payment application by Qualiteam Software Limited about the methods and means of protection of account data in the X-Cart Payments software.<br />
<br /><br /><br />
The methods include the need for compliance with the information security standards in the payment card industry developed by the international payment systems Visa and MasterCard – Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). For additional information about PCI DSS, please visit the [https://www.pcisecuritystandards.org/ Official PCI Security Standards Council Site].<br />
<br /><br /><br />
The document provides instructions on how to implement the application in a PCI DSS compliant manner.<br />
<br /><br /><br />
Full product name – X-Cart Payments.<br /><br />
Product version – 3.0.х.<br />
<br /><br /><br />
Any servers used to run the X-Cart Payments payment application must be configured according to this PA-DSS Implementation Guide.<br />
<br /><br /><br />
This PA-DSS Implementation Guide should be updated:<br />
:* at least annually;<br />
:* after changes in the payment application (if required);<br />
:* after changes in the PCI DSS and PA-DSS standards.<br />
<br /><br />
The updated Version of the PA-DSS Implementation Guide has to be sent to all the merchants using X-Cart Payments.<br />
<br /><br /><br />
The history of changes to the X-Cart Payments PA-DSS Implementation Guide is provided in the table below.<br />
<br /><br /><br />
'''Table.1. X-Cart Payments PA-DSS Implementation Guide history of changes''' <br /><br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 10%;"| '''Author'''<br />
! scope="col" style="width: 10%;"| '''Date'''<br />
! scope="col" style="width: 10%;"| '''Number'''<br />
! scope="col" style="width: 60%;"| '''Change description'''<br />
|- style="vertical-align:top;"<br />
| <br />
| 05/17/2016<br />
| 01<br />
| The original version of the document, designed to meet the requirements of PCI DSS version 3.1 and PA DSS version 3.1<br />
|- <br />
|}<br />
<br /><br /><br />
<br />
==Data protection==<br />
The PCI DSS and PA-DSS standards prohibit storage of sensitive authentication data (after authorization) or cardholder data in cleartext.<br /><br /><br />
Cardholder data includes:<br />
:* Primary Account Number (PAN) <br />
:* Cardholder Name <br />
:* Expiration Date <br />
:* Service Code <br />
<br /><br />
Sensitive authentication data (SAD) includes: <br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
<br /><br />
X-Cart Payments has the ability to store parts of cardholder data temporarily to perform 3D Secure verification and certain types of transactions for some of the integrated payment processors. During storage, cardholder data is encrypted using RSA 2048 algorithm and AES 256 for key encryption. When its storage period is over, the data is removed automatically via "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks. <br />
<br /><br /><br />
X-Cart Payments may not be configured to store permanently in the database the following types of data: <br />
:* Full PAN<br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature.<br />
<br /><br /> <br />
The payment application masks PAN on display (except for the moment when the user enters the card number).<br />
X-Cart Payments can display masked PAN on the "Payment details" pages and in the "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. The same data (partially masked with asterisks) may be passed via the API to the integrated software products. X-Cart Payments does not have the ability to display full PAN anywhere, and there are no settings that can change this behavior of the user interface.<br />
<br /><br /><br />
<br />
==Data Collected while Testing==<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments: <br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever choose to collect credit card information to troubleshoot a problem that a customer of yours is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access.<br />
#* Only collect a limited amount of data (no more than is needed to solve the problem).<br />
#* Sensitive authentication data must be encrypted during storage. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Sensitive authentication data must be securely deleted immediately after use.<br />
To prevent uncontrolled storage of cardholder data (for example, in case of operating system failure), it is recommended to disable the swap file or move it to a specially prepared encrypted partition.<br />
<br /><br /><br />
==Authentication and access==<br />
The X-Cart Payments payment application has an only user type. This type cannot get access to payment card numbers and does not have any administrative privileges that may affect PA-DSS compliance.<br />
There are no built-in/default user accounts in X-Cart Payments. You must carefully control access to X-Cart Payments. Follow these rules: <br />
:* Restrict the number of employees who have access to X-Cart Payments to only those who have a business need.<br />
:* Always provide unique usernames for each person who needs access.<br />
:* Do not use system-default usernames and/or passwords.<br />
:* Ensure that web server is run under a non-privileged user account and the application has access to the database from a limited privilege user account.<br />
<br /><br />
To set password lifetime:<br />
# Log in to X-Cart Payments.<br />
# Go to Settings -> General Settings.<br />
# In the "User account password lifetime" field, enter the number of days for which the user account password needs to be valid. The maximum allowed password lifetime is 90 days.<br />
The following related rules apply:<br />
:* The minimum password length is 8 characters.<br />
:* A password must contain both numbers and lower- and uppercase characters.<br />
:* The last 4 passwords must be unique.<br />
:* A user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password.<br />
:* A user is logged off after an inactivity period of 15 minutes.<br />
<br /><br /><br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords: <br />
:* For your Web hosting account administration area (Web hosting account where your online store is hosted);<br />
:* For FTP access to the Web server;<br />
:* For Remote Desktop Connection to the Web server (if available);<br />
:* To connect to the MySQL server that contains your store data.<br />
<br /><br />
Linux authentication mechanism is used for login in the servers with running X-Cart Payments.<br />
Accounts for access to the operating system are managed by the Linux administrator.<br />
For Linux operating system accounts, you must configure the following attributes of the password policy:<br />
:* use personal accounts, do not use any group, shared, or generic accounts and passwords;<br />
:* changes to user passwords at least once every 90 days;<br />
:* require a minimum length of at least seven characters;<br />
:* contain both numeric and alphabetic characters;<br />
:* do not use last four passwords used previously;<br />
:* block account after six invalid logon attempts (minimum 30 minutes or until an administrator enables the user ID).<br />
<br /><br />
Two-factor authentication must be used for remote access to the operating system. The authentication methods, also known as factors, are:<br />
:* something you know, such as a password or a passphrase;<br />
:* something you have, such as a token device or a smart card;<br />
:* something you are, such as a biometric.<br />
<br /><br /><br />
<br />
== Logging==<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. Users do not have the ability to disable or change the logging parameters of X-Cart Payments. X-Cart Payments log journal does not contain cardholder data. It is implemented at the source code level. The setting of an event log journal does not require any additional action from users.<br />
The log files are created in the var/log/ directory. In X-Cart Payments 3.0, logs can be viewed via the X-Cart Payments admin back end. <br />Make sure you restrict access to the log files by business need-to-know. <br />
The following types of activity are logged: <br />
:* All actions taken by any individual with root or administrative privileges.<br />
:* Successes and failures of all individual accesses to application sections and functions.<br />
:* Initialization of the audit logs.<br />
:* User sign in and sign out.<br />
<br /><br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to the files access.log and error.log. <br />
Each log event includes: <br />
:* Type of event;<br />
:* Date and time of event;<br />
:* Username and IP address;<br />
:* Success or failure indication;<br />
:* Action which led to the event;<br />
:* Component which led to the event.<br />
<br /><br />
There is also a meta-log which contains information about other log files being created.<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on the server. This software should: <br />
:* warn on a checksum change of any of X-Cart Payments source code files except for the log file and the database files;<br />
:* record any file writing operations related to X-Cart Payments files.<br />
<br /><br /><br />
<br />
==Communication==<br />
LAN channel or other available connection method can be used as a communication channel.<br />
X-Cart Payments payment application supports the following data formats:<br />
{| class="wikitable" width=90%<br />
|-<br />
| scope="col" style="width: 20%;"| '''Protocol'''<br />
| scope="col" style="width: 70%;"| HTTP protocol (RFC 2616: HTTP/1.1) is used for data transfer between client and server <br />
|- style="vertical-align:top;"<br />
| '''Data transmission method'''<br />
| Only encrypted cardholder data (RSA 2048 and AES 256) is transferred. RAW POST method is used for data transmission – (data stream is transmitted in the body of the request that is sent from client to server)<br />
|- style="vertical-align:top;"<br />
| '''Data format'''<br />
| Data is transmitted in XML format (Extensible Markup Language (XML) 1.0) or in plain text using POST query via HTTPS<br />
|- style="vertical-align:top;"<br />
| '''Port'''<br />
| X-Cart Payments payment application uses ports 80, 443 <br />
|- <br />
|}<br />
<br /><br /><br />
'''Network traffic encryption'''<br /><br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for: <br />
:* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
:* providing remote web-based access to the application.<br />
<br /><br />
If you use some tools to remotely access the application, you should encrypt all the communication using such technologies as TLS or IPSEC. <br />
<br /><br />
As per PCI DSS requirement, cardholder data must never be sent unencrypted by email, and X-Cart Payments does meet this requirement never sending cardholder data by email or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br /><br /><br />
'''Enable TLS'''<br /><br />
TLS protects data that is transmitted between a browser and your web server. It is critical that you have TLS enabled on your web server, and one of the first steps you should take after the installation is to enable TLS. <br />
:* Your web server must be configured to use TLS v1.1 or v1.2 protocols with strong encryption (128-bit or longer key is required).<br />
:* You will need to have a certificate issued for your web domain. Read guidelines on installing Comodo's Instant TLS certificates.<br />
<br /><br />
If a web server does not have TLS enabled, X-Cart Payments will not function. <br />
X-Cart Payments does not support remote administrative access. Strong encryption must be used for remote access to the server.<br />
The connection of servers with X-Cart Payments payment application to the Internet must be protected by a firewall. In X-Cart Payments configurations involving more than one server, server connections should take place in network segments separated from the Internet via stateful inspection firewalls.<br />
<br /><br /><br />
'''Wireless communications'''<br /><br />
If you use wireless networking to access X-Cart Payments, it is your responsibility to ensure your wireless security configuration follows the PCI DSS requirements. <br />
:* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
:* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
:* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
:* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
::* Use with a minimum 104-bit encryption key and 24 bit-initialization value.<br />
::* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS.<br />
::* Rotate shared WEP keys quarterly (or automatically if the technology permits).<br />
::* Rotate shared WEP keys whenever there are changes in personnel with access to keys.<br />
::* Restrict access based on media access code (MAC) address.<br />
::* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br /><br /><br />
'''Remote access'''<br /><br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time codes. Detailed information can be found on the [[X-Payments:Two-factor_authentication | X-Payments:Two-factor authentication]] page. <br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following: <br />
:* Change the default settings in the remote access software (for example, change the default passwords and use unique passwords for each customer).<br />
:* Allow connections only from specific (known) IP/MAC addresses.<br />
:* Use strong authentication or complex passwords for logins.<br />
:* Enable encrypted data transmission.<br />
:* Enable account lockout after a certain number of failed login attempts.<br />
:* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed.<br />
:* Enable any logging or auditing functions.<br />
:* Restrict access to customer passwords to authorized reseller/integrator personnel.<br />
:* Establish customer passwords according to PCI DSS requirements.<br />
Qualiteam does not provide software updates via remote access on an automated basis. <br />
<br /><br /><br />
<br />
==Hardware and software==<br />
The following requirements must be met for X-Cart Payments payment application self-service terminals:<br /><br />
'''Operating System'''<br /><br />
Linux Ubuntu 16 or later <br /><br />
'''DBMS'''<br /><br />
My SQL 5.6 or later <br /><br />
'''Software'''<br /><br />
PHP 5.5 or later <br /><br />
Apache 2.4 or later<br />
<br /><br /><br />
==Product versioning methodology==<br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 15%;"| '''Version number changes'''<br />
! scope="col" style="width: 45%;"| '''Software changes'''<br />
! scope="col" style="width: 15%;"| '''Description'''<br />
! scope="col" style="width: 15%;"| '''PA-DSS changes'''<br />
|- style="vertical-align:top;"<br />
| Version number does not change<br />
| Change of the software name<br />Change of the vendor name<br />
| Changes not related to the software development process<br />
| Administrative<br />
|- style="vertical-align:top;"<br />
| Increment of the minor version number to reflect a change not affecting the certification. For example, change of the version number from 1.0.5 to 1.0.6 (for the certification of 1.0.x)<br />
| - Changes to the user interface <br />- Changes to the database schema <br />- Changes to supported payment gateway integrations / Addition of new payment gateway integrations<br />
| Сhanges that have no impact on the PA-DSS requirements compliance or Payment Application security<br />
| No Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the second version number. For example, change of the version number from 1.1.* to 1.2.*<br />
| Software changes satisfy the following conditions:<br />- Fewer than 4 sections of the standard (from 1 to 12) involved;<br />- Fewer than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- Less than a half of the software functions (or code) modified;<br />- Changes implemented for compatibility with the updated versions of previously tested OS, DBMS and third party software products.<br />- Addition/removal of supported payment processors.<br />- Recompilation of the source code using a new compiler or different compiler settings.<br />- Changes of the software versioning policy.<br />- Changes of the software not related to security.<br />
| - Changes in the software affecting payment card data mechanisms.<br />- Changes addressing the identified vulnerabilities of the application.<br />- Changes related to the completion of the annual cycle of development (if there are other changes).<br />
| Low Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the first version number. For example, change of the version number from 1.0.* to 2.0.*<br />
| Software changes satisfy the following conditions:<br />- 4 or more sections of the standard (from 1 to 12) involved;<br />- More than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- More than a half of the software functions (or code) modified;<br />- Addition of new supported platforms/OS versions. <br />
| Major changes in the software architecture, global alterations of code<br />
| High Impact<br />
|}<br />
<br /><br />
The release of each new version is accompanied with a notification to all the application users (agents), which indicates the new application version number and a list of main changes in the new version.<br />
<br /><br /><br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PA-DSS_implementation_guide_for_X-Cart_Payments_3&diff=685X-Payments:PA-DSS implementation guide for X-Cart Payments 32016-05-26T09:46:02Z<p>Alex “Ambal” Mulin: /* Communication */</p>
<hr />
<div>==Introduction==<br />
The purpose of this PA-DSS Implementation Guide is to inform employees of organizations using the X-Cart Payments payment application by Qualiteam Software Limited about the methods and means of protection of account data in the X-Cart Payments software.<br />
<br /><br /><br />
The methods include the need for compliance with the information security standards in the payment card industry developed by the international payment systems Visa and MasterCard – Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). For additional information about PCI DSS, please visit the [https://www.pcisecuritystandards.org/ Official PCI Security Standards Council Site].<br />
<br /><br /><br />
The document provides instructions on how to implement the application in a PCI DSS compliant manner.<br />
<br /><br /><br />
Full product name – X-Cart Payments.<br /><br />
Product version – 3.0.х.<br />
<br /><br /><br />
Any servers used to run the X-Cart Payments payment application must be configured according to this PA-DSS Implementation Guide.<br />
<br /><br /><br />
This PA-DSS Implementation Guide should be updated:<br />
:* at least annually;<br />
:* after changes in the payment application (if required);<br />
:* after changes in the PCI DSS and PA-DSS standards.<br />
<br /><br />
The updated Version of the PA-DSS Implementation Guide has to be sent to all the merchants using X-Cart Payments.<br />
<br /><br /><br />
The history of changes to the X-Cart Payments PA-DSS Implementation Guide is provided in the table below.<br />
<br /><br /><br />
'''Table.1. X-Cart Payments PA-DSS Implementation Guide history of changes''' <br /><br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 10%;"| '''Author'''<br />
! scope="col" style="width: 10%;"| '''Date'''<br />
! scope="col" style="width: 10%;"| '''Number'''<br />
! scope="col" style="width: 60%;"| '''Change description'''<br />
|- style="vertical-align:top;"<br />
| <br />
| 05/17/2016<br />
| 01<br />
| The original version of the document, designed to meet the requirements of PCI DSS version 3.1 and PA DSS version 3.1<br />
|- <br />
|}<br />
<br /><br /><br />
<br />
==Data protection==<br />
The PCI DSS and PA-DSS standards prohibit storage of sensitive authentication data (after authorization) or cardholder data in cleartext.<br /><br /><br />
Cardholder data includes:<br />
:* Primary Account Number (PAN) <br />
:* Cardholder Name <br />
:* Expiration Date <br />
:* Service Code <br />
<br /><br />
Sensitive authentication data (SAD) includes: <br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
<br /><br />
X-Cart Payments has the ability to store parts of cardholder data temporarily to perform 3D Secure verification and certain types of transactions for some of the integrated payment processors. During storage, cardholder data is encrypted using RSA 2048 algorithm and AES 256 for key encryption. When its storage period is over, the data is removed automatically via "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks. <br />
<br /><br /><br />
X-Cart Payments may not be configured to store permanently in the database the following types of data: <br />
:* Full PAN<br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature.<br />
<br /><br /> <br />
The payment application masks PAN on display (except for the moment when the user enters the card number).<br />
X-Cart Payments can display masked PAN on the "Payment details" pages and in the "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. The same data (partially masked with asterisks) may be passed via the API to the integrated software products. X-Cart Payments does not have the ability to display full PAN anywhere, and there are no settings that can change this behavior of the user interface.<br />
<br /><br /><br />
<br />
==Data Collected while Testing==<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments: <br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever choose to collect credit card information to troubleshoot a problem that a customer of yours is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access.<br />
#* Only collect a limited amount of data (no more than is needed to solve the problem).<br />
#* Sensitive authentication data must be encrypted during storage. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Sensitive authentication data must be securely deleted immediately after use.<br />
To prevent uncontrolled storage of cardholder data (for example, in case of operating system failure), it is recommended to disable the swap file or move it to a specially prepared encrypted partition.<br />
<br /><br /><br />
==Authentication and access==<br />
The X-Cart Payments payment application has an only user type. This type cannot get access to payment card numbers and does not have any administrative privileges that may affect PA-DSS compliance.<br />
There are no built-in/default user accounts in X-Cart Payments. You must carefully control access to X-Cart Payments. Follow these rules: <br />
:* Restrict the number of employees who have access to X-Cart Payments to only those who have a business need.<br />
:* Always provide unique usernames for each person who needs access.<br />
:* Do not use system-default usernames and/or passwords.<br />
:* Ensure that web server is run under a non-privileged user account and the application has access to the database from a limited privilege user account.<br />
<br /><br />
To set password lifetime:<br />
# Log in to X-Cart Payments.<br />
# Go to Settings -> General Settings.<br />
# In the "User account password lifetime" field, enter the number of days for which the user account password needs to be valid. The maximum allowed password lifetime is 90 days.<br />
The following related rules apply:<br />
:* The minimum password length is 8 characters.<br />
:* A password must contain both numbers and lower- and uppercase characters.<br />
:* The last 4 passwords must be unique.<br />
:* A user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password.<br />
:* A user is logged off after an inactivity period of 15 minutes.<br />
<br /><br /><br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords: <br />
:* For your Web hosting account administration area (Web hosting account where your online store is hosted);<br />
:* For FTP access to the Web server;<br />
:* For Remote Desktop Connection to the Web server (if available);<br />
:* To connect to the MySQL server that contains your store data.<br />
<br /><br />
Linux authentication mechanism is used for login in the servers with running X-Cart Payments.<br />
Accounts for access to the operating system are managed by the Linux administrator.<br />
For Linux operating system accounts, you must configure the following attributes of the password policy:<br />
:* use personal accounts, do not use any group, shared, or generic accounts and passwords;<br />
:* changes to user passwords at least once every 90 days;<br />
:* require a minimum length of at least seven characters;<br />
:* contain both numeric and alphabetic characters;<br />
:* do not use last four passwords used previously;<br />
:* block account after six invalid logon attempts (minimum 30 minutes or until an administrator enables the user ID).<br />
<br /><br />
Two-factor authentication must be used for remote access to the operating system. The authentication methods, also known as factors, are:<br />
:* something you know, such as a password or a passphrase;<br />
:* something you have, such as a token device or a smart card;<br />
:* something you are, such as a biometric.<br />
<br /><br /><br />
<br />
== Logging==<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. Users do not have the ability to disable or change the logging parameters of X-Cart Payments. X-Cart Payments log journal does not contain cardholder data. It is implemented at the source code level. The setting of an event log journal does not require any additional action from users.<br />
The log files are created in the var/log/ directory. In X-Cart Payments 3.0, logs can be viewed via the X-Cart Payments admin back end. <br />Make sure you restrict access to the log files by business need-to-know. <br />
The following types of activity are logged: <br />
:* All actions taken by any individual with root or administrative privileges.<br />
:* Successes and failures of all individual accesses to application sections and functions.<br />
:* Initialization of the audit logs.<br />
:* User sign in and sign out.<br />
<br /><br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to the files access.log and error.log. <br />
Each log event includes: <br />
:* Type of event;<br />
:* Date and time of event;<br />
:* Username and IP address;<br />
:* Success or failure indication;<br />
:* Action which led to the event;<br />
:* Component which led to the event.<br />
<br /><br />
There is also a meta-log which contains information about other log files being created.<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on the server. This software should: <br />
:* warn on a checksum change of any of X-Cart Payments source code files except for the log file and the database files;<br />
:* record any file writing operations related to X-Cart Payments files.<br />
<br /><br /><br />
<br />
==Communication==<br />
LAN channel or other available connection method can be used as a communication channel.<br />
X-Cart Payments payment application supports the following data formats:<br />
{| class="wikitable" width=90%<br />
|-<br />
| scope="col" style="width: 20%;"| '''Protocol'''<br />
| scope="col" style="width: 70%;"| HTTP protocol (RFC 2616: HTTP/1.1) is used for data transfer between client and server <br />
|- style="vertical-align:top;"<br />
| '''Data transmission method'''<br />
| Only encrypted cardholder data (RSA 2048 and AES 256) is transferred. RAW POST method is used for data transmission – (data stream is transmitted in the body of the request that is sent from client to server)<br />
|- style="vertical-align:top;"<br />
| '''Data format'''<br />
| Data is transmitted in XML format (Extensible Markup Language (XML) 1.0)<br />
|- style="vertical-align:top;"<br />
| '''Port'''<br />
| X-Cart Payments payment application uses ports 80, 443 <br />
|- <br />
|}<br />
<br /><br /><br />
'''Network traffic encryption'''<br /><br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for: <br />
:* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
:* providing remote web-based access to the application.<br />
<br /><br />
If you use some tools to remotely access the application, you should encrypt all the communication using such technologies as TLS or IPSEC. <br />
<br /><br />
As per PCI DSS requirement, cardholder data must never be sent unencrypted by email, and X-Cart Payments does meet this requirement never sending cardholder data by email or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br /><br /><br />
'''Enable TLS'''<br /><br />
TLS protects data that is transmitted between a browser and your web server. It is critical that you have TLS enabled on your web server, and one of the first steps you should take after the installation is to enable TLS. <br />
:* Your web server must be configured to use TLS v1.1 or v1.2 protocols with strong encryption (128-bit or longer key is required).<br />
:* You will need to have a certificate issued for your web domain. Read guidelines on installing Comodo's Instant TLS certificates.<br />
<br /><br />
If a web server does not have TLS enabled, X-Cart Payments will not function. <br />
X-Cart Payments does not support remote administrative access. Strong encryption must be used for remote access to the server.<br />
The connection of servers with X-Cart Payments payment application to the Internet must be protected by a firewall. In X-Cart Payments configurations involving more than one server, server connections should take place in network segments separated from the Internet via stateful inspection firewalls.<br />
<br /><br /><br />
'''Wireless communications'''<br /><br />
If you use wireless networking to access X-Cart Payments, it is your responsibility to ensure your wireless security configuration follows the PCI DSS requirements. <br />
:* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
:* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
:* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
:* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
::* Use with a minimum 104-bit encryption key and 24 bit-initialization value.<br />
::* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS.<br />
::* Rotate shared WEP keys quarterly (or automatically if the technology permits).<br />
::* Rotate shared WEP keys whenever there are changes in personnel with access to keys.<br />
::* Restrict access based on media access code (MAC) address.<br />
::* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br /><br /><br />
'''Remote access'''<br /><br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time codes. Detailed information can be found on the [[X-Payments:Two-factor_authentication | X-Payments:Two-factor authentication]] page. <br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following: <br />
:* Change the default settings in the remote access software (for example, change the default passwords and use unique passwords for each customer).<br />
:* Allow connections only from specific (known) IP/MAC addresses.<br />
:* Use strong authentication or complex passwords for logins.<br />
:* Enable encrypted data transmission.<br />
:* Enable account lockout after a certain number of failed login attempts.<br />
:* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed.<br />
:* Enable any logging or auditing functions.<br />
:* Restrict access to customer passwords to authorized reseller/integrator personnel.<br />
:* Establish customer passwords according to PCI DSS requirements.<br />
Qualiteam does not provide software updates via remote access on an automated basis. <br />
<br /><br /><br />
<br />
==Hardware and software==<br />
The following requirements must be met for X-Cart Payments payment application self-service terminals:<br /><br />
'''Operating System'''<br /><br />
Linux Ubuntu 16 or later <br /><br />
'''DBMS'''<br /><br />
My SQL 5.6 or later <br /><br />
'''Software'''<br /><br />
PHP 5.5 or later <br /><br />
Apache 2.4 or later<br />
<br /><br /><br />
==Product versioning methodology==<br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 15%;"| '''Version number changes'''<br />
! scope="col" style="width: 45%;"| '''Software changes'''<br />
! scope="col" style="width: 15%;"| '''Description'''<br />
! scope="col" style="width: 15%;"| '''PA-DSS changes'''<br />
|- style="vertical-align:top;"<br />
| Version number does not change<br />
| Change of the software name<br />Change of the vendor name<br />
| Changes not related to the software development process<br />
| Administrative<br />
|- style="vertical-align:top;"<br />
| Increment of the minor version number to reflect a change not affecting the certification. For example, change of the version number from 1.0.5 to 1.0.6 (for the certification of 1.0.x)<br />
| - Changes to the user interface <br />- Changes to the database schema <br />- Changes to supported payment gateway integrations / Addition of new payment gateway integrations<br />
| Сhanges that have no impact on the PA-DSS requirements compliance or Payment Application security<br />
| No Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the second version number. For example, change of the version number from 1.1.* to 1.2.*<br />
| Software changes satisfy the following conditions:<br />- Fewer than 4 sections of the standard (from 1 to 12) involved;<br />- Fewer than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- Less than a half of the software functions (or code) modified;<br />- Changes implemented for compatibility with the updated versions of previously tested OS, DBMS and third party software products.<br />- Addition/removal of supported payment processors.<br />- Recompilation of the source code using a new compiler or different compiler settings.<br />- Changes of the software versioning policy.<br />- Changes of the software not related to security.<br />
| - Changes in the software affecting payment card data mechanisms.<br />- Changes addressing the identified vulnerabilities of the application.<br />- Changes related to the completion of the annual cycle of development (if there are other changes).<br />
| Low Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the first version number. For example, change of the version number from 1.0.* to 2.0.*<br />
| Software changes satisfy the following conditions:<br />- 4 or more sections of the standard (from 1 to 12) involved;<br />- More than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- More than a half of the software functions (or code) modified;<br />- Addition of new supported platforms/OS versions. <br />
| Major changes in the software architecture, global alterations of code<br />
| High Impact<br />
|}<br />
<br /><br />
The release of each new version is accompanied with a notification to all the application users (agents), which indicates the new application version number and a list of main changes in the new version.<br />
<br /><br /><br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PA-DSS_implementation_guide_for_X-Cart_Payments_3&diff=684X-Payments:PA-DSS implementation guide for X-Cart Payments 32016-05-26T09:44:17Z<p>Alex “Ambal” Mulin: /* Communication */</p>
<hr />
<div>==Introduction==<br />
The purpose of this PA-DSS Implementation Guide is to inform employees of organizations using the X-Cart Payments payment application by Qualiteam Software Limited about the methods and means of protection of account data in the X-Cart Payments software.<br />
<br /><br /><br />
The methods include the need for compliance with the information security standards in the payment card industry developed by the international payment systems Visa and MasterCard – Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). For additional information about PCI DSS, please visit the [https://www.pcisecuritystandards.org/ Official PCI Security Standards Council Site].<br />
<br /><br /><br />
The document provides instructions on how to implement the application in a PCI DSS compliant manner.<br />
<br /><br /><br />
Full product name – X-Cart Payments.<br /><br />
Product version – 3.0.х.<br />
<br /><br /><br />
Any servers used to run the X-Cart Payments payment application must be configured according to this PA-DSS Implementation Guide.<br />
<br /><br /><br />
This PA-DSS Implementation Guide should be updated:<br />
:* at least annually;<br />
:* after changes in the payment application (if required);<br />
:* after changes in the PCI DSS and PA-DSS standards.<br />
<br /><br />
The updated Version of the PA-DSS Implementation Guide has to be sent to all the merchants using X-Cart Payments.<br />
<br /><br /><br />
The history of changes to the X-Cart Payments PA-DSS Implementation Guide is provided in the table below.<br />
<br /><br /><br />
'''Table.1. X-Cart Payments PA-DSS Implementation Guide history of changes''' <br /><br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 10%;"| '''Author'''<br />
! scope="col" style="width: 10%;"| '''Date'''<br />
! scope="col" style="width: 10%;"| '''Number'''<br />
! scope="col" style="width: 60%;"| '''Change description'''<br />
|- style="vertical-align:top;"<br />
| <br />
| 05/17/2016<br />
| 01<br />
| The original version of the document, designed to meet the requirements of PCI DSS version 3.1 and PA DSS version 3.1<br />
|- <br />
|}<br />
<br /><br /><br />
<br />
==Data protection==<br />
The PCI DSS and PA-DSS standards prohibit storage of sensitive authentication data (after authorization) or cardholder data in cleartext.<br /><br /><br />
Cardholder data includes:<br />
:* Primary Account Number (PAN) <br />
:* Cardholder Name <br />
:* Expiration Date <br />
:* Service Code <br />
<br /><br />
Sensitive authentication data (SAD) includes: <br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
<br /><br />
X-Cart Payments has the ability to store parts of cardholder data temporarily to perform 3D Secure verification and certain types of transactions for some of the integrated payment processors. During storage, cardholder data is encrypted using RSA 2048 algorithm and AES 256 for key encryption. When its storage period is over, the data is removed automatically via "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks. <br />
<br /><br /><br />
X-Cart Payments may not be configured to store permanently in the database the following types of data: <br />
:* Full PAN<br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature.<br />
<br /><br /> <br />
The payment application masks PAN on display (except for the moment when the user enters the card number).<br />
X-Cart Payments can display masked PAN on the "Payment details" pages and in the "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. The same data (partially masked with asterisks) may be passed via the API to the integrated software products. X-Cart Payments does not have the ability to display full PAN anywhere, and there are no settings that can change this behavior of the user interface.<br />
<br /><br /><br />
<br />
==Data Collected while Testing==<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments: <br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever choose to collect credit card information to troubleshoot a problem that a customer of yours is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access.<br />
#* Only collect a limited amount of data (no more than is needed to solve the problem).<br />
#* Sensitive authentication data must be encrypted during storage. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Sensitive authentication data must be securely deleted immediately after use.<br />
To prevent uncontrolled storage of cardholder data (for example, in case of operating system failure), it is recommended to disable the swap file or move it to a specially prepared encrypted partition.<br />
<br /><br /><br />
==Authentication and access==<br />
The X-Cart Payments payment application has an only user type. This type cannot get access to payment card numbers and does not have any administrative privileges that may affect PA-DSS compliance.<br />
There are no built-in/default user accounts in X-Cart Payments. You must carefully control access to X-Cart Payments. Follow these rules: <br />
:* Restrict the number of employees who have access to X-Cart Payments to only those who have a business need.<br />
:* Always provide unique usernames for each person who needs access.<br />
:* Do not use system-default usernames and/or passwords.<br />
:* Ensure that web server is run under a non-privileged user account and the application has access to the database from a limited privilege user account.<br />
<br /><br />
To set password lifetime:<br />
# Log in to X-Cart Payments.<br />
# Go to Settings -> General Settings.<br />
# In the "User account password lifetime" field, enter the number of days for which the user account password needs to be valid. The maximum allowed password lifetime is 90 days.<br />
The following related rules apply:<br />
:* The minimum password length is 8 characters.<br />
:* A password must contain both numbers and lower- and uppercase characters.<br />
:* The last 4 passwords must be unique.<br />
:* A user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password.<br />
:* A user is logged off after an inactivity period of 15 minutes.<br />
<br /><br /><br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords: <br />
:* For your Web hosting account administration area (Web hosting account where your online store is hosted);<br />
:* For FTP access to the Web server;<br />
:* For Remote Desktop Connection to the Web server (if available);<br />
:* To connect to the MySQL server that contains your store data.<br />
<br /><br />
Linux authentication mechanism is used for login in the servers with running X-Cart Payments.<br />
Accounts for access to the operating system are managed by the Linux administrator.<br />
For Linux operating system accounts, you must configure the following attributes of the password policy:<br />
:* use personal accounts, do not use any group, shared, or generic accounts and passwords;<br />
:* changes to user passwords at least once every 90 days;<br />
:* require a minimum length of at least seven characters;<br />
:* contain both numeric and alphabetic characters;<br />
:* do not use last four passwords used previously;<br />
:* block account after six invalid logon attempts (minimum 30 minutes or until an administrator enables the user ID).<br />
<br /><br />
Two-factor authentication must be used for remote access to the operating system. The authentication methods, also known as factors, are:<br />
:* something you know, such as a password or a passphrase;<br />
:* something you have, such as a token device or a smart card;<br />
:* something you are, such as a biometric.<br />
<br /><br /><br />
<br />
== Logging==<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. Users do not have the ability to disable or change the logging parameters of X-Cart Payments. X-Cart Payments log journal does not contain cardholder data. It is implemented at the source code level. The setting of an event log journal does not require any additional action from users.<br />
The log files are created in the var/log/ directory. In X-Cart Payments 3.0, logs can be viewed via the X-Cart Payments admin back end. <br />Make sure you restrict access to the log files by business need-to-know. <br />
The following types of activity are logged: <br />
:* All actions taken by any individual with root or administrative privileges.<br />
:* Successes and failures of all individual accesses to application sections and functions.<br />
:* Initialization of the audit logs.<br />
:* User sign in and sign out.<br />
<br /><br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to the files access.log and error.log. <br />
Each log event includes: <br />
:* Type of event;<br />
:* Date and time of event;<br />
:* Username and IP address;<br />
:* Success or failure indication;<br />
:* Action which led to the event;<br />
:* Component which led to the event.<br />
<br /><br />
There is also a meta-log which contains information about other log files being created.<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on the server. This software should: <br />
:* warn on a checksum change of any of X-Cart Payments source code files except for the log file and the database files;<br />
:* record any file writing operations related to X-Cart Payments files.<br />
<br /><br /><br />
<br />
==Communication==<br />
LAN channel or other available connection method can be used as a communication channel.<br />
X-Cart Payments payment application supports the following data formats:<br />
{| class="wikitable" width=90%<br />
|-<br />
| scope="col" style="width: 20%;"| '''Protocol'''<br />
| scope="col" style="width: 70%;"| HTTP protocol (RFC 2616: HTTP/1.1) is used for data transfer between client and server <br />
|- style="vertical-align:top;"<br />
| '''Data transmission method'''<br />
| Only encrypted cardholder data (RSA 2048 and AES 256) is transferred. RAW POST method is used for data transmission – (data stream is transmitted in the body of the request that is sent from client to server)<br />
|- style="vertical-align:top;"<br />
| '''Data format'''<br />
| Data is transmitted in XML format (Extensible Markup Language (XML) 1.0)<br />
|- style="vertical-align:top;"<br />
| '''Port'''<br />
| X-Cart Payments payment application uses ports 80, 443 <br />
|- <br />
|}<br />
<br /><br /><br />
'''Network traffic encryption'''<br /><br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for: <br />
:* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
:* providing remote web-based access to the application.<br />
<br /><br />
If you use some tools to remotely access the application, you should encrypt all the communication using such technologies as TLS or IPSEC. <br />
<br /><br />
As per PCI DSS requirement, cardholder data must never be sent unencrypted by email, and X-Cart Payments does meet this requirement never sending cardholder data by email or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br /><br /><br />
'''Enable TLS'''<br /><br />
TLS protects data that is transmitted between a browser and your web server. It is critical that you have TLS enabled on your web server, and one of the first steps you should take after the installation is to enable TLS. <br />
:* Your web server must be configured to use TLS v1.1 or v1.2 protocols with strong encryption (128-bit or longer key is required).<br />
:* You will need to have a certificate issued for your web domain. Read guidelines on installing Comodo's Instant TLS certificates.<br />
<br /><br />
If a web server does not have TLS enabled, X-Cart Payments will not function or will be notifying users depending on the allow_insecure_protocol parameter set in the config.ini.php file (disabled by default). <br />
X-Cart Payments does not support remote administrative access. Strong encryption must be used for remote access to the server.<br />
The connection of servers with X-Cart Payments payment application to the Internet must be protected by a firewall. In X-Cart Payments configurations involving more than one server, server connections should take place in network segments separated from the Internet via stateful inspection firewalls.<br />
<br /><br /><br />
'''Wireless communications'''<br /><br />
If you use wireless networking to access X-Cart Payments, it is your responsibility to ensure your wireless security configuration follows the PCI DSS requirements. <br />
:* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
:* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
:* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
:* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
::* Use with a minimum 104-bit encryption key and 24 bit-initialization value.<br />
::* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS.<br />
::* Rotate shared WEP keys quarterly (or automatically if the technology permits).<br />
::* Rotate shared WEP keys whenever there are changes in personnel with access to keys.<br />
::* Restrict access based on media access code (MAC) address.<br />
::* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br /><br /><br />
'''Remote access'''<br /><br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time codes. Detailed information can be found on the [[X-Payments:Two-factor_authentication | X-Payments:Two-factor authentication]] page. <br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following: <br />
:* Change the default settings in the remote access software (for example, change the default passwords and use unique passwords for each customer).<br />
:* Allow connections only from specific (known) IP/MAC addresses.<br />
:* Use strong authentication or complex passwords for logins.<br />
:* Enable encrypted data transmission.<br />
:* Enable account lockout after a certain number of failed login attempts.<br />
:* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed.<br />
:* Enable any logging or auditing functions.<br />
:* Restrict access to customer passwords to authorized reseller/integrator personnel.<br />
:* Establish customer passwords according to PCI DSS requirements.<br />
Qualiteam does not provide software updates via remote access on an automated basis. <br />
<br /><br /><br />
<br />
==Hardware and software==<br />
The following requirements must be met for X-Cart Payments payment application self-service terminals:<br /><br />
'''Operating System'''<br /><br />
Linux Ubuntu 16 or later <br /><br />
'''DBMS'''<br /><br />
My SQL 5.6 or later <br /><br />
'''Software'''<br /><br />
PHP 5.5 or later <br /><br />
Apache 2.4 or later<br />
<br /><br /><br />
==Product versioning methodology==<br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 15%;"| '''Version number changes'''<br />
! scope="col" style="width: 45%;"| '''Software changes'''<br />
! scope="col" style="width: 15%;"| '''Description'''<br />
! scope="col" style="width: 15%;"| '''PA-DSS changes'''<br />
|- style="vertical-align:top;"<br />
| Version number does not change<br />
| Change of the software name<br />Change of the vendor name<br />
| Changes not related to the software development process<br />
| Administrative<br />
|- style="vertical-align:top;"<br />
| Increment of the minor version number to reflect a change not affecting the certification. For example, change of the version number from 1.0.5 to 1.0.6 (for the certification of 1.0.x)<br />
| - Changes to the user interface <br />- Changes to the database schema <br />- Changes to supported payment gateway integrations / Addition of new payment gateway integrations<br />
| Сhanges that have no impact on the PA-DSS requirements compliance or Payment Application security<br />
| No Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the second version number. For example, change of the version number from 1.1.* to 1.2.*<br />
| Software changes satisfy the following conditions:<br />- Fewer than 4 sections of the standard (from 1 to 12) involved;<br />- Fewer than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- Less than a half of the software functions (or code) modified;<br />- Changes implemented for compatibility with the updated versions of previously tested OS, DBMS and third party software products.<br />- Addition/removal of supported payment processors.<br />- Recompilation of the source code using a new compiler or different compiler settings.<br />- Changes of the software versioning policy.<br />- Changes of the software not related to security.<br />
| - Changes in the software affecting payment card data mechanisms.<br />- Changes addressing the identified vulnerabilities of the application.<br />- Changes related to the completion of the annual cycle of development (if there are other changes).<br />
| Low Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the first version number. For example, change of the version number from 1.0.* to 2.0.*<br />
| Software changes satisfy the following conditions:<br />- 4 or more sections of the standard (from 1 to 12) involved;<br />- More than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- More than a half of the software functions (or code) modified;<br />- Addition of new supported platforms/OS versions. <br />
| Major changes in the software architecture, global alterations of code<br />
| High Impact<br />
|}<br />
<br /><br />
The release of each new version is accompanied with a notification to all the application users (agents), which indicates the new application version number and a list of main changes in the new version.<br />
<br /><br /><br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PA-DSS_implementation_guide_for_X-Cart_Payments_3&diff=683X-Payments:PA-DSS implementation guide for X-Cart Payments 32016-05-26T09:40:40Z<p>Alex “Ambal” Mulin: /* Data protection */</p>
<hr />
<div>==Introduction==<br />
The purpose of this PA-DSS Implementation Guide is to inform employees of organizations using the X-Cart Payments payment application by Qualiteam Software Limited about the methods and means of protection of account data in the X-Cart Payments software.<br />
<br /><br /><br />
The methods include the need for compliance with the information security standards in the payment card industry developed by the international payment systems Visa and MasterCard – Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). For additional information about PCI DSS, please visit the [https://www.pcisecuritystandards.org/ Official PCI Security Standards Council Site].<br />
<br /><br /><br />
The document provides instructions on how to implement the application in a PCI DSS compliant manner.<br />
<br /><br /><br />
Full product name – X-Cart Payments.<br /><br />
Product version – 3.0.х.<br />
<br /><br /><br />
Any servers used to run the X-Cart Payments payment application must be configured according to this PA-DSS Implementation Guide.<br />
<br /><br /><br />
This PA-DSS Implementation Guide should be updated:<br />
:* at least annually;<br />
:* after changes in the payment application (if required);<br />
:* after changes in the PCI DSS and PA-DSS standards.<br />
<br /><br />
The updated Version of the PA-DSS Implementation Guide has to be sent to all the merchants using X-Cart Payments.<br />
<br /><br /><br />
The history of changes to the X-Cart Payments PA-DSS Implementation Guide is provided in the table below.<br />
<br /><br /><br />
'''Table.1. X-Cart Payments PA-DSS Implementation Guide history of changes''' <br /><br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 10%;"| '''Author'''<br />
! scope="col" style="width: 10%;"| '''Date'''<br />
! scope="col" style="width: 10%;"| '''Number'''<br />
! scope="col" style="width: 60%;"| '''Change description'''<br />
|- style="vertical-align:top;"<br />
| <br />
| 05/17/2016<br />
| 01<br />
| The original version of the document, designed to meet the requirements of PCI DSS version 3.1 and PA DSS version 3.1<br />
|- <br />
|}<br />
<br /><br /><br />
<br />
==Data protection==<br />
The PCI DSS and PA-DSS standards prohibit storage of sensitive authentication data (after authorization) or cardholder data in cleartext.<br /><br /><br />
Cardholder data includes:<br />
:* Primary Account Number (PAN) <br />
:* Cardholder Name <br />
:* Expiration Date <br />
:* Service Code <br />
<br /><br />
Sensitive authentication data (SAD) includes: <br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
<br /><br />
X-Cart Payments has the ability to store parts of cardholder data temporarily to perform 3D Secure verification and certain types of transactions for some of the integrated payment processors. During storage, cardholder data is encrypted using RSA 2048 algorithm and AES 256 for key encryption. When its storage period is over, the data is removed automatically via "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks. <br />
<br /><br /><br />
X-Cart Payments may not be configured to store permanently in the database the following types of data: <br />
:* Full PAN<br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature.<br />
<br /><br /> <br />
The payment application masks PAN on display (except for the moment when the user enters the card number).<br />
X-Cart Payments can display masked PAN on the "Payment details" pages and in the "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. The same data (partially masked with asterisks) may be passed via the API to the integrated software products. X-Cart Payments does not have the ability to display full PAN anywhere, and there are no settings that can change this behavior of the user interface.<br />
<br /><br /><br />
<br />
==Data Collected while Testing==<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments: <br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever choose to collect credit card information to troubleshoot a problem that a customer of yours is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access.<br />
#* Only collect a limited amount of data (no more than is needed to solve the problem).<br />
#* Sensitive authentication data must be encrypted during storage. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Sensitive authentication data must be securely deleted immediately after use.<br />
To prevent uncontrolled storage of cardholder data (for example, in case of operating system failure), it is recommended to disable the swap file or move it to a specially prepared encrypted partition.<br />
<br /><br /><br />
==Authentication and access==<br />
The X-Cart Payments payment application has an only user type. This type cannot get access to payment card numbers and does not have any administrative privileges that may affect PA-DSS compliance.<br />
There are no built-in/default user accounts in X-Cart Payments. You must carefully control access to X-Cart Payments. Follow these rules: <br />
:* Restrict the number of employees who have access to X-Cart Payments to only those who have a business need.<br />
:* Always provide unique usernames for each person who needs access.<br />
:* Do not use system-default usernames and/or passwords.<br />
:* Ensure that web server is run under a non-privileged user account and the application has access to the database from a limited privilege user account.<br />
<br /><br />
To set password lifetime:<br />
# Log in to X-Cart Payments.<br />
# Go to Settings -> General Settings.<br />
# In the "User account password lifetime" field, enter the number of days for which the user account password needs to be valid. The maximum allowed password lifetime is 90 days.<br />
The following related rules apply:<br />
:* The minimum password length is 8 characters.<br />
:* A password must contain both numbers and lower- and uppercase characters.<br />
:* The last 4 passwords must be unique.<br />
:* A user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password.<br />
:* A user is logged off after an inactivity period of 15 minutes.<br />
<br /><br /><br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords: <br />
:* For your Web hosting account administration area (Web hosting account where your online store is hosted);<br />
:* For FTP access to the Web server;<br />
:* For Remote Desktop Connection to the Web server (if available);<br />
:* To connect to the MySQL server that contains your store data.<br />
<br /><br />
Linux authentication mechanism is used for login in the servers with running X-Cart Payments.<br />
Accounts for access to the operating system are managed by the Linux administrator.<br />
For Linux operating system accounts, you must configure the following attributes of the password policy:<br />
:* use personal accounts, do not use any group, shared, or generic accounts and passwords;<br />
:* changes to user passwords at least once every 90 days;<br />
:* require a minimum length of at least seven characters;<br />
:* contain both numeric and alphabetic characters;<br />
:* do not use last four passwords used previously;<br />
:* block account after six invalid logon attempts (minimum 30 minutes or until an administrator enables the user ID).<br />
<br /><br />
Two-factor authentication must be used for remote access to the operating system. The authentication methods, also known as factors, are:<br />
:* something you know, such as a password or a passphrase;<br />
:* something you have, such as a token device or a smart card;<br />
:* something you are, such as a biometric.<br />
<br /><br /><br />
<br />
== Logging==<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. Users do not have the ability to disable or change the logging parameters of X-Cart Payments. X-Cart Payments log journal does not contain cardholder data. It is implemented at the source code level. The setting of an event log journal does not require any additional action from users.<br />
The log files are created in the var/log/ directory. In X-Cart Payments 3.0, logs can be viewed via the X-Cart Payments admin back end. <br />Make sure you restrict access to the log files by business need-to-know. <br />
The following types of activity are logged: <br />
:* All actions taken by any individual with root or administrative privileges.<br />
:* Successes and failures of all individual accesses to application sections and functions.<br />
:* Initialization of the audit logs.<br />
:* User sign in and sign out.<br />
<br /><br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to the files access.log and error.log. <br />
Each log event includes: <br />
:* Type of event;<br />
:* Date and time of event;<br />
:* Username and IP address;<br />
:* Success or failure indication;<br />
:* Action which led to the event;<br />
:* Component which led to the event.<br />
<br /><br />
There is also a meta-log which contains information about other log files being created.<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on the server. This software should: <br />
:* warn on a checksum change of any of X-Cart Payments source code files except for the log file and the database files;<br />
:* record any file writing operations related to X-Cart Payments files.<br />
<br /><br /><br />
<br />
==Communication==<br />
LAN channel or other available connection method can be used as a communication channel.<br />
X-Cart Payments payment application supports the following data formats:<br />
{| class="wikitable" width=90%<br />
|-<br />
| scope="col" style="width: 20%;"| '''Protocol'''<br />
| scope="col" style="width: 70%;"| HTTP protocol (RFC 2616: HTTP/1.1) is used for data transfer between client and server <br />
|- style="vertical-align:top;"<br />
| '''Data transmission method'''<br />
| Only encrypted cardholder data (RSA 2048 and AES 256) is transferred. RAW POST method is used for data transmission – (data stream is transmitted in the body of the request that is sent from client to server)<br />
|- style="vertical-align:top;"<br />
| '''Data format'''<br />
| Data is transmitted in XML format (Extensible Markup Language (XML) 1.0)<br />
|- style="vertical-align:top;"<br />
| '''Port'''<br />
| X-Cart Payments payment application uses ports 80, 123, 443 <br />
|- <br />
|}<br />
<br /><br /><br />
'''Network traffic encryption'''<br /><br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for: <br />
:* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
:* providing remote web-based access to the application.<br />
<br /><br />
If you use some tools to remotely access the application, you should encrypt all the communication using such technologies as TLS or IPSEC. <br />
<br /><br />
As per PCI DSS requirement, cardholder data must never be sent unencrypted by email, and X-Cart Payments does meet this requirement never sending cardholder data by email or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br /><br /><br />
'''Enable TLS'''<br /><br />
TLS protects data that is transmitted between a browser and your web server. It is critical that you have TLS enabled on your web server, and one of the first steps you should take after the installation is to enable TLS. <br />
:* Your web server must be configured to use TLS v1.1 or v1.2 protocols with strong encryption (128-bit or longer key is required).<br />
:* You will need to have a certificate issued for your web domain. Read guidelines on installing Comodo's Instant TLS certificates.<br />
<br /><br />
If a web server does not have TLS enabled, X-Cart Payments will not function or will be notifying users depending on the allow_insecure_protocol parameter set in the config.ini.php file (disabled by default). <br />
X-Cart Payments does not support remote administrative access. Strong encryption must be used for remote access to the server.<br />
The connection of servers with X-Cart Payments payment application to the Internet must be protected by a firewall. In X-Cart Payments configurations involving more than one server, server connections should take place in network segments separated from the Internet via stateful inspection firewalls.<br />
<br /><br /><br />
'''Wireless communications'''<br /><br />
If you use wireless networking to access X-Cart Payments, it is your responsibility to ensure your wireless security configuration follows the PCI DSS requirements. <br />
:* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
:* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
:* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
:* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
::* Use with a minimum 104-bit encryption key and 24 bit-initialization value.<br />
::* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS.<br />
::* Rotate shared WEP keys quarterly (or automatically if the technology permits).<br />
::* Rotate shared WEP keys whenever there are changes in personnel with access to keys.<br />
::* Restrict access based on media access code (MAC) address.<br />
::* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br /><br /><br />
'''Remote access'''<br /><br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time codes. Detailed information can be found on the [[X-Payments:Two-factor_authentication | X-Payments:Two-factor authentication]] page. <br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following: <br />
:* Change the default settings in the remote access software (for example, change the default passwords and use unique passwords for each customer).<br />
:* Allow connections only from specific (known) IP/MAC addresses.<br />
:* Use strong authentication or complex passwords for logins.<br />
:* Enable encrypted data transmission.<br />
:* Enable account lockout after a certain number of failed login attempts.<br />
:* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed.<br />
:* Enable any logging or auditing functions.<br />
:* Restrict access to customer passwords to authorized reseller/integrator personnel.<br />
:* Establish customer passwords according to PCI DSS requirements.<br />
Qualiteam does not provide software updates via remote access on an automated basis. <br />
<br /><br /><br />
<br />
==Hardware and software==<br />
The following requirements must be met for X-Cart Payments payment application self-service terminals:<br /><br />
'''Operating System'''<br /><br />
Linux Ubuntu 16 or later <br /><br />
'''DBMS'''<br /><br />
My SQL 5.6 or later <br /><br />
'''Software'''<br /><br />
PHP 5.5 or later <br /><br />
Apache 2.4 or later<br />
<br /><br /><br />
==Product versioning methodology==<br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 15%;"| '''Version number changes'''<br />
! scope="col" style="width: 45%;"| '''Software changes'''<br />
! scope="col" style="width: 15%;"| '''Description'''<br />
! scope="col" style="width: 15%;"| '''PA-DSS changes'''<br />
|- style="vertical-align:top;"<br />
| Version number does not change<br />
| Change of the software name<br />Change of the vendor name<br />
| Changes not related to the software development process<br />
| Administrative<br />
|- style="vertical-align:top;"<br />
| Increment of the minor version number to reflect a change not affecting the certification. For example, change of the version number from 1.0.5 to 1.0.6 (for the certification of 1.0.x)<br />
| - Changes to the user interface <br />- Changes to the database schema <br />- Changes to supported payment gateway integrations / Addition of new payment gateway integrations<br />
| Сhanges that have no impact on the PA-DSS requirements compliance or Payment Application security<br />
| No Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the second version number. For example, change of the version number from 1.1.* to 1.2.*<br />
| Software changes satisfy the following conditions:<br />- Fewer than 4 sections of the standard (from 1 to 12) involved;<br />- Fewer than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- Less than a half of the software functions (or code) modified;<br />- Changes implemented for compatibility with the updated versions of previously tested OS, DBMS and third party software products.<br />- Addition/removal of supported payment processors.<br />- Recompilation of the source code using a new compiler or different compiler settings.<br />- Changes of the software versioning policy.<br />- Changes of the software not related to security.<br />
| - Changes in the software affecting payment card data mechanisms.<br />- Changes addressing the identified vulnerabilities of the application.<br />- Changes related to the completion of the annual cycle of development (if there are other changes).<br />
| Low Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the first version number. For example, change of the version number from 1.0.* to 2.0.*<br />
| Software changes satisfy the following conditions:<br />- 4 or more sections of the standard (from 1 to 12) involved;<br />- More than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- More than a half of the software functions (or code) modified;<br />- Addition of new supported platforms/OS versions. <br />
| Major changes in the software architecture, global alterations of code<br />
| High Impact<br />
|}<br />
<br /><br />
The release of each new version is accompanied with a notification to all the application users (agents), which indicates the new application version number and a list of main changes in the new version.<br />
<br /><br /><br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PA-DSS_implementation_guide_for_X-Cart_Payments_3&diff=678X-Payments:PA-DSS implementation guide for X-Cart Payments 32016-05-26T09:25:12Z<p>Alex “Ambal” Mulin: </p>
<hr />
<div>==Introduction==<br />
The purpose of this PA-DSS Implementation Guide is to inform employees of organizations using the X-Cart Payments payment application by Qualiteam Software Limited about the methods and means of protection of account data in the X-Cart Payments software.<br />
<br /><br /><br />
The methods include the need for compliance with the information security standards in the payment card industry developed by the international payment systems Visa and MasterCard – Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). For additional information about PCI DSS, please visit the [https://www.pcisecuritystandards.org/ Official PCI Security Standards Council Site].<br />
<br /><br /><br />
The document provides instructions on how to implement the application in a PCI DSS compliant manner.<br />
<br /><br /><br />
Full product name – X-Cart Payments.<br /><br />
Product version – 3.0.х.<br />
<br /><br /><br />
Any servers used to run the X-Cart Payments payment application must be configured according to this PA-DSS Implementation Guide.<br />
<br /><br /><br />
This PA-DSS Implementation Guide should be updated:<br />
:* at least annually;<br />
:* after changes in the payment application (if required);<br />
:* after changes in the PCI DSS and PA-DSS standards.<br />
<br /><br />
The updated Version of the PA-DSS Implementation Guide has to be sent to all the merchants using X-Cart Payments.<br />
<br /><br /><br />
The history of changes to the X-Cart Payments PA-DSS Implementation Guide is provided in the table below.<br />
<br /><br /><br />
'''Table.1. X-Cart Payments PA-DSS Implementation Guide history of changes''' <br /><br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 10%;"| '''Author'''<br />
! scope="col" style="width: 10%;"| '''Date'''<br />
! scope="col" style="width: 10%;"| '''Number'''<br />
! scope="col" style="width: 60%;"| '''Change description'''<br />
|- style="vertical-align:top;"<br />
| <br />
| 05/17/2016<br />
| 01<br />
| The original version of the document, designed to meet the requirements of PCI DSS version 3.1 and PA DSS version 3.1<br />
|- <br />
|}<br />
<br /><br /><br />
<br />
==Data protection==<br />
The PCI DSS and PA-DSS standards prohibit storage of sensitive authentication data (after authorization) or cardholder data in cleartext.<br /><br /><br />
Cardholder data includes:<br />
:* Primary Account Number (PAN) <br />
:* Cardholder Name <br />
:* Expiration Date <br />
:* Service Code <br />
<br /><br />
Sensitive authentication data (SAD) includes: <br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
<br /><br />
X-Cart Payments has the ability to store parts of cardholder data temporarily to perform 3D Secure verification and certain types of transactions for some of the integrated payment processors. During storage, cardholder data is encrypted using RSA 2056 algorithm and AES 256 for key encryption. When its storage period is over, the data is removed automatically via "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks. <br />
<br /><br /><br />
X-Cart Payments may not be configured to store permanently in the database the following types of data: <br />
:* Full PAN<br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature.<br />
<br /><br /> <br />
The payment application masks PAN on display (except for the moment when the user enters the card number).<br />
X-Cart Payments can display masked PAN on the "Payment details" pages and in the "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. The same data (partially masked with asterisks) may be passed via the API to the integrated software products. X-Cart Payments does not have the ability to display full PAN anywhere, and there are no settings that can change this behavior of the user interface.<br />
<br /><br /><br />
<br />
==Data Collected while Testing==<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments: <br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever choose to collect credit card information to troubleshoot a problem that a customer of yours is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access.<br />
#* Only collect a limited amount of data (no more than is needed to solve the problem).<br />
#* Sensitive authentication data must be encrypted during storage. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Sensitive authentication data must be securely deleted immediately after use.<br />
To prevent uncontrolled storage of cardholder data (for example, in case of operating system failure), it is recommended to disable the swap file or move it to a specially prepared encrypted partition.<br />
<br /><br /><br />
==Authentication and access==<br />
The X-Cart Payments payment application has an only user type. This type cannot get access to payment card numbers and does not have any administrative privileges that may affect PA-DSS compliance.<br />
There are no built-in/default user accounts in X-Cart Payments. You must carefully control access to X-Cart Payments. Follow these rules: <br />
:* Restrict the number of employees who have access to X-Cart Payments to only those who have a business need.<br />
:* Always provide unique usernames for each person who needs access.<br />
:* Do not use system-default usernames and/or passwords.<br />
:* Ensure that web server is run under a non-privileged user account and the application has access to the database from a limited privilege user account.<br />
<br /><br />
To set password lifetime:<br />
# Log in to X-Cart Payments.<br />
# Go to Settings -> General Settings.<br />
# In the "User account password lifetime" field, enter the number of days for which the user account password needs to be valid. The maximum allowed password lifetime is 90 days.<br />
The following related rules apply:<br />
:* The minimum password length is 8 characters.<br />
:* A password must contain both numbers and lower- and uppercase characters.<br />
:* The last 4 passwords must be unique.<br />
:* A user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password.<br />
:* A user is logged off after an inactivity period of 15 minutes.<br />
<br /><br /><br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords: <br />
:* For your Web hosting account administration area (Web hosting account where your online store is hosted);<br />
:* For FTP access to the Web server;<br />
:* For Remote Desktop Connection to the Web server (if available);<br />
:* To connect to the MySQL server that contains your store data.<br />
<br /><br />
Linux authentication mechanism is used for login in the servers with running X-Cart Payments.<br />
Accounts for access to the operating system are managed by the Linux administrator.<br />
For Linux operating system accounts, you must configure the following attributes of the password policy:<br />
:* use personal accounts, do not use any group, shared, or generic accounts and passwords;<br />
:* changes to user passwords at least once every 90 days;<br />
:* require a minimum length of at least seven characters;<br />
:* contain both numeric and alphabetic characters;<br />
:* do not use last four passwords used previously;<br />
:* block account after six invalid logon attempts (minimum 30 minutes or until an administrator enables the user ID).<br />
<br /><br />
Two-factor authentication must be used for remote access to the operating system. The authentication methods, also known as factors, are:<br />
:* something you know, such as a password or a passphrase;<br />
:* something you have, such as a token device or a smart card;<br />
:* something you are, such as a biometric.<br />
<br /><br /><br />
<br />
== Logging==<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. Users do not have the ability to disable or change the logging parameters of X-Cart Payments. X-Cart Payments log journal does not contain cardholder data. It is implemented at the source code level. The setting of an event log journal does not require any additional action from users.<br />
The log files are created in the var/log/ directory. In X-Cart Payments 3.0, logs can be viewed via the X-Cart Payments admin back end. <br />Make sure you restrict access to the log files by business need-to-know. <br />
The following types of activity are logged: <br />
:* All actions taken by any individual with root or administrative privileges.<br />
:* Successes and failures of all individual accesses to application sections and functions.<br />
:* Initialization of the audit logs.<br />
:* User sign in and sign out.<br />
<br /><br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to the files access.log and error.log. <br />
Each log event includes: <br />
:* Type of event;<br />
:* Date and time of event;<br />
:* Username and IP address;<br />
:* Success or failure indication;<br />
:* Action which led to the event;<br />
:* Component which led to the event.<br />
<br /><br />
There is also a meta-log which contains information about other log files being created.<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on the server. This software should: <br />
:* warn on a checksum change of any of X-Cart Payments source code files except for the log file and the database files;<br />
:* record any file writing operations related to X-Cart Payments files.<br />
<br /><br /><br />
<br />
==Communication==<br />
LAN channel or other available connection method can be used as a communication channel.<br />
X-Cart Payments payment application supports the following data formats:<br />
{| class="wikitable" width=90%<br />
|-<br />
| scope="col" style="width: 20%;"| '''Protocol'''<br />
| scope="col" style="width: 70%;"| HTTP protocol (RFC 2616: HTTP/1.1) is used for data transfer between client and server <br />
|- style="vertical-align:top;"<br />
| '''Data transmission method'''<br />
| Only encrypted cardholder data (RSA 2048 and AES 256) is transferred. RAW POST method is used for data transmission – (data stream is transmitted in the body of the request that is sent from client to server)<br />
|- style="vertical-align:top;"<br />
| '''Data format'''<br />
| Data is transmitted in XML format (Extensible Markup Language (XML) 1.0)<br />
|- style="vertical-align:top;"<br />
| '''Port'''<br />
| X-Cart Payments payment application uses ports 80, 123, 443 <br />
|- <br />
|}<br />
<br /><br /><br />
'''Network traffic encryption'''<br /><br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for: <br />
:* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
:* providing remote web-based access to the application.<br />
<br /><br />
If you use some tools to remotely access the application, you should encrypt all the communication using such technologies as TLS or IPSEC. <br />
<br /><br />
As per PCI DSS requirement, cardholder data must never be sent unencrypted by email, and X-Cart Payments does meet this requirement never sending cardholder data by email or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br /><br /><br />
'''Enable TLS'''<br /><br />
TLS protects data that is transmitted between a browser and your web server. It is critical that you have TLS enabled on your web server, and one of the first steps you should take after the installation is to enable TLS. <br />
:* Your web server must be configured to use TLS v1.1 or v1.2 protocols with strong encryption (128-bit or longer key is required).<br />
:* You will need to have a certificate issued for your web domain. Read guidelines on installing Comodo's Instant TLS certificates.<br />
<br /><br />
If a web server does not have TLS enabled, X-Cart Payments will not function or will be notifying users depending on the allow_insecure_protocol parameter set in the config.ini.php file (disabled by default). <br />
X-Cart Payments does not support remote administrative access. Strong encryption must be used for remote access to the server.<br />
The connection of servers with X-Cart Payments payment application to the Internet must be protected by a firewall. In X-Cart Payments configurations involving more than one server, server connections should take place in network segments separated from the Internet via stateful inspection firewalls.<br />
<br /><br /><br />
'''Wireless communications'''<br /><br />
If you use wireless networking to access X-Cart Payments, it is your responsibility to ensure your wireless security configuration follows the PCI DSS requirements. <br />
:* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
:* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
:* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
:* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
::* Use with a minimum 104-bit encryption key and 24 bit-initialization value.<br />
::* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS.<br />
::* Rotate shared WEP keys quarterly (or automatically if the technology permits).<br />
::* Rotate shared WEP keys whenever there are changes in personnel with access to keys.<br />
::* Restrict access based on media access code (MAC) address.<br />
::* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br /><br /><br />
'''Remote access'''<br /><br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time codes. Detailed information can be found on the [[X-Payments:Two-factor_authentication | X-Payments:Two-factor authentication]] page. <br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following: <br />
:* Change the default settings in the remote access software (for example, change the default passwords and use unique passwords for each customer).<br />
:* Allow connections only from specific (known) IP/MAC addresses.<br />
:* Use strong authentication or complex passwords for logins.<br />
:* Enable encrypted data transmission.<br />
:* Enable account lockout after a certain number of failed login attempts.<br />
:* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed.<br />
:* Enable any logging or auditing functions.<br />
:* Restrict access to customer passwords to authorized reseller/integrator personnel.<br />
:* Establish customer passwords according to PCI DSS requirements.<br />
Qualiteam does not provide software updates via remote access on an automated basis. <br />
<br /><br /><br />
<br />
==Hardware and software==<br />
The following requirements must be met for X-Cart Payments payment application self-service terminals:<br /><br />
'''Operating System'''<br /><br />
Linux Ubuntu 16 or later <br /><br />
'''DBMS'''<br /><br />
My SQL 5.6 or later <br /><br />
'''Software'''<br /><br />
PHP 5.5 or later <br /><br />
Apache 2.4 or later<br />
<br /><br /><br />
==Product versioning methodology==<br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 15%;"| '''Version number changes'''<br />
! scope="col" style="width: 45%;"| '''Software changes'''<br />
! scope="col" style="width: 15%;"| '''Description'''<br />
! scope="col" style="width: 15%;"| '''PA-DSS changes'''<br />
|- style="vertical-align:top;"<br />
| Version number does not change<br />
| Change of the software name<br />Change of the vendor name<br />
| Changes not related to the software development process<br />
| Administrative<br />
|- style="vertical-align:top;"<br />
| Increment of the minor version number to reflect a change not affecting the certification. For example, change of the version number from 1.0.5 to 1.0.6 (for the certification of 1.0.x)<br />
| - Changes to the user interface <br />- Changes to the database schema <br />- Changes to supported payment gateway integrations / Addition of new payment gateway integrations<br />
| Сhanges that have no impact on the PA-DSS requirements compliance or Payment Application security<br />
| No Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the second version number. For example, change of the version number from 1.1.* to 1.2.*<br />
| Software changes satisfy the following conditions:<br />- Fewer than 4 sections of the standard (from 1 to 12) involved;<br />- Fewer than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- Less than a half of the software functions (or code) modified;<br />- Changes implemented for compatibility with the updated versions of previously tested OS, DBMS and third party software products.<br />- Addition/removal of supported payment processors.<br />- Recompilation of the source code using a new compiler or different compiler settings.<br />- Changes of the software versioning policy.<br />- Changes of the software not related to security.<br />
| - Changes in the software affecting payment card data mechanisms.<br />- Changes addressing the identified vulnerabilities of the application.<br />- Changes related to the completion of the annual cycle of development (if there are other changes).<br />
| Low Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the first version number. For example, change of the version number from 1.0.* to 2.0.*<br />
| Software changes satisfy the following conditions:<br />- 4 or more sections of the standard (from 1 to 12) involved;<br />- More than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- More than a half of the software functions (or code) modified;<br />- Addition of new supported platforms/OS versions. <br />
| Major changes in the software architecture, global alterations of code<br />
| High Impact<br />
|}<br />
<br /><br />
The release of each new version is accompanied with a notification to all the application users (agents), which indicates the new application version number and a list of main changes in the new version.<br />
<br /><br /><br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PA-DSS_implementation_guide_for_X-Cart_Payments_3&diff=677X-Payments:PA-DSS implementation guide for X-Cart Payments 32016-05-26T09:23:38Z<p>Alex “Ambal” Mulin: </p>
<hr />
<div>==Introduction==<br />
The purpose of this PA-DSS Implementation Guide is to inform employees of organizations using the X-Cart Payments payment application by Qualiteam Software Limited about the methods and means of protection of account data in the X-Cart Payments software.<br />
<br /><br /><br />
The methods include the need for compliance with the information security standards in the payment card industry developed by the international payment systems Visa and MasterCard – Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). For additional information about PCI DSS, please visit the [https://www.pcisecuritystandards.org/ Official PCI Security Standards Council Site].<br />
<br /><br /><br />
The document provides instructions on how to implement the application in a PCI DSS compliant manner.<br />
<br /><br /><br />
Full product name – X-Cart Payments.<br /><br />
Product version – 3.0.х.<br />
<br /><br /><br />
Any servers used to run the X-Cart Payments payment application must be configured according to this PA-DSS Implementation Guide.<br />
<br /><br /><br />
This PA-DSS Implementation Guide should be updated:<br />
:* at least annually;<br />
:* after changes in the payment application (if required);<br />
:* after changes in the PCI DSS and PA-DSS standards.<br />
<br /><br />
The updated Version of the PA-DSS Implementation Guide has to be sent to all the merchants using X-Cart Payments.<br />
<br /><br /><br />
The history of changes to the X-Cart Payments PA-DSS Implementation Guide is provided in the table below.<br />
<br /><br /><br />
'''Table.1. X-Cart Payments PA-DSS Implementation Guide history of changes''' <br /><br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 10%;"| '''Author'''<br />
! scope="col" style="width: 10%;"| '''Date'''<br />
! scope="col" style="width: 10%;"| '''Number'''<br />
! scope="col" style="width: 60%;"| '''Change description'''<br />
|- style="vertical-align:top;"<br />
| <br />
| 05/17/2016<br />
| 01<br />
| The original version of the document, designed to meet the requirements of PCI DSS version 3.1 and PA DSS version 3.1<br />
|- <br />
|}<br />
<br /><br /><br />
<br />
==Data protection==<br />
The PCI DSS and PA-DSS standards prohibit storage of sensitive authentication data (after authorization) or cardholder data in cleartext.<br /><br /><br />
Cardholder data includes:<br />
:* Primary Account Number (PAN) <br />
:* Cardholder Name <br />
:* Expiration Date <br />
:* Service Code <br />
<br /><br />
Sensitive authentication data (SAD) includes: <br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
<br /><br />
X-Cart Payments has the ability to store parts of cardholder data temporarily to perform 3D Secure verification and certain types of transactions for some of the integrated payment processors. During storage, cardholder data is encrypted using RSA 2056 algorithm and AES 256 for key encryption. When its storage period is over, the data is removed automatically via "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks. <br />
<br /><br /><br />
X-Cart Payments may not be configured to store permanently in the database the following types of data: <br />
:* Full PAN<br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature.<br />
<br /><br /> <br />
The payment application masks PAN on display (except for the moment when the user enters the card number).<br />
X-Cart Payments can display masked PAN on the "Payment details" pages and in the "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. The same data (partially masked with asterisks) may be passed via the API to the integrated software products. X-Cart Payments does not have the ability to display full PAN anywhere, and there are no settings that can change this behavior of the user interface.<br />
<br /><br /><br />
<br />
==Data Collected while Testing==<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments: <br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever choose to collect credit card information to troubleshoot a problem that a customer of yours is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access.<br />
#* Only collect a limited amount of data (no more than is needed to solve the problem).<br />
#* Sensitive authentication data must be encrypted during storage. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Sensitive authentication data must be securely deleted immediately after use.<br />
To prevent uncontrolled storage of cardholder data (for example, in case of operating system failure), it is recommended to disable the swap file or move it to a specially prepared encrypted partition.<br />
<br /><br /><br />
==Authentication and access==<br />
The X-Cart Payments payment application has an only user type. This type cannot get access to payment card numbers and does not have any administrative privileges that may affect PA-DSS compliance.<br />
There are no built-in/default user accounts in X-Cart Payments. You must carefully control access to X-Cart Payments. Follow these rules: <br />
:* Restrict the number of employees who have access to X-Cart Payments to only those who have a business need.<br />
:* Always provide unique usernames for each person who needs access.<br />
:* Do not use system-default usernames and/or passwords.<br />
:* Ensure that web server is run under a non-privileged user account and the application has access to the database from a limited privilege user account.<br />
<br /><br />
To set password lifetime:<br />
# Log in to X-Cart Payments.<br />
# Go to Settings -> General Settings.<br />
# In the "User account password lifetime" field, enter the number of days for which the user account password needs to be valid. The maximum allowed password lifetime is 90 days.<br />
The following related rules apply:<br />
:* The minimum password length is 8 characters.<br />
:* A password must contain both numbers and lower- and uppercase characters.<br />
:* The last 4 passwords must be unique.<br />
:* A user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password.<br />
:* A user is logged off after an inactivity period of 15 minutes.<br />
<br /><br /><br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords: <br />
:* For your Web hosting account administration area (Web hosting account where your online store is hosted);<br />
:* For FTP access to the Web server;<br />
:* For Remote Desktop Connection to the Web server (if available);<br />
:* To connect to the MySQL server that contains your store data.<br />
<br /><br />
Linux authentication mechanism is used for login in the servers with running X-Payments.<br />
Accounts for access to the operating system are managed by the Linux administrator.<br />
For Linux operating system accounts, you must configure the following attributes of the password policy:<br />
:* use personal accounts, do not use any group, shared, or generic accounts and passwords;<br />
:* changes to user passwords at least once every 90 days;<br />
:* require a minimum length of at least seven characters;<br />
:* contain both numeric and alphabetic characters;<br />
:* do not use last four passwords used previously;<br />
:* block account after six invalid logon attempts (minimum 30 minutes or until an administrator enables the user ID).<br />
<br /><br />
Two-factor authentication must be used for remote access to the operating system. The authentication methods, also known as factors, are:<br />
:* something you know, such as a password or a passphrase;<br />
:* something you have, such as a token device or a smart card;<br />
:* something you are, such as a biometric.<br />
<br /><br /><br />
<br />
== Logging==<br />
Audit trails are automatically enabled with the default installation of X-Payments. Users do not have the ability to disable or change the logging parameters of X-Cart Payments. X-Cart Payments log journal does not contain cardholder data. It is implemented at the source code level. The setting of an event log journal does not require any additional action from users.<br />
The log files are created in the var/log/ directory. In X-Cart Payments 3.0, logs can be viewed via the X-Cart Payments admin back end. <br />Make sure you restrict access to the log files by business need-to-know. <br />
The following types of activity are logged: <br />
:* All actions taken by any individual with root or administrative privileges.<br />
:* Successes and failures of all individual accesses to application sections and functions.<br />
:* Initialization of the audit logs.<br />
:* User sign in and sign out.<br />
<br /><br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to the files access.log and error.log. <br />
Each log event includes: <br />
:* Type of event;<br />
:* Date and time of event;<br />
:* Username and IP address;<br />
:* Success or failure indication;<br />
:* Action which led to the event;<br />
:* Component which led to the event.<br />
<br /><br />
There is also a meta-log which contains information about other log files being created.<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on the server. This software should: <br />
:* warn on a checksum change of any of X-Cart Payments source code files except for the log file and the database files;<br />
:* record any file writing operations related to X-Cart Payments files.<br />
<br /><br /><br />
<br />
==Communication==<br />
LAN channel or other available connection method can be used as a communication channel.<br />
X-Cart Payments payment application supports the following data formats:<br />
{| class="wikitable" width=90%<br />
|-<br />
| scope="col" style="width: 20%;"| '''Protocol'''<br />
| scope="col" style="width: 70%;"| HTTP protocol (RFC 2616: HTTP/1.1) is used for data transfer between client and server <br />
|- style="vertical-align:top;"<br />
| '''Data transmission method'''<br />
| Only encrypted cardholder data (RSA 2048 and AES 256) is transferred. RAW POST method is used for data transmission – (data stream is transmitted in the body of the request that is sent from client to server)<br />
|- style="vertical-align:top;"<br />
| '''Data format'''<br />
| Data is transmitted in XML format (Extensible Markup Language (XML) 1.0)<br />
|- style="vertical-align:top;"<br />
| '''Port'''<br />
| X-Cart Payments payment application uses ports 80, 123, 443 <br />
|- <br />
|}<br />
<br /><br /><br />
'''Network traffic encryption'''<br /><br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for: <br />
:* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
:* providing remote web-based access to the application.<br />
<br /><br />
If you use some tools to remotely access the application, you should encrypt all the communication using such technologies as TLS or IPSEC. <br />
<br /><br />
As per PCI DSS requirement, cardholder data must never be sent unencrypted by email, and X-Cart Payments does meet this requirement never sending cardholder data by email or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br /><br /><br />
'''Enable TLS'''<br /><br />
TLS protects data that is transmitted between a browser and your web server. It is critical that you have TLS enabled on your web server, and one of the first steps you should take after the installation is to enable TLS. <br />
:* Your web server must be configured to use TLS v1.1 or v1.2 protocols with strong encryption (128-bit or longer key is required).<br />
:* You will need to have a certificate issued for your web domain. Read guidelines on installing Comodo's Instant TLS certificates.<br />
<br /><br />
If a web server does not have TLS enabled, X-Cart Payments will not function or will be notifying users depending on the allow_insecure_protocol parameter set in the config.ini.php file (disabled by default). <br />
X-Cart Payments does not support remote administrative access. Strong encryption must be used for remote access to the server.<br />
The connection of servers with X-Cart Payments payment application to the Internet must be protected by a firewall. In X-Cart Payments configurations involving more than one server, server connections should take place in network segments separated from the Internet via stateful inspection firewalls.<br />
<br /><br /><br />
'''Wireless communications'''<br /><br />
If you use wireless networking to access X-Cart Payments, it is your responsibility to ensure your wireless security configuration follows the PCI DSS requirements. <br />
:* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
:* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
:* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
:* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
::* Use with a minimum 104-bit encryption key and 24 bit-initialization value.<br />
::* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS.<br />
::* Rotate shared WEP keys quarterly (or automatically if the technology permits).<br />
::* Rotate shared WEP keys whenever there are changes in personnel with access to keys.<br />
::* Restrict access based on media access code (MAC) address.<br />
::* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br /><br /><br />
'''Remote access'''<br /><br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time codes. Detailed information can be found on the [[X-Payments:Two-factor_authentication | X-Payments:Two-factor authentication]] page. <br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following: <br />
:* Change the default settings in the remote access software (for example, change the default passwords and use unique passwords for each customer).<br />
:* Allow connections only from specific (known) IP/MAC addresses.<br />
:* Use strong authentication or complex passwords for logins.<br />
:* Enable encrypted data transmission.<br />
:* Enable account lockout after a certain number of failed login attempts.<br />
:* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed.<br />
:* Enable any logging or auditing functions.<br />
:* Restrict access to customer passwords to authorized reseller/integrator personnel.<br />
:* Establish customer passwords according to PCI DSS requirements.<br />
Qualiteam does not provide software updates via remote access on an automated basis. <br />
<br /><br /><br />
<br />
==Hardware and software==<br />
The following requirements must be met for X-Cart Payments payment application self-service terminals:<br /><br />
'''Operating System'''<br /><br />
Linux Ubuntu 16 or later <br /><br />
'''DBMS'''<br /><br />
My SQL 5.6 or later <br /><br />
'''Software'''<br /><br />
PHP 5.5 or later <br /><br />
Apache 2.4 or later<br />
<br /><br /><br />
==Product versioning methodology==<br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 15%;"| '''Version number changes'''<br />
! scope="col" style="width: 45%;"| '''Software changes'''<br />
! scope="col" style="width: 15%;"| '''Description'''<br />
! scope="col" style="width: 15%;"| '''PA-DSS changes'''<br />
|- style="vertical-align:top;"<br />
| Version number does not change<br />
| Change of the software name<br />Change of the vendor name<br />
| Changes not related to the software development process<br />
| Administrative<br />
|- style="vertical-align:top;"<br />
| Increment of the minor version number to reflect a change not affecting the certification. For example, change of the version number from 1.0.5 to 1.0.6 (for the certification of 1.0.x)<br />
| - Changes to the user interface <br />- Changes to the database schema <br />- Changes to supported payment gateway integrations / Addition of new payment gateway integrations<br />
| Сhanges that have no impact on the PA-DSS requirements compliance or Payment Application security<br />
| No Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the second version number. For example, change of the version number from 1.1.* to 1.2.*<br />
| Software changes satisfy the following conditions:<br />- Fewer than 4 sections of the standard (from 1 to 12) involved;<br />- Fewer than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- Less than a half of the software functions (or code) modified;<br />- Changes implemented for compatibility with the updated versions of previously tested OS, DBMS and third party software products.<br />- Addition/removal of supported payment processors.<br />- Recompilation of the source code using a new compiler or different compiler settings.<br />- Changes of the software versioning policy.<br />- Changes of the software not related to security.<br />
| - Changes in the software affecting payment card data mechanisms.<br />- Changes addressing the identified vulnerabilities of the application.<br />- Changes related to the completion of the annual cycle of development (if there are other changes).<br />
| Low Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the first version number. For example, change of the version number from 1.0.* to 2.0.*<br />
| Software changes satisfy the following conditions:<br />- 4 or more sections of the standard (from 1 to 12) involved;<br />- More than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- More than a half of the software functions (or code) modified;<br />- Addition of new supported platforms/OS versions. <br />
| Major changes in the software architecture, global alterations of code<br />
| High Impact<br />
|}<br />
<br /><br />
The release of each new version is accompanied with a notification to all the application users (agents), which indicates the new application version number and a list of main changes in the new version.<br />
<br /><br /><br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PA-DSS_implementation_guide_for_X-Cart_Payments_3&diff=676X-Payments:PA-DSS implementation guide for X-Cart Payments 32016-05-26T09:17:58Z<p>Alex “Ambal” Mulin: /* Introduction */</p>
<hr />
<div>==Introduction==<br />
The purpose of this PA-DSS Implementation Guide is to inform employees of organizations using the X-Cart Payments payment application by Qualiteam Software Limited about the methods and means of protection of account data in the X-Cart Payments software.<br />
<br /><br /><br />
The methods include the need for compliance with the information security standards in the payment card industry developed by the international payment systems Visa and MasterCard – Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). For additional information about PCI DSS, please visit the [https://www.pcisecuritystandards.org/ Official PCI Security Standards Council Site].<br />
<br /><br /><br />
The document provides instructions on how to implement the application in a PCI DSS compliant manner.<br />
<br /><br /><br />
Full product name – X-Cart Payments.<br /><br />
Product version – 3.0.х.<br />
<br /><br /><br />
Any servers used to run the X-Cart Payments payment application must be configured according to this PA-DSS Implementation Guide.<br />
<br /><br /><br />
This PA-DSS Implementation Guide should be updated:<br />
:* at least annually;<br />
:* after changes in the payment application (if required);<br />
:* after changes in the PCI DSS and PA-DSS standards.<br />
<br /><br />
The updated Version of the PA-DSS Implementation Guide has to be sent to all the merchants using X-Cart Payments.<br />
<br /><br /><br />
The history of changes to the X-Cart Payments PA-DSS Implementation Guide is provided in the table below.<br />
<br /><br /><br />
'''Table.1. X-Cart Payments PA-DSS Implementation Guide history of changes''' <br /><br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 10%;"| '''Author'''<br />
! scope="col" style="width: 10%;"| '''Date'''<br />
! scope="col" style="width: 10%;"| '''Number'''<br />
! scope="col" style="width: 60%;"| '''Change description'''<br />
|- style="vertical-align:top;"<br />
| <br />
| 05/17/2016<br />
| 01<br />
| The original version of the document, designed to meet the requirements of PCI DSS version 3.1 and PA DSS version 3.1<br />
|- <br />
|}<br />
<br /><br /><br />
<br />
==Data protection==<br />
The PCI DSS and PA-DSS standards prohibit storage of sensitive authentication data (after authorization) or cardholder data in cleartext.<br /><br /><br />
Cardholder data includes:<br />
:* Primary Account Number (PAN) <br />
:* Cardholder Name <br />
:* Expiration Date <br />
:* Service Code <br />
<br /><br />
Sensitive authentication data (SAD) includes: <br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
<br /><br />
X-Payments has the ability to store parts of cardholder data temporarily to perform 3D Secure verification and certain types of transactions for some of the integrated payment processors. During storage, cardholder data is encrypted using RSA 2056 algorithm and AES 256 for key encryption. When its storage period is over, the data is removed automatically via "cron" software that needs to be installed and configured to run X-Payments periodic tasks. <br />
<br /><br /><br />
X-Payments may not be configured to store permanently in the database the following types of data: <br />
:* Full PAN<br />
:* Full track data (magnetic-stripe data or equivalent on a chip) <br />
:* CAV2/CVC2/CVV2/CID <br />
:* PINs/PIN blocks <br />
Merchants and/or developers implementing X-Payments should not attempt to customize this as a feature.<br />
<br /><br /> <br />
The payment application masks PAN on display (except for the moment when the user enters the card number).<br />
X-Payments can display masked PAN on the "Payment details" pages and in the "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. The same data (partially masked with asterisks) may be passed via the API to the integrated software products. X-Payments does not have the ability to display full PAN anywhere, and there are no settings that can change this behavior of the user interface.<br />
<br /><br /><br />
<br />
==Data Collected while Testing==<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments: <br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever choose to collect credit card information to troubleshoot a problem that a customer of yours is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access.<br />
#* Only collect a limited amount of data (no more than is needed to solve the problem).<br />
#* Sensitive authentication data must be encrypted during storage. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Sensitive authentication data must be securely deleted immediately after use.<br />
To prevent uncontrolled storage of cardholder data (for example, in case of operating system failure), it is recommended to disable the swap file or move it to a specially prepared encrypted partition.<br />
<br /><br /><br />
==Authentication and access==<br />
The X-Payments payment application has an only user type. This type cannot get access to payment card numbers and does not have any administrative privileges that may affect PA-DSS compliance.<br />
There are no built-in/default user accounts in X-Payments. You must carefully control access to X-Payments. Follow these rules: <br />
:* Restrict the number of employees who have access to X-Payments to only those who have a business need.<br />
:* Always provide unique usernames for each person who needs access.<br />
:* Do not use system-default usernames and/or passwords.<br />
:* Ensure that web server is run under a non-privileged user account and the application has access to the database from a limited privilege user account.<br />
<br /><br />
To set password lifetime:<br />
# Log in to X-Cart Payments.<br />
# Go to Settings -> General Settings.<br />
# In the "User account password lifetime" field, enter the number of days for which the user account password needs to be valid. The maximum allowed password lifetime is 90 days.<br />
The following related rules apply:<br />
:* The minimum password length is 8 characters.<br />
:* A password must contain both numbers and lower- and uppercase characters.<br />
:* The last 4 passwords must be unique.<br />
:* A user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password.<br />
:* A user is logged off after an inactivity period of 15 minutes.<br />
<br /><br /><br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords: <br />
:* For your Web hosting account administration area (Web hosting account where your online store is hosted);<br />
:* For FTP access to the Web server;<br />
:* For Remote Desktop Connection to the Web server (if available);<br />
:* To connect to the MySQL server that contains your store data.<br />
<br /><br />
Linux authentication mechanism is used for login in the servers with running X-Payments.<br />
Accounts for access to the operating system are managed by the Linux administrator.<br />
For Linux operating system accounts, you must configure the following attributes of the password policy:<br />
:* use personal accounts, do not use any group, shared, or generic accounts and passwords;<br />
:* changes to user passwords at least once every 90 days;<br />
:* require a minimum length of at least seven characters;<br />
:* contain both numeric and alphabetic characters;<br />
:* do not use last four passwords used previously;<br />
:* block account after six invalid logon attempts (minimum 30 minutes or until an administrator enables the user ID).<br />
<br /><br />
Two-factor authentication must be used for remote access to the operating system. The authentication methods, also known as factors, are:<br />
:* something you know, such as a password or a passphrase;<br />
:* something you have, such as a token device or a smart card;<br />
:* something you are, such as a biometric.<br />
<br /><br /><br />
<br />
== Logging==<br />
Audit trails are automatically enabled with the default installation of X-Payments. Users do not have the ability to disable or change the logging parameters of X-Payments. X-Payments log journal does not contain cardholder data. It is implemented at the source code level. The setting of an event log journal does not require any additional action from users.<br />
The log files are created in the var/log/ directory. In X-Payments 3.0, logs can be viewed via the X-Payments admin back end. <br />Make sure you restrict access to the log files by business need-to-know. <br />
The following types of activity are logged: <br />
:* All actions taken by any individual with root or administrative privileges.<br />
:* Successes and failures of all individual accesses to application sections and functions.<br />
:* Initialization of the audit logs.<br />
:* User sign in and sign out.<br />
<br /><br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to the files access.log and error.log. <br />
Each log event includes: <br />
:* Type of event;<br />
:* Date and time of event;<br />
:* Username and IP address;<br />
:* Success or failure indication;<br />
:* Action which led to the event;<br />
:* Component which led to the event.<br />
<br /><br />
There is also a meta-log which contains information about other log files being created.<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on the server. This software should: <br />
:* warn on a checksum change of any of X-Cart Payments source code files except for the log file and the database files;<br />
:* record any file writing operations related to X-Cart Payments files.<br />
<br /><br /><br />
<br />
==Communication==<br />
LAN channel or other available connection method can be used as a communication channel.<br />
X-Payments payment application supports the following data formats:<br />
{| class="wikitable" width=90%<br />
|-<br />
| scope="col" style="width: 20%;"| '''Protocol'''<br />
| scope="col" style="width: 70%;"| HTTP protocol (RFC 2616: HTTP/1.1) is used for data transfer between client and server <br />
|- style="vertical-align:top;"<br />
| '''Data transmission method'''<br />
| Only encrypted cardholder data (RSA 2048 and AES 256) is transferred. RAW POST method is used for data transmission – (data stream is transmitted in the body of the request that is sent from client to server)<br />
|- style="vertical-align:top;"<br />
| '''Data format'''<br />
| Data is transmitted in XML format (Extensible Markup Language (XML) 1.0)<br />
|- style="vertical-align:top;"<br />
| '''Port'''<br />
| X-Payments payment application uses ports 80, 123, 443 <br />
|- <br />
|}<br />
<br /><br /><br />
'''Network traffic encryption'''<br /><br />
X-Payments uses encryption, such as TLS or IPSEC, for: <br />
:* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
:* providing remote web-based access to the application.<br />
<br /><br />
If you use some tools to remotely access the application, you should encrypt all the communication using such technologies as TLS or IPSEC. <br />
<br /><br />
As per PCI DSS requirement, cardholder data must never be sent unencrypted by email, and X-Payments does meet this requirement never sending cardholder data by email or by IMs. Merchants and/or developers implementing X-Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br /><br /><br />
'''Enable TLS'''<br /><br />
TLS protects data that is transmitted between a browser and your web server. It is critical that you have TLS enabled on your web server, and one of the first steps you should take after the installation is to enable TLS. <br />
:* Your web server must be configured to use TLS v1.1 or v1.2 protocols with strong encryption (128-bit or longer key is required).<br />
:* You will need to have a certificate issued for your web domain. Read guidelines on installing Comodo's Instant TLS certificates.<br />
<br /><br />
If a web server does not have TLS enabled, X-Payments will not function or will be notifying users depending on the allow_insecure_protocol parameter set in the config.ini.php file (disabled by default). <br />
X-Payments does not support remote administrative access. Strong encryption must be used for remote access to the server.<br />
The connection of servers with X-Payments payment application to the Internet must be protected by a firewall. In X-Payments configurations involving more than one server, server connections should take place in network segments separated from the Internet via stateful inspection firewalls.<br />
<br /><br /><br />
'''Wireless communications'''<br /><br />
If you use wireless networking to access X-Payments, it is your responsibility to ensure your wireless security configuration follows the PCI DSS requirements. <br />
:* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
:* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
:* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
:* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
::* Use with a minimum 104-bit encryption key and 24 bit-initialization value.<br />
::* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS.<br />
::* Rotate shared WEP keys quarterly (or automatically if the technology permits).<br />
::* Rotate shared WEP keys whenever there are changes in personnel with access to keys.<br />
::* Restrict access based on media access code (MAC) address.<br />
::* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br /><br /><br />
'''Remote access'''<br /><br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time codes. Detailed information can be found on the [[X-Payments:Two-factor_authentication | X-Payments:Two-factor authentication]] page. <br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following: <br />
:* Change the default settings in the remote access software (for example, change the default passwords and use unique passwords for each customer).<br />
:* Allow connections only from specific (known) IP/MAC addresses.<br />
:* Use strong authentication or complex passwords for logins.<br />
:* Enable encrypted data transmission.<br />
:* Enable account lockout after a certain number of failed login attempts.<br />
:* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed.<br />
:* Enable any logging or auditing functions.<br />
:* Restrict access to customer passwords to authorized reseller/integrator personnel.<br />
:* Establish customer passwords according to PCI DSS requirements.<br />
Qualiteam does not provide software updates via remote access on an automated basis. <br />
<br /><br /><br />
<br />
==Hardware and software==<br />
The following requirements must be met for X-Payments payment application self-service terminals:<br /><br />
'''Operating System'''<br /><br />
Linux Ubuntu 16 or later <br /><br />
'''DBMS'''<br /><br />
My SQL 5.6 or later <br /><br />
'''Software'''<br /><br />
PHP 5.5 or later <br /><br />
Apache 2.4 or later<br />
<br /><br /><br />
==Product versioning methodology==<br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 15%;"| '''Version number changes'''<br />
! scope="col" style="width: 45%;"| '''Software changes'''<br />
! scope="col" style="width: 15%;"| '''Description'''<br />
! scope="col" style="width: 15%;"| '''PA-DSS changes'''<br />
|- style="vertical-align:top;"<br />
| Version number does not change<br />
| Change of the software name<br />Change of the vendor name<br />
| Changes not related to the software development process<br />
| Administrative<br />
|- style="vertical-align:top;"<br />
| Increment of the minor version number to reflect a change not affecting the certification. For example, change of the version number from 1.0.5 to 1.0.6 (for the certification of 1.0.x)<br />
| - Changes to the user interface <br />- Changes to the database schema <br />- Changes to supported payment gateway integrations / Addition of new payment gateway integrations<br />
| Сhanges that have no impact on the PA-DSS requirements compliance or Payment Application security<br />
| No Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the second version number. For example, change of the version number from 1.1.* to 1.2.*<br />
| Software changes satisfy the following conditions:<br />- Fewer than 4 sections of the standard (from 1 to 12) involved;<br />- Fewer than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- Less than a half of the software functions (or code) modified;<br />- Changes implemented for compatibility with the updated versions of previously tested OS, DBMS and third party software products.<br />- Addition/removal of supported payment processors.<br />- Recompilation of the source code using a new compiler or different compiler settings.<br />- Changes of the software versioning policy.<br />- Changes of the software not related to security.<br />
| - Changes in the software affecting payment card data mechanisms.<br />- Changes addressing the identified vulnerabilities of the application.<br />- Changes related to the completion of the annual cycle of development (if there are other changes).<br />
| Low Impact<br />
|- style="vertical-align:top;"<br />
| Increment of the first version number. For example, change of the version number from 1.0.* to 2.0.*<br />
| Software changes satisfy the following conditions:<br />- 4 or more sections of the standard (from 1 to 12) involved;<br />- More than a half of all the requirements of the standard (sections 1 to 12) involved;<br />- More than a half of the software functions (or code) modified;<br />- Addition of new supported platforms/OS versions. <br />
| Major changes in the software architecture, global alterations of code<br />
| High Impact<br />
|}<br />
<br /><br />
The release of each new version is accompanied with a notification to all the application users (agents), which indicates the new application version number and a list of main changes in the new version.<br />
<br /><br /><br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:API&diff=675X-Payments:API2016-05-25T10:29:00Z<p>Alex “Ambal” Mulin: /* API versions supported */</p>
<hr />
<div>== API versions supported ==<br />
<br />
'''API v1.1''': X-Payments 1.0.2-1.0.5 <br /><br />
'''API v1.2''': X-Payments 1.0.6, 2.0.0, 2.0.1 <br /><br />
'''API v1.3''': X-Payments 2.1.0, 2.1.1 <br /><br />
'''API v1.4''': X-Payments 2.1.2 (Nov 2014), 2.1.3 (Feb 2015)<br /><br />
'''API v1.5''': X-Payments 2.2 (June 2015)<br /><br />
'''API v1.6''': X-Payments 3.x (June 2016)<br />
<br />
==Samples==<br />
<br />
While we are doing an addition to our API docs I suggest to use function xpc_api_request from <br />
X-Cart 4 file modules/XPayments_Connector/xpc_func.php as a sample.<br />
<br />
Especially function xpc_request_test() to make a test call.<br />
<br />
==API requests==<br />
<br />
All API requests are made to the '''httрs://<xpayments_url>/api.php''' URL.<br />
Only HTTPS protocol is used.<br />
A request is an XML document that is encrypted using RSA method with a key generated by X-Payments.<br />
<br />
'''Request/Response encryption'''<br />
<br />
* Encryption method used: RSA;<br />
* Key length: 2048 bit;<br />
* A private key is created with a 32 character password;<br />
* The password is generated randomly;<br />
* The number of password characters varies from 33 to 127.<br />
<br />
For each online store X-Payments generates 2 pairs of keys:<br />
<br />
# a public and a private key to encrypt requests/responses from the online store to X-Payments;<br />
# a public and a private key to encrypt requests/responses from X-Payments to the online store.<br />
<br />
So when the online store sends a request to X-Payments, this request is encrypted using the public key from the first pair, X-Payments decrypts it using the private key of the first pair. Then X-Payments response is encrypted using the public key of the second pair, and the online store decrypts this response using the private key of the second pair.<br />
<br />
To ensure full-featured two-way commumication between X-Payments and an online store, you need to copy tree values from the X-Payments interface:<br />
:* Public key from the first pair (Online store → X-Payments),<br />
:* Private key from the second pair (X-Payments → Online store),<br />
:* Private key password,<br />
and have them stored on the side of the online store by an appropriate X-Payments connector.<br />
<br />
<br />
'''Encryption algorithm:'''<br />
<br />
# An empty string is created for pre-prepared data.<br />
# A 32-character salt-block is formed of random characters from 33 to 255.<br />
# The length of the salt-block in bites is taken and transformed into a 12-character string by adding zeros before it.<br />
# The salt-block length string and the salt-block are added to the pre-prepared data.<br />
# MD5 digital signature is taken from the data. The signature is formed as a HEX (32-character string).<br />
# The length of the digital signature in bites is taken and transformed into a 12-character string by adding zeros before it.<br />
# The digital signature length string and the digital signature are added to the pre-prepared data.<br />
# The length of the data string in bites is taken and transformed into a 12-character string by adding zeros before it.<br />
# The data string length string and the data string are added to the pre-prepared data.<br />
# The string of pre-prepared data is divided into 128 bite chunks.<br />
# Each chunk is encrypted using a public key.<br />
# Each chunk is encoded with base64.<br />
# Chunks are glued together using a line feed character (0x0a).<br />
# API prefix is added to the glued chunks.<br />
<br />
===cURL as a means of sending requests===<br />
<br />
Using libcurl v.7.10 and above is recommended.<br />
<br />
TTL should be specified depending on the performance of the server where X-Payments is installed. The recommended value is 120 seconds.<br />
<br />
It is recommended to use SSL v.3 and above.<br />
<br />
===Data types===<br />
<br />
Data types used:<br />
<br />
* string - a UTF-8 string;<br />
* email - an email address no longer than 255 characters;<br />
* URL - a URL address no longer than 255 characters;<br />
* currency - a floating point number denoting a certain sum of money. The mantissa size is the same as the payment currency mantissa size, but not longer than 3. All the exceeding characters will be truncated.<br />
* integer - an integer number.<br />
<br />
ISO 4217 Alpha-3 in the upper register is always used as the payment currency code.<br />
<br />
ISO 639-1 Alpha-2 in the lower register is always used as the language code.<br />
<br />
==Payment configurations list request==<br />
<br />
Returns a list of payment configurations that are configured, enabled, and assigned to this online store/shopping cart.<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment_confs<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal get<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br /><br />
<br />
===Request example===<br />
<br />
<pre><br />
<api_version>1.5</api_version><br />
<target>payment_confs</target><br />
<action>get</action><br />
</pre><br />
<br /><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | payment_module<br />
| colspan="1" | container<br />
| colspan="1" | <br />
|-<br />
| colspan="1" | payment_module/name<br />
| colspan="1" | string<br />
| colspan="1" | Name of the payment configuration, as set by the X-Payments admin<br />
|-<br />
| colspan="1" | payment_module/id<br />
| colspan="1" | integer<br />
| colspan="1" | Identifier of the payment configuration (autoincrement)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes<br />
| colspan="1" | container<br />
| colspan="1" | <br />
|-<br />
| colspan="1" | payment_module/transactionTypes/sale<br />
| colspan="1" | string<br />
| colspan="1" | Whether the payment configuration allows "Sale" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/auth<br />
| colspan="1" | string<br />
| colspan="1" | Whether the payment configuration allows "Authorize only" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/capture<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows "Capture" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/capturePart<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows partial "Capture" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/captureMulti<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows multiple "Capture" operations ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/void<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows "Void" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/voidPart<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows partial "Void" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/voidMulti<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows multiple "Void" operations ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/refund<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows "Refund" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/refundPart<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows partial "Refund" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/refundMulti<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows multiple "Refund" operations ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/getInfo<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows to receive information from the payment gateway ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/accept<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows "Accept" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/decline<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows "Decline" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/test<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows "Test" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/authCaptureInfo<br />
| colspan="1" | container<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | payment_module/authCaptureInfo/authExp<br />
| colspan="1" | integer<br />
| colspan="1" | How many days the transaction can stay in the Authorized status before being declined automatically<br />
|-<br />
| colspan="1" | payment_module/authCaptureInfo/captMinLimit<br />
| colspan="1" | float<br />
| colspan="1" | Minimum capture limit allowed by the payment gateway. Presented as a part of 1 (0 - no minimum limit, 0.2 - minimum 20% of authorized total, 0.5 - 50% of authorized total, etc.)<br />
|-<br />
| colspan="1" | payment_module/authCaptureInfo/captMaxLimit<br />
| colspan="1" | <br />
| colspan="1" | Maximum capture limit allowed by the payment gateway. Presented as a part of 1 (0 - no maximum limit, 0.5 - 50% of authorized total, 1 - 100% of authorized total, etc.)<br />
|-<br />
| colspan="1" | payment_module/moduleName<br />
| colspan="1" | string<br />
| colspan="1" | Default X-Payments name of the payment configuration<br />
|-<br />
| colspan="1" | payment_module/settingsHash<br />
| colspan="1" | string<br />
| colspan="1" | MD5 hash of the payment configuration settings<br />
|-<br />
| colspan="1" | payment_module/currency<br />
| colspan="1" | string<br />
| colspan="1" | 3-characters code of currency (ISO 4217). API v1.3 and later.<br />
|-<br />
| colspan="1" | payment_module/canSaveCards<br />
| colspan="1" | string<br />
| colspan="1" | Whether the payment configuration supports tokenization, i.e. customers' credit card can be saved on the payment gateway ("Y" - supports, "N" - doesn't support). API v1.3 and later.<br />
|-<br />
| colspan="1" | payment_module/class<br />
| colspan="1" | string<br />
| colspan="1" | Service field of the class name. It is unique for a payment module so it can be used to detect a certain payment gateway. E.g. XPay_Module_SagePayDirect for SagePay, XPay_Module_AuthorizeNet for Authorize.Net AIM, etc. API v1.4 and later.<br />
|-<br />
| colspan="1" | payment_module/isTestMode<br />
| colspan="1" | string<br />
| colspan="1" | Indicates if the payment configuration is configured in test mode ("Y" - test mode, "N" - live mode). API v1.4 and later.<br />
|}<br />
<br /><br />
<br />
===Response example===<br />
<br />
<pre><br />
<data><br />
<payment_module type="cell"><br />
<name>First Data Global Gateway e4(SM) Web Service API</name><br />
<id>1</id><br />
<transactionTypes><br />
<sale>1</sale><br />
<auth>1</auth><br />
<capture>1</capture><br />
<capturePart>1</capturePart><br />
<captureMulti></captureMulti><br />
<void>1</void><br />
<voidPart></voidPart><br />
<voidMulti></voidMulti><br />
<refund>1</refund><br />
<refundPart>1</refundPart><br />
<refundMulti>1</refundMulti><br />
<getInfo></getInfo><br />
<accept></accept><br />
<decline></decline><br />
<test></test><br />
</transactionTypes><br />
<authCaptureInfo><br />
<authExp>30</authExp><br />
<captMinLimit>0</captMinLimit><br />
<captMaxLimit>1</captMaxLimit><br />
</authCaptureInfo><br />
<moduleName>First Data Payeezy Gateway (ex- Global Gateway e4)</moduleName><br />
<settingsHash>d41d8cd98f00b204e9800998ecf8427e</settingsHash><br />
<currency>USD</currency><br />
<canSaveCards>Y</canSaveCards><br />
<class>XPay_Module_FirstDataE4</class><br />
<isTestMode>Y</isTestMode><br />
</payment_module><br />
<payment_module type="cell"><br />
<name>Chase Paymentech</name><br />
<id>2</id><br />
<transactionTypes><br />
<sale>1</sale><br />
<auth>1</auth><br />
<capture>1</capture><br />
<capturePart>1</capturePart><br />
<captureMulti></captureMulti><br />
<void>1</void><br />
<voidPart></voidPart><br />
<voidMulti></voidMulti><br />
<refund>1</refund><br />
<refundPart>1</refundPart><br />
<refundMulti></refundMulti><br />
<getInfo></getInfo><br />
<accept></accept><br />
<decline></decline><br />
<test></test><br />
</transactionTypes><br />
<authCaptureInfo><br />
<authExp>30</authExp><br />
<captMinLimit>0</captMinLimit><br />
<captMaxLimit>1</captMaxLimit><br />
</authCaptureInfo><br />
<moduleName>Chase Paymentech</moduleName><br />
<settingsHash>d41d8cd98f00b204e9800998ecf8427e</settingsHash><br />
<currency>USD</currency><br />
<canSaveCards>Y</canSaveCards><br />
<class>XPay_Module_Chase</class><br />
<isTestMode>Y</isTestMode><br />
</payment_module><br />
</data><br />
</pre><br />
<br /><br />
<br />
==Test connection request==<br />
Use this request to test the connection between the store and X-Payments. It can also help to detect the version of the X-Payments installation and the API version supported by X-Payments.<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal connect<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal test<br />
|-<br />
| colspan="1" | testCode<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Any string<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br /><br />
<br />
===Request example===<br />
<br />
<pre><br />
<testCode>123</testCode><br />
<api_version>1.5</api_version><br />
<target>connect</target><br />
<action>test</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | hashCode<br />
| colspan="1" | string<br />
| colspan="1" | MD5 hash of the sent code<br />
|-<br />
| colspan="1" | error<br />
| colspan="1" | string<br />
| colspan="1" | Error code (if any)<br />
|-<br />
| colspan="1" | error_message<br />
| colspan="1" | string<br />
| colspan="1" | Error message<br />
|-<br />
| colspan="1" | is_error_message<br />
| colspan="1" | string<br />
| colspan="1" | Flag indicating the error message presence <br />
|-<br />
| colspan="1" | version<br />
| colspan="1" | string<br />
| colspan="1" | X-Payments version<br />
|}<br />
<br /><br />
<br />
===Response example===<br />
<br />
Example of a good response:<br />
<pre><br />
<data><br />
<hashCode>202cb962ac59075b964b07152d234b70</hashCode><br />
<error></error><br />
<error_message></error_message><br />
<is_error_message></is_error_message><br />
<version>2.2.0</version><br />
</data><br />
</pre><br />
<br />
Example of a response with an error:<br />
<pre><br />
<data><br />
<error>506</error><br />
<error_message>Your X-Payments connector module supports API version "1.9". This X-Payments supports the following API versions only: "1.1, 1.2, 1.3, 1.4, 1.5, 1.6".</error_message><br />
<is_error_message></is_error_message><br />
</data><br />
</pre><br />
<br /><br />
<br />
==Payment initialisation request==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal init<br />
|-<br />
| colspan="1" | confId<br />
| colspan="1" | Y<br />
| colspan="1" | integer<br />
| colspan="1" | Payment module configuration ID<br />
|-<br />
| colspan="1" | refId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Order ID in the online store<br />
|-<br />
| colspan="1" | returnUrl<br />
| colspan="1" | Y<br />
| colspan="1" | URL, 255<br />
| colspan="1" | URL of the page to redirect the customer after payment<br />
|-<br />
| colspan="1" | callbackUrl<br />
| colspan="1" | Y<br />
| colspan="1" | URL, 255<br />
| colspan="1" | URL to which X-Payments sends background requests with service information<br />
|-<br />
| colspan="1" | language<br />
| colspan="1" | N<br />
| colspan="1" | code of ISO 639-1 (Alpha-2)<br />
| colspan="1" | Language code. If not specified - en<br />
|-<br />
| colspan="1" | cart<br />
| colspan="1" | Y<br />
| colspan="1" | container<br />
| colspan="1" | A container with addresses description<br />
|-<br />
| colspan="1" | cart/billingAddress<br />
| colspan="1" | Y<br />
| colspan="1" | container<br />
| colspan="1" | A container with the billing address description<br />
|-<br />
| colspan="1" | cart/billingAddress/firstname<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/lastname<br />
| colspan="1" | N<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/company<br />
| colspan="1" | N<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/address<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/city<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/state<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/country<br />
| colspan="1" | Y<br />
| colspan="1" | string, 2<br />
| colspan="1" | ISO 3166-1 alpha-2 Country code https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2<br />
|-<br />
| colspan="1" | cart/billingAddress/zipcode<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/email<br />
| colspan="1" | Y<br />
| colspan="1" | emai, 255l<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/phone<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/fax<br />
| colspan="1" | N<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress<br />
| colspan="1" | Y<br />
| colspan="1" | container<br />
| colspan="1" | A container with the shipping address description<br />
|-<br />
| colspan="1" | cart/shippingAddress/firstname<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/lastname<br />
| colspan="1" | N<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/company<br />
| colspan="1" | N<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/address<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/city<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/state<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/country<br />
| colspan="1" | Y<br />
| colspan="1" | string, 2<br />
| colspan="1" | ISO 3166-1 alpha-2 Country code https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2<br />
|-<br />
| colspan="1" | cart/shippingAddress/zipcode<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/email<br />
| colspan="1" | Y<br />
| colspan="1" | email, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/phone<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/fax<br />
| colspan="1" | N<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/items<br />
| colspan="1" | Y<br />
| colspan="1" | container<br />
| colspan="1" | A container with product description<br />
|-<br />
| colspan="1" | cart/items/sku<br />
| colspan="1" | Y<br />
| colspan="1" | string, 64<br />
| colspan="1" | SKU (product code)<br />
|-<br />
| colspan="1" | cart/items/name<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" | Product name<br />
|-<br />
| colspan="1" | cart/items/price<br />
| colspan="1" | Y<br />
| colspan="1" | currency<br />
| colspan="1" | Product item price<br />
|-<br />
| colspan="1" | cart/items/quantity<br />
| colspan="1" | N<br />
| colspan="1" | integer<br />
| colspan="1" | Ordered number of products. If not specified - 1<br />
|-<br />
| colspan="1" | cart/login<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" | Unique customer ID in the online store (login, username, userid, etc.)<br />
|-<br />
| colspan="1" | cart/currency<br />
| colspan="1" | N<br />
| colspan="1" | string, 3<br />
| colspan="1" | Payment currency code (ISO 4217 Alpha-3). If not specified, default payment configuration currency is used<br />
|-<br />
| colspan="1" | cart/shippingCost<br />
| colspan="1" | -<br />
| colspan="1" | currency<br />
| colspan="1" | Shipping cost. By default - 0<br />
|-<br />
| colspan="1" | cart/taxCost<br />
| colspan="1" | -<br />
| colspan="1" | currency<br />
| colspan="1" | Tax amount. By default - 0<br />
|-<br />
| colspan="1" | cart/discount<br />
| colspan="1" | -<br />
| colspan="1" | currency<br />
| colspan="1" | Discount amount. By default - 0<br />
|-<br />
| colspan="1" | cart/totalCost<br />
| colspan="1" | Y<br />
| colspan="1" | currency<br />
| colspan="1" | Total payment amount. Must equal to a sum of cart/items/price * cart/items/quantity + cart/shippingCost + cart/taxCost - cart/discount<br />
|-<br />
| colspan="1" | cart/description<br />
| colspan="1" | -<br />
| colspan="1" | string, 65536<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/merchantEmail<br />
| colspan="1" | Y<br />
| colspan="1" | email, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/forceTransactionType<br />
| colspan="1" | -<br />
| colspan="1" | one of values: A or S or empty <br />A - authorize <br />S - sale<br />
| colspan="1" | A flag of forced Sale or Authorize operation. Overrides the setting from the payment configuration. If the value is empty or the field is omitted, the operation is performed according to the payment configuration settings.<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|-<br />
| colspan="1" | template <br />(''supported by API 1.3 and later'')<br />
| colspan="1" | N<br />
| colspan="1" | string<br />
| colspan="1" | The name of a template in X-Payments requested by the store. Forces the use of the specified template for the payment. If the string passed in this field does not match any template available in X-Payments, it will be ignored.<br />
|-<br />
| colspan="1" | saveCard <br />(''supported by API 1.3 and later'')<br />
| colspan="1" | N<br />
| colspan="1" | string<br />
| colspan="1" | Customer's choice at checkout (“Y” if customer would like to save the card)<br />
|-<br />
| colspan="1" | cart/kountCustomerUniq <br />(''supported by API 1.6 and later'')<br />
| colspan="1" | N<br />
| colspan="1" | string, 32<br />
| colspan="1" | This field is a unique customer identifier in the Kount system, which is send as a UNIQ field.<br />
|}<br />
<br /><br />
'''List of template names in X-Payments 2.1.x (API v1.3)''':<br />
:* '''default''': A template for the separate page. Used if the payment form is displayed on a separate page of your checkout process (not iframe).<br />
:* '''fast''': Iframe for X-Cart 4 Fast Lane Checkout. Used for X-Cart 4 with the Fast Lane Checkout module. The payment form is displayed at the last step of the checkout process.<br />
:* '''lite''': Iframe for X-Cart 4 One Page Checkout. Used for X-Cart 4 with the One Page Checkout module. The payment form is displayed in the payment section at checkout.<br />
:* '''magento_iframe''': Iframe for Magento. Use this template for Magento and iframe.<br />
:* '''mobile''': Template for mobile devices. Used with the X-Cart Mobile module.<br />
:* '''xc5''': Iframe for X-Cart 5. Used for X-Cart 5 and iframe.<br />
<br />
===Request example===<br />
<br />
<pre><br />
<confId>8</confId><br />
<refId>1120</refId><br />
<cart><br />
<login>customer</login><br />
<billingAddress><br />
<firstname>John</firstname><br />
<lastname>Smith</lastname><br />
<address>10 Main street</address><br />
<city>Fillmore</city><br />
<state>UT</state><br />
<country>US</country><br />
<zipcode>84631</zipcode><br />
<company>IQ testing</company><br />
<email>bit-bucket@x-cart.com</email><br />
<phone>927348572</phone><br />
<fax></fax><br />
</billingAddress><br />
<shippingAddress><br />
<firstname>John</firstname><br />
<lastname>Smith</lastname><br />
<address>10 Main street</address><br />
<city>Fillmore</city><br />
<state>UT</state><br />
<country>US</country><br />
<zipcode>84631</zipcode><br />
<company>IQ testing</company><br />
<email>bit-bucket@x-cart.com</email><br />
<phone>927348572</phone><br />
<fax></fax><br />
</shippingAddress><br />
<items type="cell"><br />
<sku>SKU17513</sku><br />
<name>Three Stone Princess Cut Diamond Ring</name><br />
<price>399.99</price><br />
<quantity>1</quantity><br />
</items><br />
<currency>USD</currency><br />
<shippingCost>15</shippingCost><br />
<taxCost>0</taxCost><br />
<discount>0</discount><br />
<totalCost>414.99</totalCost><br />
<description>Order(s) #1120</description><br />
<merchantEmail>bit-bucket@x-cart.com</merchantEmail><br />
<forceTransactionType></forceTransactionType><br />
</cart><br />
<returnUrl>https://example.com/xcart/payment/cc_xpc.php</returnUrl><br />
<callbackUrl>https://example.com/xcart/payment/cc_xpc.php</callbackUrl><br />
<language>ru</language><br />
<target>payment</target><br />
<action>init</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | token<br />
| colspan="1" | string,32<br />
| colspan="1" | Temporary payment token, expires immediately after the customer has submitted the cardholder data form<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | string,32<br />
| colspan="1" | A unique payment ID. Is used for all further requests to this payment through the API.<br />
|}<br />
<br />
===Response example===<br />
<br />
<pre><br />
<data><br />
<token>41b2ef3b34698d4f6ed73151ae7307d2</token><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
==Redirecting a customer to the cardholder data entering page==<br />
<br />
A POST form is created that sends data to the URL <XPayments_web_root>/payment.php; the form contains the following fields:<br />
<br />
* target - has the value "main";<br />
* token - uses the value from the token field received in the response to the payment initialisation request.<br />
<br />
Request protocol - HTTPS <br /><br />
The form must be sent by the POST method. All data must also be sent as POST variables.<br />
<br />
==Payment information request==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal get_info<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | refresh<br />
| colspan="1" | N<br />
| colspan="1" | 0 или 1<br />
| colspan="1" | A flag specifying that the data in X-Payments must be overwritten by the data from the payment gateway. By default - 0<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<refresh>0</target><br />
<target>payment</target><br />
<action>get_info</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Payment status codes|Payment status code]]<br />
|-<br />
| colspan="1" | message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Human readable message containing the payment status<br />
|-<br />
| colspan="1" | isFraudStatus<br />
| colspan="1" | 0 or 1<br />
| colspan="1" | Means that the payment is blocked by the gateway, because the customer has not passed the gateway security check<br />
|-<br />
| colspan="1" | currency<br />
| colspan="1" | string, 3<br />
| colspan="1" | Payment currency code<br />
|-<br />
| colspan="1" | amount<br />
| colspan="1" | currency<br />
| colspan="1" | Payment total<br />
|-<br />
| colspan="1" | authorized<br />
| colspan="1" | currency<br />
| colspan="1" | Authorized payment total<br />
|-<br />
| colspan="1" | chargedAmount<br />
| colspan="1" | currency<br />
| colspan="1" | Charged payment total<br />
|-<br />
| colspan="1" | capturedAmount<br />
| colspan="1" | currency<br />
| colspan="1" | Captured amount of the authorized amount<br />
|-<br />
| colspan="1" | capturedAmountAvail<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that is authorized and can be captured<br />
|-<br />
| colspan="1" | voidedAmount<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that is authorized but voided<br />
|-<br />
| colspan="1" | voidedAmountAvail<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that is authorized and can be voided<br />
|-<br />
| colspan="1" | refundedAmount<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that can be refunded<br />
|-<br />
| colspan="1" | refundedAmountAvail<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that can be refunded<br />
|-<br />
| colspan="1" | fraudAuthorized<br />
| colspan="1" | currency<br />
| colspan="1" | A part of the authorized amount that was blocked by the gateway because the customer had not passed the gateway security check<br />
|-<br />
| colspan="1" | fraudCharged<br />
| colspan="1" | currency<br />
| colspan="1" | A part of the charged amount that was blocked by the gateway because the customer had not passed the gateway security check<br />
|-<br />
| colspan="1" | authorizeInProgress<br />
| colspan="1" | currency<br />
| colspan="1" | A part of the authorized amount that is being handled by the gateway<br />
|-<br />
| colspan="1" | chargeInProgress<br />
| colspan="1" | currency<br />
| colspan="1" | A part of the charged amount that is being handled by the gateway<br />
|-<br />
| colspan="1" | transactionInProgress<br />
| colspan="1" | 0 или 1<br />
| colspan="1" | Are there any payment transactions handled by the gateway?<br />
|-<br />
| colspan="1" | capturedAmountAvailMin<br />
| colspan="1" | currency<br />
| colspan="1" | Minimum amount that can be captured from the authorized amount<br />
|-<br />
| colspan="1" | capturedAmountAvailGateway<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that can be captured from the authorized amount through the gateway<br />
|-<br />
| colspan="1" | capturedAmountAvailMinGateway<br />
| colspan="1" | currency<br />
| colspan="1" | Minimum amount that can be captured from the authorized amount through the gateway<br />
|-<br />
| colspan="1" | voidedAmountAvailGateway<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that can be voided from the authorized amount through the gateway<br />
|-<br />
| colspan="1" | refundedAmountAvailGateway<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that can be refunded from the authorized amount through the gateway<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | lastMessage<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Last gateway message<br />
|-<br />
| colspan="1" | error<br />
| colspan="1" | string, 128<br />
| colspan="1" | Error code<br />
|-<br />
| colspan="1" | error_message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Error message<br />
|}<br />
<br />
{{Note|Fields ending in "Gateway" contain amounts that can be used in transactions through the gateway. For example, if a sum of $100 was authorized, and then a capture transaction was emulated for $100, the next refund operation will be available in the emulation mode only. The value of the refundedAmountAvailGateway field will be equal to 0.}}<br />
<br />
===Response example===<br />
<br />
<pre><br />
<data><br />
<status>2</status><br />
<message>Payment is authorized</message><br />
<isFraudStatus></isFraudStatus><br />
<currency>USD</currency><br />
<amount>414.99</amount><br />
<authorized>414.99</authorized><br />
<chargedAmount>0.00</chargedAmount><br />
<capturedAmount>0.00</capturedAmount><br />
<capturedAmountAvail>414.99</capturedAmountAvail><br />
<voidedAmount>0.00</voidedAmount><br />
<voidedAmountAvail>414.99</voidedAmountAvail><br />
<refundedAmount>0.00</refundedAmount><br />
<refundedAmountAvail>0.00</refundedAmountAvail><br />
<fraudAuthorized>0.00</fraudAuthorized><br />
<fraudCharged>0.00</fraudCharged><br />
<authorizeInProgress>0.00</authorizeInProgress><br />
<chargeInProgress>0.00</chargeInProgress><br />
<transactionInProgress></transactionInProgress><br />
<capturedAmountAvailMin>0.00</capturedAmountAvailMin><br />
<capturedAmountAvailGateway>414.99</capturedAmountAvailGateway><br />
<capturedAmountAvailMinGateway>0.00</capturedAmountAvailMinGateway><br />
<voidedAmountAvailGateway>414.99</voidedAmountAvailGateway><br />
<refundedAmountAvailGateway>0.00</refundedAmountAvailGateway><br />
<txnId>8e67e0da23ce7ed451b2c1adbbd7373c</txnId><br />
<lastMessage>Success</lastMessage><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
==Detailed payment and transaction information request==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal get_additional_info<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | A unique payment ID received in the payment initialisation request response<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<target>payment</target><br />
<action>get_additional_info</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | payment<br />
| colspan="1" | container<br />
| colspan="1" | Payment information request response<br />
|-<br />
| colspan="1" | transactions<br />
| colspan="1" | container<br />
| colspan="1" | Transaction list<br />
|-<br />
| colspan="1" | transactions/date<br />
| colspan="1" | integer, 11<br />
| colspan="1" | Transaction date (Unix timestamp)<br />
|-<br />
| colspan="1" | transactions/action<br />
| colspan="1" | string, 255<br />
| colspan="1" | Transaction name<br />
|-<br />
| colspan="1" | transactions/status<br />
| colspan="1" | string, 255<br />
| colspan="1" | Transaction status<br />
|-<br />
| colspan="1" | transactions/message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Gateway transaction message<br />
|-<br />
| colspan="1" | transactions/total<br />
| colspan="1" | string, 32<br />
| colspan="1" | Transaction amount and currency<br />
|-<br />
| colspan="1" | transactions/txnid<br />
| colspan="1" | string, 255<br />
| colspan="1" | Gateway transaction unique ID<br />
|-<br />
| colspan="1" | transactions/payment_status<br />
| colspan="1" | string, 255<br />
| colspan="1" | The payment status after the transaction<br />
|-<br />
| colspan="1" | transactions/fields<br />
| colspan="1" | container<br />
| colspan="1" | Transaction additional fields list<br />
|-<br />
| colspan="1" | transactions/fields/name<br />
| colspan="1" | string, 255<br />
| colspan="1" | Field name<br />
|-<br />
| colspan="1" | transactions/fields/name<br />
| colspan="1" | string, 255<br />
| colspan="1" | Field value<br />
|-<br />
| colspan="1" | payment/cardValidation <br />(API 1.5 and later)<br />
| colspan="1" | container<br />
| colspan="1" | container for Address validation system (AVS)<br />
|-<br />
| colspan="1" | payment/cardValidation/avs_z <br />(API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Flag for AVS ZIP-code ("0" - unknown, "1" - matches, "2" - does not match)<br />
|-<br />
| colspan="1" | payment/cardValidation/avs_c (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Flag for AVS cardholder name ("0" - unknown, "1" - matches, "2" - does not match)<br />
|-<br />
| colspan="1" | payment/cardValidation/avs_a (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Flag for AVS street address ("0" - unknown, "1" - matches, "2" - does not match)<br />
|-<br />
| colspan="1" | payment/cardValidation/cvv (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Flag for CVV/CVV2/CVD ("0" - unknown, "1" - matches, "2" - does not match)<br />
|-<br />
| colspan="1" | payment/maskedCardData (API 1.5 and later)<br />
| colspan="1" | container<br />
| colspan="1" | container for Credit Card details (which are allowed to store and display by PA-DSS)<br />
|-<br />
| colspan="1" | payment/maskedCardData/first6 (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | First six digits of the credit card number<br />
|-<br />
| colspan="1" | payment/maskedCardData/last4 (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Last four digits of the credit card number<br />
|-<br />
| colspan="1" | payment/maskedCardData/type (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Credit card type: VISA, MC, AMEX, etc<br />
|-<br />
| colspan="1" | payment/maskedCardData/expire_month (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Credit card expiration month<br />
|-<br />
| colspan="1" | payment/maskedCardData/expire_year (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Credit card expiration year<br />
|}<br />
<br />
===Response example===<br />
<br />
<pre><br />
<data><br />
<payment><br />
<status>2</status><br />
<message>Payment is authorized</message><br />
<isFraudStatus>1</isFraudStatus><br />
<currency>USD</currency><br />
<amount>10.61</amount><br />
<authorized>10.61</authorized><br />
<chargedAmount>0.00</chargedAmount><br />
<capturedAmount>0.00</capturedAmount><br />
<capturedAmountAvail>10.61</capturedAmountAvail><br />
<voidedAmount>0.00</voidedAmount><br />
<voidedAmountAvail>10.61</voidedAmountAvail><br />
<refundedAmount>0.00</refundedAmount><br />
<refundedAmountAvail>0.00</refundedAmountAvail><br />
<fraudAuthorized>0.00</fraudAuthorized><br />
<fraudCharged>0.00</fraudCharged><br />
<authorizeInProgress>0.00</authorizeInProgress><br />
<chargeInProgress>0.00</chargeInProgress><br />
<advinfo><br />
<Message></Message><br />
<Response code>1</Response><br />
<txn_id>6583</txn_id><br />
<Authorization number>ET154399</Authorization><br />
<AVS>5: Cardholder name incorrect, billing address and postal code match</AVS><br />
<Bank message>Approved</Bank><br />
<Bank response code>100</Bank><br />
<CVV2>M: CVV2 / CVC2/CVD Match.</CVV2><br />
<Processing status>Transaction Normal</Processing><br />
<Transarmor Token>8393008475641111</Transarmor><br />
<[Kount] 702650>Distance from Device to Billing &gt; 1000km</[Kount] 702650><br />
<[Kount] 702656>Billing Country not equal to BIN Country (Visa/MC)</[Kount] 702656><br />
<[Kount] 702662>Billing Country not equal to Device Country</[Kount] 702662><br />
<[Kount] Auto>R</[Kount] Auto><br />
<[Kount] Errors></[Kount] Errors><br />
<[Kount] Score>26</[Kount] Score><br />
<[Kount] Transaction ID>3Z7903KDCTT0</[Kount] Transaction ID><br />
<[Kount] Warnings></[Kount] Warnings><br />
</advinfo><br />
<transactionInProgress></transactionInProgress><br />
<capturedAmountAvailMin>0.00</capturedAmountAvailMin><br />
<capturedAmountAvailGateway>10.61</capturedAmountAvailGateway><br />
<capturedAmountAvailMinGateway>0.00</capturedAmountAvailMinGateway><br />
<voidedAmountAvailGateway>10.61</voidedAmountAvailGateway><br />
<refundedAmountAvailGateway>0.00</refundedAmountAvailGateway><br />
<cardValidation><br />
<avs_z>1</avs_z><br />
<avs_c>2</avs_c><br />
<avs_a>1</avs_a><br />
<cvv>1</cvv><br />
</cardValidation><br />
<maskedCardData><br />
<first6>411111</first6><br />
<last4>1111</last4><br />
<type>VISA</type><br />
<expire_month>03</expire_month><br />
<expire_year>2020</expire_year><br />
</maskedCardData><br />
</payment><br />
<transactions type="cell"><br />
<date>1438098759</date><br />
<action>Authorize</action><br />
<status>Success</status><br />
<message>Transaction Normal</message><br />
<total>10.61 USD</total><br />
<txnid>57629270</txnid><br />
<fields type="cell"><br />
<name>Authorization number</name><br />
<value>ET154399</value><br />
</fields><br />
<fields type="cell"><br />
<name>AVS</name><br />
<value>5: Cardholder name incorrect, billing address and postal code match</value><br />
</fields><br />
<fields type="cell"><br />
<name>Bank message</name><br />
<value>Approved</value><br />
</fields><br />
<fields type="cell"><br />
<name>Bank response code</name><br />
<value>100</value><br />
</fields><br />
<fields type="cell"><br />
<name>CVV2</name><br />
<value>M: CVV2 / CVC2/CVD Match.</value><br />
</fields><br />
<fields type="cell"><br />
<name>Processing status</name><br />
<value>Transaction Normal</value><br />
</fields><br />
<fields type="cell"><br />
<name>Transarmor Token</name><br />
<value>8393008475641111</value><br />
</fields><br />
<fields type="cell"><br />
<name>[Kount] 702650</name><br />
<value>Distance from Device to Billing &gt; 1000km</value><br />
</fields><br />
<fields type="cell"><br />
<name>[Kount] 702656</name><br />
<value>Billing Country not equal to BIN Country (Visa/MC)</value><br />
</fields><br />
<fields type="cell"><br />
<name>[Kount] 702662</name><br />
<value>Billing Country not equal to Device Country</value><br />
</fields><br />
<fields type="cell"><br />
<name>[Kount] Auto</name><br />
<value>R</value><br />
</fields><br />
<fields type="cell"><br />
<name>[Kount] Score</name><br />
<value>26</value><br />
</fields><br />
<fields type="cell"><br />
<name>[Kount] Transaction ID</name><br />
<value>3Z7903KDCTT0</value><br />
</fields><br />
<payment_status>Charged</payment_status><br />
</transactions><br />
<error></error><br />
<error_message></error_message><br />
<is_error_message></is_error_message><br />
<version>2.2.0</version><br />
</data><br />
</pre><br />
<br />
<br /><br />
''The following pertains to API 1.5 and later:''<br /><br />
If the transaction was checked by Kount antifraud screening service, the "advinfo" and "tansaction/fields" containers contain information of kount results. The field names related to Kount start with the [Kount] prefix. The information can be extracted as follows:<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1"| [Kount] %%%%%, where %%%%% is some number<br />
| colspan="1"| triggered rule, the number is the number of this rule<br />
|-<br />
| colspan="1"| [Kount] Auto<br />
| colspan="1"| The status of the transaction in Kount ("R" - review, "D" - declined, "A" - approved)<br />
|-<br />
| colspan="1"| [Kount] Errors<br />
| colspan="1"| list of errors (if any)<br />
|-<br />
| colspan="1"| [Kount] Warnings: <br />
| colspan="1"| list of warnings (if any)<br />
|-<br />
| colspan="1"| [Kount] Score<br />
| colspan="1"| Risk score<br />
|-<br />
| colspan="1"| [Kount] Transaction ID<br />
| colspan="1"| Transaction ID in Kount, can be used to display the direct link to the transaction in Kount, https://awc.test.kount.net/workflow/detail.html?id=%%%%%% for test mode or https://awc.kount.net/workflow/detail.html?id=%%%%%%, where %%%%% should be replaced with the transaction ID<br />
|}<br />
<br /><br />
<br />
==Capture authorized transaction request==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string,128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal capture<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | amount<br />
| colspan="1" | N<br />
| colspan="1" | currency<br />
| colspan="1" | The amount to capture from the previously authorized transaction. By default equals the amount of the authorized transaction<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
<br />
=== Request example ===<br />
<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<amount>50.00</amount><br />
<target>payment</target><br />
<action>capture</action><br />
</pre><br />
<br />
===Response example===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Operation status codes|Operation status code]]<br />
|-<br />
| colspan="1" | message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Gateway transaction message<br />
|}<br />
<br />
Response example <pre><data><br />
<status>1</status><br />
<message>Success</message><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
==Void authorized transaction request==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal void<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | amount<br />
| colspan="1" | N<br />
| colspan="1" | currency<br />
| colspan="1" | Amount to void of the authorized transaction. By default equals to the amount of the authorized transaction<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<amount>50.00</amount><br />
<target>payment</target><br />
<action>void</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Operation status codes|Operation status code]]<br />
|-<br />
| colspan="1" | message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Gateway transaction message<br />
|}<br />
<br />
===Response example===<br />
<br />
<pre><br />
<data><br />
<status>1</status><br />
<message>Success</message><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
==Refund captured transaction request==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal capture<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | amount<br />
| colspan="1" | N<br />
| colspan="1" | currency<br />
| colspan="1" | Amount to be refunded to the customer of the previously captured transactions. By default equals to the amount of captured transactions<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<amount>50.00</amount><br />
<target>payment</target><br />
<action>refund</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Operation status codes|Operation status code]]<br />
|-<br />
| colspan="1" | message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Gateway transaction message<br />
|}<br />
<br />
===Response example===<br />
<br />
<pre><data><br />
<status>1</status><br />
<message>Success</message><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
==Blocked by gateway transaction accept request (Accept)==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal accept<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<target>payment</target><br />
<action>accept</action><br />
</pre><br />
<br />
===Response example===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Operation status codes|Operation status code]]<br />
|-<br />
| colspan="1" | message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Gateway transaction message<br />
|}<br />
<br />
Response example <pre><data><br />
<status>1</status><br />
<message>Success</message><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
==Blocked by gateway transaction decline request (Decline)==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal decline<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<target>payment</target><br />
<action>decline</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Operation status codes|Operation status code]]<br />
|-<br />
| colspan="1" | message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Gateway transaction message<br />
|}<br />
<br />
===Response example===<br />
<br />
<pre><br />
<data><br />
<status>1</status><br />
<message>Success</message><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
<br />
==Charge again transaction request (Tokenization)==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal recharge<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID which references the token that will be used to identify the payment on the side of the payment gateway<br />
|-<br />
| colspan="1" | amount<br />
| colspan="1" | Y<br />
| colspan="1" | currency<br />
| colspan="1" | The amount for which the "saved" card is to be charged using the token from the previous successful transaction<br />
|-<br />
| colspan="1" | description<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Description of the transaction<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|-<br />
| colspan="1" | refId (supported by API 1.4 and later)<br />
| colspan="1" | N<br />
| colspan="1" | string, 128<br />
| colspan="1" | Order ID in the online store<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<amount>50.00</amount><br />
<description>Recurring payment for the new issue of Playboy</description><br />
<target>payment</target><br />
<action>recharge</action><br />
<api_version>1.2</api_version><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Operation status codes|Operation status code]]<br />
|-<br />
| colspan="1" | data<br />
| colspan="1" | array<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | data[status]<br />
| colspan="1" | integer<br />
| colspan="1" | Status of the new payment (See [[#Payment status codes|Payment status codes]])<br />
|-<br />
| colspan="1" | data[transaction_id]<br />
| colspan="1" | string<br />
| colspan="1" | ID of the created payment for further references (capture/void/refund etc)<br />
|-<br />
| colspan="1" | data[error]<br />
| colspan="1" | string<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | data[error_message]<br />
| colspan="1" | string<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | data[is_error_message]<br />
| colspan="1" | string<br />
| colspan="1" |<br />
|}<br />
<br /><br /><br />
<br />
==Callback request with service payment information==<br />
<br />
This is a background request that X-Payments sends to the store after a payment has been completed and it’s result (accepted, declined, etc) has been received from the payment gateway. The request is sent via HTTP POST to the callbackURL defined in the Payment initialisation request. Once this request has been sent, the customer is redirected back to the store.<br />
<br />
===POSTed data===<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Value'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | callback<br />
| colspan="1" | fixed string<br />
| colspan="1" | Identifies the callback request<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | (mixed)<br />
| colspan="1" | string (MD5 hash)<br />
| colspan="1" | A unique ID of the payment on the side of X-Payments<br />
|-<br />
| colspan="1" | updateData<br />
| colspan="1" | (mixed)<br />
| colspan="1" | string<br />
| colspan="1" | Encrypted response from X-Payments<br />
|}<br />
<br />
X-Payments does not expect a response from the store for this request; however, if the HTTP status of the response is not 200 OK, the request is considered failed, and a special notification is sent to the X-Payments admin. The store needs to decrypt the encrypted part of the response and update the order on its side accordingly. Once the updateData value has been decrypted, it is an XML document with the same structure as the [[X-Payments:API#Response_specification_2|response for Payment information request]].<br />
<br /><br /><br />
<br />
==Check cart callback request==<br />
<br />
After the customer has submitted credit card data, right before sending this data to the payment gateway, X-Payments connects to the store to verify the cart total and contents.<br />
<br />
The HTTP POST request is sent to the '''callbackURL''' defined in the '''Payment initialisation request'''.<br />
<br />
===POSTed data===<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Value'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | check_cart<br />
| colspan="1" | fixed string<br />
| colspan="1" | Identifies the check-cart callback request<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | (mixed)<br />
| colspan="1" | string (MD5 hash)<br />
| colspan="1" | A unique ID of the payment on the side of X-Payments<br />
|-<br />
| colspan="1" | refId<br />
| colspan="1" | (mixed)<br />
| colspan="1" | string<br />
| colspan="1" | Order ID (or any other reference) in the online store<br />
|}<br />
<br /><br />
As of API v1.3, the store must respond to this callback request. The response must be an encrypted XML document (i.e. the same way as for other communication between the store and X-Payments).<br />
<br />
===Encrypted response for check-cart callback request===<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | Y<br />
| colspan="1" | fixed string<br />
| colspan="1" | Should be “cart-changed” or "cart-not-changed"<br />
|-<br />
| colspan="1" | cart<br />
| colspan="1" | Y<br />
| colspan="1" | container<br />
| colspan="1" | A container with cart/order description. See [[X-Payments:API#Request_specification|Payment initialisation request specification]] for details. This container must be included for "status = cart-changed" and is not necessary for "status = cart-not-changed"<br />
|-<br />
| colspan="1" | saveCard<br />
| colspan="1" | N<br />
| colspan="1" | string<br />
| colspan="1" | Whether the customer has chosen to save their card for future use (“Y” if the customer would like to save the card)<br />
|}<br />
<br /><br /><br />
<br />
==Communication between X-Payments iframe and the store==<br />
<br />
===Communication structure===<br />
Communication between the online store (parent frame) and X-Payments (iframe) is implemented with the help of the javascript Window.postMessage method. Notifictions to both the sides represent stringified JSON formatted texts that consist of a service message (string) and an optional list of parameters:<br />
:* '''height''': height of the iframe<br />
:* '''error''': human readable message<br />
:* '''type''': message type. X-Payments sends it as 2, which indicates that the online store should re-initialize the payment. In API v1.3 no other values are supported.<br />
<br />
===Messages sent from the online store to X-Payments===<br />
'''Submit payment form'''<br /><br />
X-Payments’ iframe does not have a Submit button, so instead of it the payment form should be submitted from the parent window by any kind of “Submit order” or “Place order” button at checkout. At the same time, the special message '''submitPaymentForm''' with no parameters should be sent.<br />
-----------------------------------------------------------<br />
{<br />
:::message: 'submitPaymentForm',<br />
:::params: {}<br />
}<br />
-----------------------------------------------------------<br />
<br />
<br /><br /><br />
===Messages sent from X-Payments to the online store===<br />
'''Iframe is loaded and ready'''<br /><br />
The message ready notifies the parent window that the payment form is ready. The actual height of the iframe is included in the parameters, so the parent window (checkout page) can perform the necessary adjustments.<br />
-----------------------------------------------------------<br />
{<br />
:::message: 'ready',<br />
:::params: {<br />
::::::height: $(document).height()<br />
:::}<br />
}<br />
-----------------------------------------------------------<br />
<br /><br />
'''Payment form submitted with an error'''<br /><br />
The message '''paymentFormSubmitError''' with no parameters is sent in the case of any validation error. This may be the case, for example, if the customer’s credit card expiration date is in the past, or the credit card number does not match the card type (e.g. VISA, MasterCard), or when a required field has not been submitted (e.g. CVV2). Once the message '''paymentFormSubmitError''' with no parameters has been received, the store should not proceed to the next step of the checkout process, but should expect the payment form to be submitted again.<br />
-----------------------------------------------------------<br />
{<br />
:::message: 'paymentFormSubmitError',<br />
:::params: {}<br />
}<br />
-----------------------------------------------------------<br />
<br /><br />
'''Internal error'''<br /><br />
The '''paymentFormSubmitError''' message with a special set of parameters is used to notify the store if something is wrong outside X-Payments, and X-Payments cannot do anything about it (for example, if the payment gateway has sent an unknown/unexpected piece of data).<br />
-----------------------------------------------------------<br />
{<br />
:::message: 'paymentFormSubmitError',<br />
:::params: {<br />
::::::height: $(document).height(),<br />
::::::error: 'Internal error',<br />
::::::type: '2'<br />
:::}<br />
}<br />
-----------------------------------------------------------<br />
<br /><br />
'''Session is expired'''<br /><br />
For security reasons the length of the session is limited to 15 minutes. After this period the store has to re-initialize the payment. In this case X-Payments sends the '''paymentFormSubmitError''' message with the “Payment session expired” error.<br />
-----------------------------------------------------------<br />
{<br />
:::message: 'paymentFormSubmitError',<br />
:::params: {<br />
::::::height: $(document).height(),<br />
::::::error: 'Payment session expired',<br />
::::::type: '2'<br />
:::}<br />
}<br />
-----------------------------------------------------------<br />
<br /><br />
'''Payment form in Iframe is submitted''' (supported by API v1.4 and later)<br /><br />
The message '''paymentFormSubmit''' notifies the parent window that the payment form has been submitted from the X-Payments side; for example, if a customer clicks the Enter key inside the iframe. Once the store receives this message, it should operate in the same way as though the customer has clicked the Place order button at checkout.<br />
-----------------------------------------------------------<br />
{<br />
:::message: 'paymentFormSubmit',<br />
:::params: {}<br />
}<br />
<br />
-----------------------------------------------------------<br />
<br /><br /><br />
<br />
==Appendix A. Status codes.==<br />
<br />
===Payment status codes===<br />
: 1 - New<br />
: 2 - Authorized<br />
: 3 - Declined<br />
: 4 - Charged<br />
: 5 - Refunded<br />
: 6 - Partially refunded<br />
<br />
===Operation status codes===<br />
: 0 - transaction failed<br />
: 1 - transaction is successful<br />
: 2 - transaction is successful and is duplicate<br />
<br />
<br />
<br />
==See also==<br />
<br />
* [http://lu53.crtdev.local/%7Emixon/google-cache-w.php?q=/index.php?title=X-Cart:X-Payments_Connector X-Cart:X-Payments Connector]<br />
<br />
[[Category:X-Payments Developer Guide]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:API&diff=674X-Payments:API2016-05-25T10:28:42Z<p>Alex “Ambal” Mulin: /* API versions supported */</p>
<hr />
<div>== API versions supported ==<br />
<br />
'''API v1.1''': X-Payments 1.0.2-1.0.5 <br /><br />
'''API v1.2''': X-Payments 1.0.6, 2.0.0, 2.0.1 <br /><br />
'''API v1.3''': X-Payments 2.1.0, 2.1.1 <br /><br />
'''API v1.4''': X-Payments 2.1.2 (Nov 2014), 2.1.3 (Feb 2015)<br /><br />
'''API v1.5''': X-Payments 2.2 (June 2015)<br /><br />
'''API v1.6''': X-Payments 3.x (June 2016)<br /><br /><br />
<br />
==Samples==<br />
<br />
While we are doing an addition to our API docs I suggest to use function xpc_api_request from <br />
X-Cart 4 file modules/XPayments_Connector/xpc_func.php as a sample.<br />
<br />
Especially function xpc_request_test() to make a test call.<br />
<br />
==API requests==<br />
<br />
All API requests are made to the '''httрs://<xpayments_url>/api.php''' URL.<br />
Only HTTPS protocol is used.<br />
A request is an XML document that is encrypted using RSA method with a key generated by X-Payments.<br />
<br />
'''Request/Response encryption'''<br />
<br />
* Encryption method used: RSA;<br />
* Key length: 2048 bit;<br />
* A private key is created with a 32 character password;<br />
* The password is generated randomly;<br />
* The number of password characters varies from 33 to 127.<br />
<br />
For each online store X-Payments generates 2 pairs of keys:<br />
<br />
# a public and a private key to encrypt requests/responses from the online store to X-Payments;<br />
# a public and a private key to encrypt requests/responses from X-Payments to the online store.<br />
<br />
So when the online store sends a request to X-Payments, this request is encrypted using the public key from the first pair, X-Payments decrypts it using the private key of the first pair. Then X-Payments response is encrypted using the public key of the second pair, and the online store decrypts this response using the private key of the second pair.<br />
<br />
To ensure full-featured two-way commumication between X-Payments and an online store, you need to copy tree values from the X-Payments interface:<br />
:* Public key from the first pair (Online store → X-Payments),<br />
:* Private key from the second pair (X-Payments → Online store),<br />
:* Private key password,<br />
and have them stored on the side of the online store by an appropriate X-Payments connector.<br />
<br />
<br />
'''Encryption algorithm:'''<br />
<br />
# An empty string is created for pre-prepared data.<br />
# A 32-character salt-block is formed of random characters from 33 to 255.<br />
# The length of the salt-block in bites is taken and transformed into a 12-character string by adding zeros before it.<br />
# The salt-block length string and the salt-block are added to the pre-prepared data.<br />
# MD5 digital signature is taken from the data. The signature is formed as a HEX (32-character string).<br />
# The length of the digital signature in bites is taken and transformed into a 12-character string by adding zeros before it.<br />
# The digital signature length string and the digital signature are added to the pre-prepared data.<br />
# The length of the data string in bites is taken and transformed into a 12-character string by adding zeros before it.<br />
# The data string length string and the data string are added to the pre-prepared data.<br />
# The string of pre-prepared data is divided into 128 bite chunks.<br />
# Each chunk is encrypted using a public key.<br />
# Each chunk is encoded with base64.<br />
# Chunks are glued together using a line feed character (0x0a).<br />
# API prefix is added to the glued chunks.<br />
<br />
===cURL as a means of sending requests===<br />
<br />
Using libcurl v.7.10 and above is recommended.<br />
<br />
TTL should be specified depending on the performance of the server where X-Payments is installed. The recommended value is 120 seconds.<br />
<br />
It is recommended to use SSL v.3 and above.<br />
<br />
===Data types===<br />
<br />
Data types used:<br />
<br />
* string - a UTF-8 string;<br />
* email - an email address no longer than 255 characters;<br />
* URL - a URL address no longer than 255 characters;<br />
* currency - a floating point number denoting a certain sum of money. The mantissa size is the same as the payment currency mantissa size, but not longer than 3. All the exceeding characters will be truncated.<br />
* integer - an integer number.<br />
<br />
ISO 4217 Alpha-3 in the upper register is always used as the payment currency code.<br />
<br />
ISO 639-1 Alpha-2 in the lower register is always used as the language code.<br />
<br />
==Payment configurations list request==<br />
<br />
Returns a list of payment configurations that are configured, enabled, and assigned to this online store/shopping cart.<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment_confs<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal get<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br /><br />
<br />
===Request example===<br />
<br />
<pre><br />
<api_version>1.5</api_version><br />
<target>payment_confs</target><br />
<action>get</action><br />
</pre><br />
<br /><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | payment_module<br />
| colspan="1" | container<br />
| colspan="1" | <br />
|-<br />
| colspan="1" | payment_module/name<br />
| colspan="1" | string<br />
| colspan="1" | Name of the payment configuration, as set by the X-Payments admin<br />
|-<br />
| colspan="1" | payment_module/id<br />
| colspan="1" | integer<br />
| colspan="1" | Identifier of the payment configuration (autoincrement)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes<br />
| colspan="1" | container<br />
| colspan="1" | <br />
|-<br />
| colspan="1" | payment_module/transactionTypes/sale<br />
| colspan="1" | string<br />
| colspan="1" | Whether the payment configuration allows "Sale" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/auth<br />
| colspan="1" | string<br />
| colspan="1" | Whether the payment configuration allows "Authorize only" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/capture<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows "Capture" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/capturePart<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows partial "Capture" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/captureMulti<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows multiple "Capture" operations ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/void<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows "Void" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/voidPart<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows partial "Void" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/voidMulti<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows multiple "Void" operations ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/refund<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows "Refund" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/refundPart<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows partial "Refund" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/refundMulti<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows multiple "Refund" operations ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/getInfo<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows to receive information from the payment gateway ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/accept<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows "Accept" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/decline<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows "Decline" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/test<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows "Test" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/authCaptureInfo<br />
| colspan="1" | container<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | payment_module/authCaptureInfo/authExp<br />
| colspan="1" | integer<br />
| colspan="1" | How many days the transaction can stay in the Authorized status before being declined automatically<br />
|-<br />
| colspan="1" | payment_module/authCaptureInfo/captMinLimit<br />
| colspan="1" | float<br />
| colspan="1" | Minimum capture limit allowed by the payment gateway. Presented as a part of 1 (0 - no minimum limit, 0.2 - minimum 20% of authorized total, 0.5 - 50% of authorized total, etc.)<br />
|-<br />
| colspan="1" | payment_module/authCaptureInfo/captMaxLimit<br />
| colspan="1" | <br />
| colspan="1" | Maximum capture limit allowed by the payment gateway. Presented as a part of 1 (0 - no maximum limit, 0.5 - 50% of authorized total, 1 - 100% of authorized total, etc.)<br />
|-<br />
| colspan="1" | payment_module/moduleName<br />
| colspan="1" | string<br />
| colspan="1" | Default X-Payments name of the payment configuration<br />
|-<br />
| colspan="1" | payment_module/settingsHash<br />
| colspan="1" | string<br />
| colspan="1" | MD5 hash of the payment configuration settings<br />
|-<br />
| colspan="1" | payment_module/currency<br />
| colspan="1" | string<br />
| colspan="1" | 3-characters code of currency (ISO 4217). API v1.3 and later.<br />
|-<br />
| colspan="1" | payment_module/canSaveCards<br />
| colspan="1" | string<br />
| colspan="1" | Whether the payment configuration supports tokenization, i.e. customers' credit card can be saved on the payment gateway ("Y" - supports, "N" - doesn't support). API v1.3 and later.<br />
|-<br />
| colspan="1" | payment_module/class<br />
| colspan="1" | string<br />
| colspan="1" | Service field of the class name. It is unique for a payment module so it can be used to detect a certain payment gateway. E.g. XPay_Module_SagePayDirect for SagePay, XPay_Module_AuthorizeNet for Authorize.Net AIM, etc. API v1.4 and later.<br />
|-<br />
| colspan="1" | payment_module/isTestMode<br />
| colspan="1" | string<br />
| colspan="1" | Indicates if the payment configuration is configured in test mode ("Y" - test mode, "N" - live mode). API v1.4 and later.<br />
|}<br />
<br /><br />
<br />
===Response example===<br />
<br />
<pre><br />
<data><br />
<payment_module type="cell"><br />
<name>First Data Global Gateway e4(SM) Web Service API</name><br />
<id>1</id><br />
<transactionTypes><br />
<sale>1</sale><br />
<auth>1</auth><br />
<capture>1</capture><br />
<capturePart>1</capturePart><br />
<captureMulti></captureMulti><br />
<void>1</void><br />
<voidPart></voidPart><br />
<voidMulti></voidMulti><br />
<refund>1</refund><br />
<refundPart>1</refundPart><br />
<refundMulti>1</refundMulti><br />
<getInfo></getInfo><br />
<accept></accept><br />
<decline></decline><br />
<test></test><br />
</transactionTypes><br />
<authCaptureInfo><br />
<authExp>30</authExp><br />
<captMinLimit>0</captMinLimit><br />
<captMaxLimit>1</captMaxLimit><br />
</authCaptureInfo><br />
<moduleName>First Data Payeezy Gateway (ex- Global Gateway e4)</moduleName><br />
<settingsHash>d41d8cd98f00b204e9800998ecf8427e</settingsHash><br />
<currency>USD</currency><br />
<canSaveCards>Y</canSaveCards><br />
<class>XPay_Module_FirstDataE4</class><br />
<isTestMode>Y</isTestMode><br />
</payment_module><br />
<payment_module type="cell"><br />
<name>Chase Paymentech</name><br />
<id>2</id><br />
<transactionTypes><br />
<sale>1</sale><br />
<auth>1</auth><br />
<capture>1</capture><br />
<capturePart>1</capturePart><br />
<captureMulti></captureMulti><br />
<void>1</void><br />
<voidPart></voidPart><br />
<voidMulti></voidMulti><br />
<refund>1</refund><br />
<refundPart>1</refundPart><br />
<refundMulti></refundMulti><br />
<getInfo></getInfo><br />
<accept></accept><br />
<decline></decline><br />
<test></test><br />
</transactionTypes><br />
<authCaptureInfo><br />
<authExp>30</authExp><br />
<captMinLimit>0</captMinLimit><br />
<captMaxLimit>1</captMaxLimit><br />
</authCaptureInfo><br />
<moduleName>Chase Paymentech</moduleName><br />
<settingsHash>d41d8cd98f00b204e9800998ecf8427e</settingsHash><br />
<currency>USD</currency><br />
<canSaveCards>Y</canSaveCards><br />
<class>XPay_Module_Chase</class><br />
<isTestMode>Y</isTestMode><br />
</payment_module><br />
</data><br />
</pre><br />
<br /><br />
<br />
==Test connection request==<br />
Use this request to test the connection between the store and X-Payments. It can also help to detect the version of the X-Payments installation and the API version supported by X-Payments.<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal connect<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal test<br />
|-<br />
| colspan="1" | testCode<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Any string<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br /><br />
<br />
===Request example===<br />
<br />
<pre><br />
<testCode>123</testCode><br />
<api_version>1.5</api_version><br />
<target>connect</target><br />
<action>test</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | hashCode<br />
| colspan="1" | string<br />
| colspan="1" | MD5 hash of the sent code<br />
|-<br />
| colspan="1" | error<br />
| colspan="1" | string<br />
| colspan="1" | Error code (if any)<br />
|-<br />
| colspan="1" | error_message<br />
| colspan="1" | string<br />
| colspan="1" | Error message<br />
|-<br />
| colspan="1" | is_error_message<br />
| colspan="1" | string<br />
| colspan="1" | Flag indicating the error message presence <br />
|-<br />
| colspan="1" | version<br />
| colspan="1" | string<br />
| colspan="1" | X-Payments version<br />
|}<br />
<br /><br />
<br />
===Response example===<br />
<br />
Example of a good response:<br />
<pre><br />
<data><br />
<hashCode>202cb962ac59075b964b07152d234b70</hashCode><br />
<error></error><br />
<error_message></error_message><br />
<is_error_message></is_error_message><br />
<version>2.2.0</version><br />
</data><br />
</pre><br />
<br />
Example of a response with an error:<br />
<pre><br />
<data><br />
<error>506</error><br />
<error_message>Your X-Payments connector module supports API version "1.9". This X-Payments supports the following API versions only: "1.1, 1.2, 1.3, 1.4, 1.5, 1.6".</error_message><br />
<is_error_message></is_error_message><br />
</data><br />
</pre><br />
<br /><br />
<br />
==Payment initialisation request==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal init<br />
|-<br />
| colspan="1" | confId<br />
| colspan="1" | Y<br />
| colspan="1" | integer<br />
| colspan="1" | Payment module configuration ID<br />
|-<br />
| colspan="1" | refId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Order ID in the online store<br />
|-<br />
| colspan="1" | returnUrl<br />
| colspan="1" | Y<br />
| colspan="1" | URL, 255<br />
| colspan="1" | URL of the page to redirect the customer after payment<br />
|-<br />
| colspan="1" | callbackUrl<br />
| colspan="1" | Y<br />
| colspan="1" | URL, 255<br />
| colspan="1" | URL to which X-Payments sends background requests with service information<br />
|-<br />
| colspan="1" | language<br />
| colspan="1" | N<br />
| colspan="1" | code of ISO 639-1 (Alpha-2)<br />
| colspan="1" | Language code. If not specified - en<br />
|-<br />
| colspan="1" | cart<br />
| colspan="1" | Y<br />
| colspan="1" | container<br />
| colspan="1" | A container with addresses description<br />
|-<br />
| colspan="1" | cart/billingAddress<br />
| colspan="1" | Y<br />
| colspan="1" | container<br />
| colspan="1" | A container with the billing address description<br />
|-<br />
| colspan="1" | cart/billingAddress/firstname<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/lastname<br />
| colspan="1" | N<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/company<br />
| colspan="1" | N<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/address<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/city<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/state<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/country<br />
| colspan="1" | Y<br />
| colspan="1" | string, 2<br />
| colspan="1" | ISO 3166-1 alpha-2 Country code https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2<br />
|-<br />
| colspan="1" | cart/billingAddress/zipcode<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/email<br />
| colspan="1" | Y<br />
| colspan="1" | emai, 255l<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/phone<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/fax<br />
| colspan="1" | N<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress<br />
| colspan="1" | Y<br />
| colspan="1" | container<br />
| colspan="1" | A container with the shipping address description<br />
|-<br />
| colspan="1" | cart/shippingAddress/firstname<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/lastname<br />
| colspan="1" | N<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/company<br />
| colspan="1" | N<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/address<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/city<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/state<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/country<br />
| colspan="1" | Y<br />
| colspan="1" | string, 2<br />
| colspan="1" | ISO 3166-1 alpha-2 Country code https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2<br />
|-<br />
| colspan="1" | cart/shippingAddress/zipcode<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/email<br />
| colspan="1" | Y<br />
| colspan="1" | email, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/phone<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/fax<br />
| colspan="1" | N<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/items<br />
| colspan="1" | Y<br />
| colspan="1" | container<br />
| colspan="1" | A container with product description<br />
|-<br />
| colspan="1" | cart/items/sku<br />
| colspan="1" | Y<br />
| colspan="1" | string, 64<br />
| colspan="1" | SKU (product code)<br />
|-<br />
| colspan="1" | cart/items/name<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" | Product name<br />
|-<br />
| colspan="1" | cart/items/price<br />
| colspan="1" | Y<br />
| colspan="1" | currency<br />
| colspan="1" | Product item price<br />
|-<br />
| colspan="1" | cart/items/quantity<br />
| colspan="1" | N<br />
| colspan="1" | integer<br />
| colspan="1" | Ordered number of products. If not specified - 1<br />
|-<br />
| colspan="1" | cart/login<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" | Unique customer ID in the online store (login, username, userid, etc.)<br />
|-<br />
| colspan="1" | cart/currency<br />
| colspan="1" | N<br />
| colspan="1" | string, 3<br />
| colspan="1" | Payment currency code (ISO 4217 Alpha-3). If not specified, default payment configuration currency is used<br />
|-<br />
| colspan="1" | cart/shippingCost<br />
| colspan="1" | -<br />
| colspan="1" | currency<br />
| colspan="1" | Shipping cost. By default - 0<br />
|-<br />
| colspan="1" | cart/taxCost<br />
| colspan="1" | -<br />
| colspan="1" | currency<br />
| colspan="1" | Tax amount. By default - 0<br />
|-<br />
| colspan="1" | cart/discount<br />
| colspan="1" | -<br />
| colspan="1" | currency<br />
| colspan="1" | Discount amount. By default - 0<br />
|-<br />
| colspan="1" | cart/totalCost<br />
| colspan="1" | Y<br />
| colspan="1" | currency<br />
| colspan="1" | Total payment amount. Must equal to a sum of cart/items/price * cart/items/quantity + cart/shippingCost + cart/taxCost - cart/discount<br />
|-<br />
| colspan="1" | cart/description<br />
| colspan="1" | -<br />
| colspan="1" | string, 65536<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/merchantEmail<br />
| colspan="1" | Y<br />
| colspan="1" | email, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/forceTransactionType<br />
| colspan="1" | -<br />
| colspan="1" | one of values: A or S or empty <br />A - authorize <br />S - sale<br />
| colspan="1" | A flag of forced Sale or Authorize operation. Overrides the setting from the payment configuration. If the value is empty or the field is omitted, the operation is performed according to the payment configuration settings.<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|-<br />
| colspan="1" | template <br />(''supported by API 1.3 and later'')<br />
| colspan="1" | N<br />
| colspan="1" | string<br />
| colspan="1" | The name of a template in X-Payments requested by the store. Forces the use of the specified template for the payment. If the string passed in this field does not match any template available in X-Payments, it will be ignored.<br />
|-<br />
| colspan="1" | saveCard <br />(''supported by API 1.3 and later'')<br />
| colspan="1" | N<br />
| colspan="1" | string<br />
| colspan="1" | Customer's choice at checkout (“Y” if customer would like to save the card)<br />
|-<br />
| colspan="1" | cart/kountCustomerUniq <br />(''supported by API 1.6 and later'')<br />
| colspan="1" | N<br />
| colspan="1" | string, 32<br />
| colspan="1" | This field is a unique customer identifier in the Kount system, which is send as a UNIQ field.<br />
|}<br />
<br /><br />
'''List of template names in X-Payments 2.1.x (API v1.3)''':<br />
:* '''default''': A template for the separate page. Used if the payment form is displayed on a separate page of your checkout process (not iframe).<br />
:* '''fast''': Iframe for X-Cart 4 Fast Lane Checkout. Used for X-Cart 4 with the Fast Lane Checkout module. The payment form is displayed at the last step of the checkout process.<br />
:* '''lite''': Iframe for X-Cart 4 One Page Checkout. Used for X-Cart 4 with the One Page Checkout module. The payment form is displayed in the payment section at checkout.<br />
:* '''magento_iframe''': Iframe for Magento. Use this template for Magento and iframe.<br />
:* '''mobile''': Template for mobile devices. Used with the X-Cart Mobile module.<br />
:* '''xc5''': Iframe for X-Cart 5. Used for X-Cart 5 and iframe.<br />
<br />
===Request example===<br />
<br />
<pre><br />
<confId>8</confId><br />
<refId>1120</refId><br />
<cart><br />
<login>customer</login><br />
<billingAddress><br />
<firstname>John</firstname><br />
<lastname>Smith</lastname><br />
<address>10 Main street</address><br />
<city>Fillmore</city><br />
<state>UT</state><br />
<country>US</country><br />
<zipcode>84631</zipcode><br />
<company>IQ testing</company><br />
<email>bit-bucket@x-cart.com</email><br />
<phone>927348572</phone><br />
<fax></fax><br />
</billingAddress><br />
<shippingAddress><br />
<firstname>John</firstname><br />
<lastname>Smith</lastname><br />
<address>10 Main street</address><br />
<city>Fillmore</city><br />
<state>UT</state><br />
<country>US</country><br />
<zipcode>84631</zipcode><br />
<company>IQ testing</company><br />
<email>bit-bucket@x-cart.com</email><br />
<phone>927348572</phone><br />
<fax></fax><br />
</shippingAddress><br />
<items type="cell"><br />
<sku>SKU17513</sku><br />
<name>Three Stone Princess Cut Diamond Ring</name><br />
<price>399.99</price><br />
<quantity>1</quantity><br />
</items><br />
<currency>USD</currency><br />
<shippingCost>15</shippingCost><br />
<taxCost>0</taxCost><br />
<discount>0</discount><br />
<totalCost>414.99</totalCost><br />
<description>Order(s) #1120</description><br />
<merchantEmail>bit-bucket@x-cart.com</merchantEmail><br />
<forceTransactionType></forceTransactionType><br />
</cart><br />
<returnUrl>https://example.com/xcart/payment/cc_xpc.php</returnUrl><br />
<callbackUrl>https://example.com/xcart/payment/cc_xpc.php</callbackUrl><br />
<language>ru</language><br />
<target>payment</target><br />
<action>init</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | token<br />
| colspan="1" | string,32<br />
| colspan="1" | Temporary payment token, expires immediately after the customer has submitted the cardholder data form<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | string,32<br />
| colspan="1" | A unique payment ID. Is used for all further requests to this payment through the API.<br />
|}<br />
<br />
===Response example===<br />
<br />
<pre><br />
<data><br />
<token>41b2ef3b34698d4f6ed73151ae7307d2</token><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
==Redirecting a customer to the cardholder data entering page==<br />
<br />
A POST form is created that sends data to the URL <XPayments_web_root>/payment.php; the form contains the following fields:<br />
<br />
* target - has the value "main";<br />
* token - uses the value from the token field received in the response to the payment initialisation request.<br />
<br />
Request protocol - HTTPS <br /><br />
The form must be sent by the POST method. All data must also be sent as POST variables.<br />
<br />
==Payment information request==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal get_info<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | refresh<br />
| colspan="1" | N<br />
| colspan="1" | 0 или 1<br />
| colspan="1" | A flag specifying that the data in X-Payments must be overwritten by the data from the payment gateway. By default - 0<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<refresh>0</target><br />
<target>payment</target><br />
<action>get_info</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Payment status codes|Payment status code]]<br />
|-<br />
| colspan="1" | message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Human readable message containing the payment status<br />
|-<br />
| colspan="1" | isFraudStatus<br />
| colspan="1" | 0 or 1<br />
| colspan="1" | Means that the payment is blocked by the gateway, because the customer has not passed the gateway security check<br />
|-<br />
| colspan="1" | currency<br />
| colspan="1" | string, 3<br />
| colspan="1" | Payment currency code<br />
|-<br />
| colspan="1" | amount<br />
| colspan="1" | currency<br />
| colspan="1" | Payment total<br />
|-<br />
| colspan="1" | authorized<br />
| colspan="1" | currency<br />
| colspan="1" | Authorized payment total<br />
|-<br />
| colspan="1" | chargedAmount<br />
| colspan="1" | currency<br />
| colspan="1" | Charged payment total<br />
|-<br />
| colspan="1" | capturedAmount<br />
| colspan="1" | currency<br />
| colspan="1" | Captured amount of the authorized amount<br />
|-<br />
| colspan="1" | capturedAmountAvail<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that is authorized and can be captured<br />
|-<br />
| colspan="1" | voidedAmount<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that is authorized but voided<br />
|-<br />
| colspan="1" | voidedAmountAvail<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that is authorized and can be voided<br />
|-<br />
| colspan="1" | refundedAmount<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that can be refunded<br />
|-<br />
| colspan="1" | refundedAmountAvail<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that can be refunded<br />
|-<br />
| colspan="1" | fraudAuthorized<br />
| colspan="1" | currency<br />
| colspan="1" | A part of the authorized amount that was blocked by the gateway because the customer had not passed the gateway security check<br />
|-<br />
| colspan="1" | fraudCharged<br />
| colspan="1" | currency<br />
| colspan="1" | A part of the charged amount that was blocked by the gateway because the customer had not passed the gateway security check<br />
|-<br />
| colspan="1" | authorizeInProgress<br />
| colspan="1" | currency<br />
| colspan="1" | A part of the authorized amount that is being handled by the gateway<br />
|-<br />
| colspan="1" | chargeInProgress<br />
| colspan="1" | currency<br />
| colspan="1" | A part of the charged amount that is being handled by the gateway<br />
|-<br />
| colspan="1" | transactionInProgress<br />
| colspan="1" | 0 или 1<br />
| colspan="1" | Are there any payment transactions handled by the gateway?<br />
|-<br />
| colspan="1" | capturedAmountAvailMin<br />
| colspan="1" | currency<br />
| colspan="1" | Minimum amount that can be captured from the authorized amount<br />
|-<br />
| colspan="1" | capturedAmountAvailGateway<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that can be captured from the authorized amount through the gateway<br />
|-<br />
| colspan="1" | capturedAmountAvailMinGateway<br />
| colspan="1" | currency<br />
| colspan="1" | Minimum amount that can be captured from the authorized amount through the gateway<br />
|-<br />
| colspan="1" | voidedAmountAvailGateway<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that can be voided from the authorized amount through the gateway<br />
|-<br />
| colspan="1" | refundedAmountAvailGateway<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that can be refunded from the authorized amount through the gateway<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | lastMessage<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Last gateway message<br />
|-<br />
| colspan="1" | error<br />
| colspan="1" | string, 128<br />
| colspan="1" | Error code<br />
|-<br />
| colspan="1" | error_message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Error message<br />
|}<br />
<br />
{{Note|Fields ending in "Gateway" contain amounts that can be used in transactions through the gateway. For example, if a sum of $100 was authorized, and then a capture transaction was emulated for $100, the next refund operation will be available in the emulation mode only. The value of the refundedAmountAvailGateway field will be equal to 0.}}<br />
<br />
===Response example===<br />
<br />
<pre><br />
<data><br />
<status>2</status><br />
<message>Payment is authorized</message><br />
<isFraudStatus></isFraudStatus><br />
<currency>USD</currency><br />
<amount>414.99</amount><br />
<authorized>414.99</authorized><br />
<chargedAmount>0.00</chargedAmount><br />
<capturedAmount>0.00</capturedAmount><br />
<capturedAmountAvail>414.99</capturedAmountAvail><br />
<voidedAmount>0.00</voidedAmount><br />
<voidedAmountAvail>414.99</voidedAmountAvail><br />
<refundedAmount>0.00</refundedAmount><br />
<refundedAmountAvail>0.00</refundedAmountAvail><br />
<fraudAuthorized>0.00</fraudAuthorized><br />
<fraudCharged>0.00</fraudCharged><br />
<authorizeInProgress>0.00</authorizeInProgress><br />
<chargeInProgress>0.00</chargeInProgress><br />
<transactionInProgress></transactionInProgress><br />
<capturedAmountAvailMin>0.00</capturedAmountAvailMin><br />
<capturedAmountAvailGateway>414.99</capturedAmountAvailGateway><br />
<capturedAmountAvailMinGateway>0.00</capturedAmountAvailMinGateway><br />
<voidedAmountAvailGateway>414.99</voidedAmountAvailGateway><br />
<refundedAmountAvailGateway>0.00</refundedAmountAvailGateway><br />
<txnId>8e67e0da23ce7ed451b2c1adbbd7373c</txnId><br />
<lastMessage>Success</lastMessage><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
==Detailed payment and transaction information request==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal get_additional_info<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | A unique payment ID received in the payment initialisation request response<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<target>payment</target><br />
<action>get_additional_info</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | payment<br />
| colspan="1" | container<br />
| colspan="1" | Payment information request response<br />
|-<br />
| colspan="1" | transactions<br />
| colspan="1" | container<br />
| colspan="1" | Transaction list<br />
|-<br />
| colspan="1" | transactions/date<br />
| colspan="1" | integer, 11<br />
| colspan="1" | Transaction date (Unix timestamp)<br />
|-<br />
| colspan="1" | transactions/action<br />
| colspan="1" | string, 255<br />
| colspan="1" | Transaction name<br />
|-<br />
| colspan="1" | transactions/status<br />
| colspan="1" | string, 255<br />
| colspan="1" | Transaction status<br />
|-<br />
| colspan="1" | transactions/message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Gateway transaction message<br />
|-<br />
| colspan="1" | transactions/total<br />
| colspan="1" | string, 32<br />
| colspan="1" | Transaction amount and currency<br />
|-<br />
| colspan="1" | transactions/txnid<br />
| colspan="1" | string, 255<br />
| colspan="1" | Gateway transaction unique ID<br />
|-<br />
| colspan="1" | transactions/payment_status<br />
| colspan="1" | string, 255<br />
| colspan="1" | The payment status after the transaction<br />
|-<br />
| colspan="1" | transactions/fields<br />
| colspan="1" | container<br />
| colspan="1" | Transaction additional fields list<br />
|-<br />
| colspan="1" | transactions/fields/name<br />
| colspan="1" | string, 255<br />
| colspan="1" | Field name<br />
|-<br />
| colspan="1" | transactions/fields/name<br />
| colspan="1" | string, 255<br />
| colspan="1" | Field value<br />
|-<br />
| colspan="1" | payment/cardValidation <br />(API 1.5 and later)<br />
| colspan="1" | container<br />
| colspan="1" | container for Address validation system (AVS)<br />
|-<br />
| colspan="1" | payment/cardValidation/avs_z <br />(API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Flag for AVS ZIP-code ("0" - unknown, "1" - matches, "2" - does not match)<br />
|-<br />
| colspan="1" | payment/cardValidation/avs_c (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Flag for AVS cardholder name ("0" - unknown, "1" - matches, "2" - does not match)<br />
|-<br />
| colspan="1" | payment/cardValidation/avs_a (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Flag for AVS street address ("0" - unknown, "1" - matches, "2" - does not match)<br />
|-<br />
| colspan="1" | payment/cardValidation/cvv (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Flag for CVV/CVV2/CVD ("0" - unknown, "1" - matches, "2" - does not match)<br />
|-<br />
| colspan="1" | payment/maskedCardData (API 1.5 and later)<br />
| colspan="1" | container<br />
| colspan="1" | container for Credit Card details (which are allowed to store and display by PA-DSS)<br />
|-<br />
| colspan="1" | payment/maskedCardData/first6 (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | First six digits of the credit card number<br />
|-<br />
| colspan="1" | payment/maskedCardData/last4 (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Last four digits of the credit card number<br />
|-<br />
| colspan="1" | payment/maskedCardData/type (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Credit card type: VISA, MC, AMEX, etc<br />
|-<br />
| colspan="1" | payment/maskedCardData/expire_month (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Credit card expiration month<br />
|-<br />
| colspan="1" | payment/maskedCardData/expire_year (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Credit card expiration year<br />
|}<br />
<br />
===Response example===<br />
<br />
<pre><br />
<data><br />
<payment><br />
<status>2</status><br />
<message>Payment is authorized</message><br />
<isFraudStatus>1</isFraudStatus><br />
<currency>USD</currency><br />
<amount>10.61</amount><br />
<authorized>10.61</authorized><br />
<chargedAmount>0.00</chargedAmount><br />
<capturedAmount>0.00</capturedAmount><br />
<capturedAmountAvail>10.61</capturedAmountAvail><br />
<voidedAmount>0.00</voidedAmount><br />
<voidedAmountAvail>10.61</voidedAmountAvail><br />
<refundedAmount>0.00</refundedAmount><br />
<refundedAmountAvail>0.00</refundedAmountAvail><br />
<fraudAuthorized>0.00</fraudAuthorized><br />
<fraudCharged>0.00</fraudCharged><br />
<authorizeInProgress>0.00</authorizeInProgress><br />
<chargeInProgress>0.00</chargeInProgress><br />
<advinfo><br />
<Message></Message><br />
<Response code>1</Response><br />
<txn_id>6583</txn_id><br />
<Authorization number>ET154399</Authorization><br />
<AVS>5: Cardholder name incorrect, billing address and postal code match</AVS><br />
<Bank message>Approved</Bank><br />
<Bank response code>100</Bank><br />
<CVV2>M: CVV2 / CVC2/CVD Match.</CVV2><br />
<Processing status>Transaction Normal</Processing><br />
<Transarmor Token>8393008475641111</Transarmor><br />
<[Kount] 702650>Distance from Device to Billing &gt; 1000km</[Kount] 702650><br />
<[Kount] 702656>Billing Country not equal to BIN Country (Visa/MC)</[Kount] 702656><br />
<[Kount] 702662>Billing Country not equal to Device Country</[Kount] 702662><br />
<[Kount] Auto>R</[Kount] Auto><br />
<[Kount] Errors></[Kount] Errors><br />
<[Kount] Score>26</[Kount] Score><br />
<[Kount] Transaction ID>3Z7903KDCTT0</[Kount] Transaction ID><br />
<[Kount] Warnings></[Kount] Warnings><br />
</advinfo><br />
<transactionInProgress></transactionInProgress><br />
<capturedAmountAvailMin>0.00</capturedAmountAvailMin><br />
<capturedAmountAvailGateway>10.61</capturedAmountAvailGateway><br />
<capturedAmountAvailMinGateway>0.00</capturedAmountAvailMinGateway><br />
<voidedAmountAvailGateway>10.61</voidedAmountAvailGateway><br />
<refundedAmountAvailGateway>0.00</refundedAmountAvailGateway><br />
<cardValidation><br />
<avs_z>1</avs_z><br />
<avs_c>2</avs_c><br />
<avs_a>1</avs_a><br />
<cvv>1</cvv><br />
</cardValidation><br />
<maskedCardData><br />
<first6>411111</first6><br />
<last4>1111</last4><br />
<type>VISA</type><br />
<expire_month>03</expire_month><br />
<expire_year>2020</expire_year><br />
</maskedCardData><br />
</payment><br />
<transactions type="cell"><br />
<date>1438098759</date><br />
<action>Authorize</action><br />
<status>Success</status><br />
<message>Transaction Normal</message><br />
<total>10.61 USD</total><br />
<txnid>57629270</txnid><br />
<fields type="cell"><br />
<name>Authorization number</name><br />
<value>ET154399</value><br />
</fields><br />
<fields type="cell"><br />
<name>AVS</name><br />
<value>5: Cardholder name incorrect, billing address and postal code match</value><br />
</fields><br />
<fields type="cell"><br />
<name>Bank message</name><br />
<value>Approved</value><br />
</fields><br />
<fields type="cell"><br />
<name>Bank response code</name><br />
<value>100</value><br />
</fields><br />
<fields type="cell"><br />
<name>CVV2</name><br />
<value>M: CVV2 / CVC2/CVD Match.</value><br />
</fields><br />
<fields type="cell"><br />
<name>Processing status</name><br />
<value>Transaction Normal</value><br />
</fields><br />
<fields type="cell"><br />
<name>Transarmor Token</name><br />
<value>8393008475641111</value><br />
</fields><br />
<fields type="cell"><br />
<name>[Kount] 702650</name><br />
<value>Distance from Device to Billing &gt; 1000km</value><br />
</fields><br />
<fields type="cell"><br />
<name>[Kount] 702656</name><br />
<value>Billing Country not equal to BIN Country (Visa/MC)</value><br />
</fields><br />
<fields type="cell"><br />
<name>[Kount] 702662</name><br />
<value>Billing Country not equal to Device Country</value><br />
</fields><br />
<fields type="cell"><br />
<name>[Kount] Auto</name><br />
<value>R</value><br />
</fields><br />
<fields type="cell"><br />
<name>[Kount] Score</name><br />
<value>26</value><br />
</fields><br />
<fields type="cell"><br />
<name>[Kount] Transaction ID</name><br />
<value>3Z7903KDCTT0</value><br />
</fields><br />
<payment_status>Charged</payment_status><br />
</transactions><br />
<error></error><br />
<error_message></error_message><br />
<is_error_message></is_error_message><br />
<version>2.2.0</version><br />
</data><br />
</pre><br />
<br />
<br /><br />
''The following pertains to API 1.5 and later:''<br /><br />
If the transaction was checked by Kount antifraud screening service, the "advinfo" and "tansaction/fields" containers contain information of kount results. The field names related to Kount start with the [Kount] prefix. The information can be extracted as follows:<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1"| [Kount] %%%%%, where %%%%% is some number<br />
| colspan="1"| triggered rule, the number is the number of this rule<br />
|-<br />
| colspan="1"| [Kount] Auto<br />
| colspan="1"| The status of the transaction in Kount ("R" - review, "D" - declined, "A" - approved)<br />
|-<br />
| colspan="1"| [Kount] Errors<br />
| colspan="1"| list of errors (if any)<br />
|-<br />
| colspan="1"| [Kount] Warnings: <br />
| colspan="1"| list of warnings (if any)<br />
|-<br />
| colspan="1"| [Kount] Score<br />
| colspan="1"| Risk score<br />
|-<br />
| colspan="1"| [Kount] Transaction ID<br />
| colspan="1"| Transaction ID in Kount, can be used to display the direct link to the transaction in Kount, https://awc.test.kount.net/workflow/detail.html?id=%%%%%% for test mode or https://awc.kount.net/workflow/detail.html?id=%%%%%%, where %%%%% should be replaced with the transaction ID<br />
|}<br />
<br /><br />
<br />
==Capture authorized transaction request==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string,128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal capture<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | amount<br />
| colspan="1" | N<br />
| colspan="1" | currency<br />
| colspan="1" | The amount to capture from the previously authorized transaction. By default equals the amount of the authorized transaction<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
<br />
=== Request example ===<br />
<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<amount>50.00</amount><br />
<target>payment</target><br />
<action>capture</action><br />
</pre><br />
<br />
===Response example===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Operation status codes|Operation status code]]<br />
|-<br />
| colspan="1" | message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Gateway transaction message<br />
|}<br />
<br />
Response example <pre><data><br />
<status>1</status><br />
<message>Success</message><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
==Void authorized transaction request==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal void<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | amount<br />
| colspan="1" | N<br />
| colspan="1" | currency<br />
| colspan="1" | Amount to void of the authorized transaction. By default equals to the amount of the authorized transaction<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<amount>50.00</amount><br />
<target>payment</target><br />
<action>void</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Operation status codes|Operation status code]]<br />
|-<br />
| colspan="1" | message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Gateway transaction message<br />
|}<br />
<br />
===Response example===<br />
<br />
<pre><br />
<data><br />
<status>1</status><br />
<message>Success</message><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
==Refund captured transaction request==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal capture<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | amount<br />
| colspan="1" | N<br />
| colspan="1" | currency<br />
| colspan="1" | Amount to be refunded to the customer of the previously captured transactions. By default equals to the amount of captured transactions<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<amount>50.00</amount><br />
<target>payment</target><br />
<action>refund</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Operation status codes|Operation status code]]<br />
|-<br />
| colspan="1" | message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Gateway transaction message<br />
|}<br />
<br />
===Response example===<br />
<br />
<pre><data><br />
<status>1</status><br />
<message>Success</message><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
==Blocked by gateway transaction accept request (Accept)==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal accept<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<target>payment</target><br />
<action>accept</action><br />
</pre><br />
<br />
===Response example===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Operation status codes|Operation status code]]<br />
|-<br />
| colspan="1" | message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Gateway transaction message<br />
|}<br />
<br />
Response example <pre><data><br />
<status>1</status><br />
<message>Success</message><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
==Blocked by gateway transaction decline request (Decline)==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal decline<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<target>payment</target><br />
<action>decline</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Operation status codes|Operation status code]]<br />
|-<br />
| colspan="1" | message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Gateway transaction message<br />
|}<br />
<br />
===Response example===<br />
<br />
<pre><br />
<data><br />
<status>1</status><br />
<message>Success</message><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
<br />
==Charge again transaction request (Tokenization)==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal recharge<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID which references the token that will be used to identify the payment on the side of the payment gateway<br />
|-<br />
| colspan="1" | amount<br />
| colspan="1" | Y<br />
| colspan="1" | currency<br />
| colspan="1" | The amount for which the "saved" card is to be charged using the token from the previous successful transaction<br />
|-<br />
| colspan="1" | description<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Description of the transaction<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|-<br />
| colspan="1" | refId (supported by API 1.4 and later)<br />
| colspan="1" | N<br />
| colspan="1" | string, 128<br />
| colspan="1" | Order ID in the online store<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<amount>50.00</amount><br />
<description>Recurring payment for the new issue of Playboy</description><br />
<target>payment</target><br />
<action>recharge</action><br />
<api_version>1.2</api_version><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Operation status codes|Operation status code]]<br />
|-<br />
| colspan="1" | data<br />
| colspan="1" | array<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | data[status]<br />
| colspan="1" | integer<br />
| colspan="1" | Status of the new payment (See [[#Payment status codes|Payment status codes]])<br />
|-<br />
| colspan="1" | data[transaction_id]<br />
| colspan="1" | string<br />
| colspan="1" | ID of the created payment for further references (capture/void/refund etc)<br />
|-<br />
| colspan="1" | data[error]<br />
| colspan="1" | string<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | data[error_message]<br />
| colspan="1" | string<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | data[is_error_message]<br />
| colspan="1" | string<br />
| colspan="1" |<br />
|}<br />
<br /><br /><br />
<br />
==Callback request with service payment information==<br />
<br />
This is a background request that X-Payments sends to the store after a payment has been completed and it’s result (accepted, declined, etc) has been received from the payment gateway. The request is sent via HTTP POST to the callbackURL defined in the Payment initialisation request. Once this request has been sent, the customer is redirected back to the store.<br />
<br />
===POSTed data===<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Value'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | callback<br />
| colspan="1" | fixed string<br />
| colspan="1" | Identifies the callback request<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | (mixed)<br />
| colspan="1" | string (MD5 hash)<br />
| colspan="1" | A unique ID of the payment on the side of X-Payments<br />
|-<br />
| colspan="1" | updateData<br />
| colspan="1" | (mixed)<br />
| colspan="1" | string<br />
| colspan="1" | Encrypted response from X-Payments<br />
|}<br />
<br />
X-Payments does not expect a response from the store for this request; however, if the HTTP status of the response is not 200 OK, the request is considered failed, and a special notification is sent to the X-Payments admin. The store needs to decrypt the encrypted part of the response and update the order on its side accordingly. Once the updateData value has been decrypted, it is an XML document with the same structure as the [[X-Payments:API#Response_specification_2|response for Payment information request]].<br />
<br /><br /><br />
<br />
==Check cart callback request==<br />
<br />
After the customer has submitted credit card data, right before sending this data to the payment gateway, X-Payments connects to the store to verify the cart total and contents.<br />
<br />
The HTTP POST request is sent to the '''callbackURL''' defined in the '''Payment initialisation request'''.<br />
<br />
===POSTed data===<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Value'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | check_cart<br />
| colspan="1" | fixed string<br />
| colspan="1" | Identifies the check-cart callback request<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | (mixed)<br />
| colspan="1" | string (MD5 hash)<br />
| colspan="1" | A unique ID of the payment on the side of X-Payments<br />
|-<br />
| colspan="1" | refId<br />
| colspan="1" | (mixed)<br />
| colspan="1" | string<br />
| colspan="1" | Order ID (or any other reference) in the online store<br />
|}<br />
<br /><br />
As of API v1.3, the store must respond to this callback request. The response must be an encrypted XML document (i.e. the same way as for other communication between the store and X-Payments).<br />
<br />
===Encrypted response for check-cart callback request===<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | Y<br />
| colspan="1" | fixed string<br />
| colspan="1" | Should be “cart-changed” or "cart-not-changed"<br />
|-<br />
| colspan="1" | cart<br />
| colspan="1" | Y<br />
| colspan="1" | container<br />
| colspan="1" | A container with cart/order description. See [[X-Payments:API#Request_specification|Payment initialisation request specification]] for details. This container must be included for "status = cart-changed" and is not necessary for "status = cart-not-changed"<br />
|-<br />
| colspan="1" | saveCard<br />
| colspan="1" | N<br />
| colspan="1" | string<br />
| colspan="1" | Whether the customer has chosen to save their card for future use (“Y” if the customer would like to save the card)<br />
|}<br />
<br /><br /><br />
<br />
==Communication between X-Payments iframe and the store==<br />
<br />
===Communication structure===<br />
Communication between the online store (parent frame) and X-Payments (iframe) is implemented with the help of the javascript Window.postMessage method. Notifictions to both the sides represent stringified JSON formatted texts that consist of a service message (string) and an optional list of parameters:<br />
:* '''height''': height of the iframe<br />
:* '''error''': human readable message<br />
:* '''type''': message type. X-Payments sends it as 2, which indicates that the online store should re-initialize the payment. In API v1.3 no other values are supported.<br />
<br />
===Messages sent from the online store to X-Payments===<br />
'''Submit payment form'''<br /><br />
X-Payments’ iframe does not have a Submit button, so instead of it the payment form should be submitted from the parent window by any kind of “Submit order” or “Place order” button at checkout. At the same time, the special message '''submitPaymentForm''' with no parameters should be sent.<br />
-----------------------------------------------------------<br />
{<br />
:::message: 'submitPaymentForm',<br />
:::params: {}<br />
}<br />
-----------------------------------------------------------<br />
<br />
<br /><br /><br />
===Messages sent from X-Payments to the online store===<br />
'''Iframe is loaded and ready'''<br /><br />
The message ready notifies the parent window that the payment form is ready. The actual height of the iframe is included in the parameters, so the parent window (checkout page) can perform the necessary adjustments.<br />
-----------------------------------------------------------<br />
{<br />
:::message: 'ready',<br />
:::params: {<br />
::::::height: $(document).height()<br />
:::}<br />
}<br />
-----------------------------------------------------------<br />
<br /><br />
'''Payment form submitted with an error'''<br /><br />
The message '''paymentFormSubmitError''' with no parameters is sent in the case of any validation error. This may be the case, for example, if the customer’s credit card expiration date is in the past, or the credit card number does not match the card type (e.g. VISA, MasterCard), or when a required field has not been submitted (e.g. CVV2). Once the message '''paymentFormSubmitError''' with no parameters has been received, the store should not proceed to the next step of the checkout process, but should expect the payment form to be submitted again.<br />
-----------------------------------------------------------<br />
{<br />
:::message: 'paymentFormSubmitError',<br />
:::params: {}<br />
}<br />
-----------------------------------------------------------<br />
<br /><br />
'''Internal error'''<br /><br />
The '''paymentFormSubmitError''' message with a special set of parameters is used to notify the store if something is wrong outside X-Payments, and X-Payments cannot do anything about it (for example, if the payment gateway has sent an unknown/unexpected piece of data).<br />
-----------------------------------------------------------<br />
{<br />
:::message: 'paymentFormSubmitError',<br />
:::params: {<br />
::::::height: $(document).height(),<br />
::::::error: 'Internal error',<br />
::::::type: '2'<br />
:::}<br />
}<br />
-----------------------------------------------------------<br />
<br /><br />
'''Session is expired'''<br /><br />
For security reasons the length of the session is limited to 15 minutes. After this period the store has to re-initialize the payment. In this case X-Payments sends the '''paymentFormSubmitError''' message with the “Payment session expired” error.<br />
-----------------------------------------------------------<br />
{<br />
:::message: 'paymentFormSubmitError',<br />
:::params: {<br />
::::::height: $(document).height(),<br />
::::::error: 'Payment session expired',<br />
::::::type: '2'<br />
:::}<br />
}<br />
-----------------------------------------------------------<br />
<br /><br />
'''Payment form in Iframe is submitted''' (supported by API v1.4 and later)<br /><br />
The message '''paymentFormSubmit''' notifies the parent window that the payment form has been submitted from the X-Payments side; for example, if a customer clicks the Enter key inside the iframe. Once the store receives this message, it should operate in the same way as though the customer has clicked the Place order button at checkout.<br />
-----------------------------------------------------------<br />
{<br />
:::message: 'paymentFormSubmit',<br />
:::params: {}<br />
}<br />
<br />
-----------------------------------------------------------<br />
<br /><br /><br />
<br />
==Appendix A. Status codes.==<br />
<br />
===Payment status codes===<br />
: 1 - New<br />
: 2 - Authorized<br />
: 3 - Declined<br />
: 4 - Charged<br />
: 5 - Refunded<br />
: 6 - Partially refunded<br />
<br />
===Operation status codes===<br />
: 0 - transaction failed<br />
: 1 - transaction is successful<br />
: 2 - transaction is successful and is duplicate<br />
<br />
<br />
<br />
==See also==<br />
<br />
* [http://lu53.crtdev.local/%7Emixon/google-cache-w.php?q=/index.php?title=X-Cart:X-Payments_Connector X-Cart:X-Payments Connector]<br />
<br />
[[Category:X-Payments Developer Guide]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:Troubleshooting&diff=673X-Payments:Troubleshooting2016-05-25T10:05:51Z<p>Alex “Ambal” Mulin: /* Sage Pay - Reason: 4020 : Information received from an Invalid IP address */</p>
<hr />
<div><noinclude>{{Template:XP manual TOC}}</noinclude><br />
==Troubleshooting==<br />
<br />
===X-Payments 1.x installation process fails on a Windows server===<br />
If X-Payments 1.x installation fails on a Windows server, try replacing the following line from install.php:<br />
<pre>define('XP_DIR', rtrim(realpath(dirname(__FILE__)), XP_DS) . XP_DS);</pre><br />
with this line:<br />
<pre>define('XP_DIR', rtrim(dirname(__FILE__), XP_DS) . XP_DS);</pre><br />
<br />
===Warning: require_once(/home/user/public_html/xpayments/lib/PDO.php)===<br />
<br />
I am trying to install the X-Payments module but receive the following error on step 2 of the installation process:<br />
<br />
Warning: require_once(/home/user/public_html/xpayments/lib/PDO.php) [function.require-once]: failed to open stream: No such file or directory in /home/user/public_html/xpayments/top.inc.PHP53.php on line 84<br />
<br />
Fatal error: require_once() [function.require]: Failed opening required '/home/user/public_html/xpayments/lib/PDO.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/user/public_html/xpayments/top.inc.PHP53.php on line 84<br />
<br />
<br />
<b>Solution:</b><br />
<br />
It looks like the problem is related to the current PHP configuration on your server.<br />
<br />
PHP is currently compiled with the necessary extensions:<br />
<br />
'--enable-pdo=shared'<br />
'--with-pdo-mysql=shared'<br />
'--with-pdo-sqlite=shared'<br />
<br />
However, X-Payments requires a bit different type of PHP configuration. PDO extension, as well as the MySQL PDO driver, needs to be installed as a shared module. In other words your php.ini file needs to be updated so that the PDO extensions will be loaded automatically when PHP runs:<br />
<br />
extension=php_pdo.so<br />
extension=php_pdo_mysql.so<br />
<br />
See also:<br />
* http://php.net/manual/en/pdo.installation.php<br />
<br />
Please share this info with your server administrator and ask them to make the necessary changes in your PHP configuration.<br />
<br />
===cron.php: X-Payments is using a non-secure protocol error===<br />
<br />
I have tried everything to get the x payments cron.php working, but it is not working and we are getting this error:<br />
<br />
ERROR [2012-25-06 12:23:01]<br />
User: unknown; IP: unknown<br />
Zone: Core<br />
Code: NONSECURE_PROTOCOL (237)<br />
X-Payments is using a non-secure protocol<br />
<br />
Affected systems: Core/Defender.php file (60:assert); Application.php file (133:check); /home/user/public_html/xpayments/cron.php file (26:run)<br />
<br />
<b>Solution:</b><br />
<br />
Wrong PHP binary is used to run cron.php script. You need to run cron.php using so called "CLI" version of PHP. Ask your hosting administrator to tell where PHP CLI is located on your server and configure cron to run cron.php script using PHP CLI version.<br />
<br />
<br />
===Duplicate charges===<br />
<br />
X-Payments v1.0.5 may have this issue under certain circumstances (iFrame checkout option aka "Lite interface" is enabled). Reason is that customers don't see an obvious sign that their payment is being processed after they entered their details and clicked "Submit" button so they click once again. This may create duplicate charges with some payment processors supported by X-Payments.<br />
<br />
<b>Solution:</b><br />
<br />
Apply below patches to<br />
<br />
1) front-end templates of your X-Payments:<br />
<br />
[[File:Xp.105.diff]]<br />
<br />
2) X-Cart connector:<br />
<br />
[[File:Xc.454.diff]]<br />
<br />
<br />
See how to apply patches at [http://help.x-cart.com/index.php?title=X-Cart:To_apply_a_patch_manually X-Cart:To apply a patch manually]<br />
<br />
<b>Note:</b><br />
You do not need to apply the above patches if your X-Payments version is not v1.0.5 and if you do not use iFrame checkout provided by X-Payments.<br />
<br />
===Empty or 404 page at Magento admin back-end===<br />
<br />
If you see empty or 404 page at System -> Configuration -> X-Payments connector after installation do the following:<br />
<br />
1) Clear cache:<br />
System -> Cache Management<br />
<br />
2) Logout and login admin area again<br />
<br />
3) Then go to System -> Permissions -> Roles and click on "Administrators", then in a popup/new window click "Save Role".<br />
That's it.<br />
<br />
===My store background image does not carry over to X-Payments checkout area template===<br />
<br />
'''Solution:'''<br />
<br />
Make sure if the background image parameter in your X-Payments checkout skin is set as direct URL to your store image.<br />
<br />
X-Payments checkout skin CSS file includes the following class used to display the header of integrated store pages:<br />
<br />
#header .line1 .logo {<br />
background: url("../../skin/artistictunes_car_tires/css/../images/custom/top_image1.jpg") no-repeat scroll left top #000000;<br />
height: 240px;<br />
margin-left: 0;<br />
padding-top: 0;<br />
position: relative;<br />
width: auto;<br />
}<br />
<br />
For example, one of the possible solutions - modify the code of the generated CSS file, and change the default background image URL:<br />
<br />
"../../skin/artistictunes_car_tires/css/../images/custom/top_image1.jpg"<br />
<br />
to e.g. this one:<br />
<br />
"https://yourshopdomain.com/xcart/skin/artistictunes_car_tires/images/custom/top_image1.jpg"<br />
<br />
===X-Payments error (code: 843): Unallowed target===<br />
<br />
This type of error may appear in X-Cart versions prior to 4.5.0.<br />
You see below error message and X-Payments log file entry when using "Test connection" and "Request payment methods" buttons:<br />
<br />
Error message:<br />
<br />
<source><br />
- X-Payments error (code: 843): Unallowed target - ""<br />
</source><br />
<br />
X-Payments log file entry:<br />
<br />
<source><br />
-----------------------------------<br />
ERROR [2013-11-05 00:11:49]<br />
User: shopping cart (%%%%%%%%%%%); IP: %%%%%%%%%%%%<br />
Zone: Model<br />
Code: TARGET_UNALLOWED (843)<br />
Unallowed target - ""<br />
-----------------------------------<br />
</source><br />
<br />
<b>Solution:</b><br />
<br />
Check if you have correct charset code specified in "Charset" field on X-Cart admin back-end -> Content -> Languages -> Your store language page.<br />
See how to manage languages in X-Cart [[http://help.x-cart.com/index.php?title=X-Cart:Managing_Languages | here]].<br />
<br />
<br />
===Sage Pay - Reason: 4020 : Information received from an Invalid IP address===<br />
<br />
This is caused by a wrong IP for callbacks set in your Sage Pay account.<br />
<br />
If you are using X-Payments Hosted plan (Basic, PRO or Multistore) you need to add the IP address '''98.142.211.162''' or '''104.200.145.25''' in your SagePay merchant backend on the Settings -> Valid IPs page.<br />
<br />
If you are using a downloadable X-Payments license - you need to enter IP address of the server where your X-Payments copy is deployed. See [[X-Payments:How_It_Works#Callback_from_X-Payments_to_the_store | this article]] to understand X-Payments callbacks.<br />
<br />
===No credit card form displayed when a customer pays===<br />
<br />
====Error message at checkout instead of credit card form====<br />
<br />
You've made a change in credit card form template at X-Payments side and now your checkout doesn't work?<br />
<br />
This is the most probable situation with such type of errors during checkout via X-Payments. You've made a change in X-Payments credit card form and forgot to approve it at X-Payments admin back-end. As result X-Payments cannot process credit cards as it sees some changes in templates, but they are not approved by you, i.e. the admin user. Such approval process is implemented in X-Payments for security reasons. See also [[X-Payments:User_manual#Customizing_the_Interface]]<br />
<br />
'''Solution:'''<br />
<br />
Go into admin back-end dashboard and '''log in as the main admin user''' and check if it displays a warning about "Payment interface files have been modified" like below<br />
[[File:Warning_customer_interface_changed.png]]<br />
<br />
If yes, '''click "Approve" link''' in the warning text and everything is set now.<br />
<br />
====No payment methods are displayed in the X-Payments connector settings====<br />
<br />
So you deployed the configuration bundle copied from the X-Payments dashboard but do not see any payment methods in X-Cart on the X-Payments connector settings page.<br /><br />
Your checkout via X-Payments does not work either.<br />
<br />
'''Solution:'''<br />
Make sure the online store is enabled in the X-Payments Admin back end and has at least one payment method enabled for it.<br />
<br />
[[File:Xp_admin_backend.png|border|668px|]]<br />
<br />
====CyberSource Internal Error====<br />
<br />
Do you use CyberSource and get "Internal Error" on the checkout page along with below error within the X-Payments error log?<br />
<br />
<source><br />
<br />
ERROR [2012-13-12 17:27:17]<br />
User: unknown; IP: 68.184.224.121<br />
Zone: Transport<br />
Code: FILE_NOT_ACCESSIBLE (109)<br />
File "Path/to/the/cybersource/security/key/txt/file" does not exist or is not readable<br />
<br />
</source><br />
<br />
<b>Solution:</b><br />
<br />
Make sure you specified the right **server** path to the Cybersource key file on the [[X-Payments:CyberSourceSOAP | "CyberSource SOAP toolkit API" configuration page]], and it is readable by HTTP daemon on your X-Payments server.<br />
<br />
====You use Hosted X-Payments plans and run out of bandwidth====<br />
<br />
Congratulations! Your amount of transactions is impressive indeed! Most likely you used all bandwidth we provide for X-Payments Hosted accounts.<br />
<br />
'''Solution''':<br />
<br />
Please contact us using your HelpDesk account regarding the issue and we will consult you how to increase your bandwidth. Also, you should consider either upgrading to larger X-Payments Hosted plan or using X-Payments downloadable license that you can host yourself.<br />
<br />
====You use Hosted X-Payments plans and run out of disk space====<br />
<br />
One more reason for Hosted X-Payments plans can be you've run out of disk space we provide with every plan - check X-Payments folder at your X-Payments Hosted account (see [[X-Payments:X-Payments-Hosted-FAQ]]).<br />
<br />
'''Solution:'''<br />
<br />
Download logs files from your X-Payments Hosted account (see [[X-Payments:FAQ#Where_can_I_find_X-Payments_logs.3F]]) and remove them at X-Payments server to clear up some space.<br />
<br />
====Your integrated shopping cart does not pass all customer profile fields to X-Payments correctly====<br />
<br />
E.g. in X-Cart you can configure some vital for X-Payments customer profile fields (e.g. zipcode, address, email) as optional and your customers can miss them and do not fill in them with data during checkout. Thus X-Cart passes empty values for those data fields and X-Payments fails to process a transaction. X-Payments connector usually shows below warning<br />
<br />
[[File:Warning_profile_fields_XP_connector.png]]<br />
<br />
<br />
'''Solution:'''<br />
<br />
Either make such customer profile fields mandatory for checkout in your cart or customize your cart connector for X-Payments to pass non-empty values if they should not be mandatory for your checkout routine and customers can leave such profile fields empty.<br />
<br />
====PayPal PRO integration does not work in X-Cart 4.x====<br />
<br />
You followed [http://help.x-cart.com/index.php?title=X-Cart:Adding_and_enabling_PayPal_payment_methods_in_X-Cart Adding and enabling PayPal payment methods in X-Cart] and [[X-Payments:Configuring_PayPal_payment_modules_in_X-Payments]], made sure all configuration settings are set correctly, but PayPal PRO still does not work for you and you see "Internal error" message when you use X-Payments in iFrame mode or see "Internal error (The merchantEmail is missing or incorrect)" error message when X-Payments is configured as a separate page in your X-Cart checkout routine.<br />
<br />
'''Solution:'''<br />
<br />
PayPal module in X-Cart v4.x refers to "orders department email address" at General settings/Company options/Company emails section. You need to have a valid email address in that setting to fix the issue.<br />
<br />
====X-Cart isn't Synchronizing PayPal Payments PRO payment methods from X-Payments====<br />
<br />
Trying to update payment processor on the back end of the store in the X-Payments Connector. In the backend of the X-Payments Admin, there is a new payment method enabled- PayPal Payments Pro. Virtual Merchant will no longer be used. See screenshot in the attachment.<br />
<br />
On the backend of the site, once I try to Synchronize Payment Methods, the screen quickly shows options available to sync the new payment method. I have options to "set orders for..." then the options quickly disappear. There is a screenshot attached.<br />
<br />
So with that, once I try to synchronize, the system won't allow me. The old payment method still remains (although it hasn't been deleted in the X-Payment Admin Backend) but the new method SHOULD appear once they are synchronized, showing TWO payment methods on the backend of the store, with the option for me to enable either one.<br />
<br />
<br />
'''Solution:'''<br />
<br />
X-Cart 4 have some restrictions of PayPal usage, so that you need to first add PayPal Pro methods inside X-Cart and configure them using the same credentials like in X-Payments. Re-sync methods after that and you'll see the PayPal.<br />
<br />
====There are connection problems between your shopping cart and X-Payments at the time when a customer pays====<br />
<br />
Your cart cannot connect to X-Payments some times and your customers see "Internal error" displayed.<br />
<br />
'''Solution:'''<br />
<br />
Make sure your cart server can connect to X-Payments server at all times (especially during your site high load times of a day).<br />
<br />
==="Callback to online store is failed" notification and now all credit card transactions are failing===<br />
<br />
You receive below notifications from X-Payments<br />
<br />
<source><br />
"Callback to online store is failed. This notification has been sent by X-Payments installation at 'www.mysite.com'"<br />
</source><br />
<br />
and now all credit card transactions are failing and the credit card fields for secure checkout on your website are missing.<br />
<br />
<br />
'''Solution:'''<br />
<br />
Most likely you regenerated [[X-Payments:Encryption_keys | encryption codes in X-Payments]] but neglected to update the information in X-Cart, hence the credit card fields are not loading when the customer is attempting to use a credit card for payment.<br />
<br />
To remedy this go into X-Payments, copy the new encryption codes and paste them into X-Cart in the appropriate fields (Payment Methods → Credit Card → X-Payments connector module settings, see [http://help.x-cart.com/index.php?title=X-Cart:X-Payments_Connector#Configuring_X-Payments_Connector Configuring X-Payments Connector]).<br />
<br />
===Fatal error: Access to undeclared static property: XPay_Model_Base_Module::$this===<br />
<br />
You started to see error messages like below instead of working X-Payments.<br />
<br />
<source><br />
Fatal error: Access to undeclared static property: XPay_Model_Base_Module::$this in /xxxxxxxxxxx/lib/XPay/Model/Base/Module.php on line 153<br />
or<br />
Fatal error: Access to undeclared static property: XPay_Model_Base_Module::$this in /xxxxxxxxxxx/lib/XPay/Model/Base/Module.php on line 131<br />
</source><br />
<br />
'''Solution:'''<br />
<br />
It is due to updating PHP to v 5.4.<br />
<br />
To fix the problem, in lines 131 and 153 of<br />
<br />
<xpayments_dir>/lib/XPay/Model/Base/Module.php<br />
<br />
change<br />
<br />
<source><br />
self::$this-><br />
</source><br />
<br />
to<br />
<br />
<source><br />
$this-><br />
</source><br />
<br />
===My X-Payments doesn't store customers credit cards/X-Payments subscriptions module doesn't work===<br />
<br />
So "Store credit card" functionality or X-Payments Subscriptions module doesn't work in your shopping cart despite of you integrated it with X-Payments?<br />
<br />
'''Solution:'''<br />
<br />
# Make sure you use X-Payments v2.x because X-Payments v1.x doesn't support this functionality.<br />
# Make sure you use a payment gateway that supports so called "tokenization" in X-Payments v2.x - see the list of such payment gateways at [[X-Payments:Supported_payment_gateways]]. They have "+" in "Tokenization" column. "-" means tokenization is not supported for a payment gateway.<br />
# So you do use X-Payments v2.x and a payment gateway that supports tokenization in X-Payments? Please make sure tokenization functionality is enabled for your payment gateway account at payment gateway side. Sometimes payment gateways call it differently, e.g. "vault", "Transformer", etc. If you are not sure - contact your payment gateway to enable tokenization for your payment gateway.<br />
<br />
===Customer CC expires in 2022 - X-Payments stops at 2020===<br />
<br />
We just had a customer call in. He could not check out because our X-Payments payment page would not allow him to enter the expiration year of 2022 for his credit card. Our X-Payments only goes up to 2020.<br />
<br />
<br />
'''Solution:'''<br />
<br />
You need to change YEAR_RANGE from 7 to 10 for example in file lib/XPay/View/Payment/Main.php<br />
<br />
// Years list range<br />
<br />
const YEAR_RANGE = 7<br />
<br />
===White screen or HTTP 500 Internal server error instead of admin dashboard===<br />
<br />
You see white screen after logging in X-Payments admin dashboard.<br />
<br />
'''Solution:'''<br />
<br />
Some PHP packages contain a bug that causes "White screen" or HTTP 500 Internal server error when PHP operates with the database via PDO. If you experience such issue contact your hosting support referring to:<br />
<br />
https://bugs.php.net/bug.php?id=60825<br />
https://bugs.php.net/bug.php?id=53716<br />
<br />
===Magento: cannot test module connection or payment methods cannot be imported===<br />
<br />
You copied all configuration data from X-Payments properly but in Magento admin you see below message when you click "Test module" button<br />
Test transaction failed. Please check the X-Payment Connector settings and try again. If all options is ok review your X-Payments settings and make sure you have properly defined shopping cart properties.<br />
<br />
Or a message that payment methods cannot be imported when you click "Request payment methods" button.<br />
<br />
'''Solution:'''<br />
<br />
Possible reason - you do not have a valid SSL certificate installed for your X-Payments. Self-signed SSL cannot pass libCurl validation and thus prevent connection between Magento and X-Payments, too. You need to install a valid SSL certificate at X-Payments server.<br />
<br />
'''NOTE:''' users of our hosted X-Payments plans are safe since we provide SSL by default.<br />
<br />
===Google Chrome v41.0.2272.76 detects X-Payments v2.1 credit card form as a mobile site on desktops===<br />
<br />
After the update of the Google Chrome web browser to version 41.0.2272.76, the credit card form provided to your site by X-Payments v2.1 may be displayed incorrectly for Google Chrome users. <br />
The problem behind this is that the value of the user-agent header sent by Chrome has changed, which causes X-Payments to identify the browser as running on a mobile device, even when, if fact, it is running on a PC. The result is that the credit card form is corrupted like on these screen shots:<br />
<br />
- http://awesomescreenshot.com/0724kkas56<br />
- http://awesomescreenshot.com/04f4kkaq18<br />
<br />
<br />
'''Solution:'''<br />
<br />
To fix the issue, you need to update the Mobile Detect library in your X-Payments installation so the list of supported user agents is relevant. For that you should replace the file<br />
<xpayments-dir>/lib/MobileDetect.php with this one: https://drive.google.com/file/d/0B6p7sehSZL8_QUN6VmRVMHpxaFE/view?usp=sharing (should be done via SFTP, SSH, Control panel, etc.)<br />
<br />
If you find it difficult to apply the changes yourself please contact our Tech Support team using https://secure.x-cart.com.<br />
<br />
===Trouble with credit card logos in iFrame template for X-Cart 5===<br />
<br />
You use X-Cart 5 integrated with X-Payments v2.x and see credit card logos displayed like [https://drive.google.com/a/x-cart.com/file/d/0B6p7sehSZL8_T1kyQ0RCNS1nWDA/view?usp=sharing this in checkout] using Mac Safari or iPad.<br />
<br />
'''Solution'''<br />
<br />
Replace files fast.css and xc5.css in folder <x-pay_dir>/public/templates/ with these:<br />
<br />
https://drive.google.com/a/x-cart.com/folderview?id=0B6p7sehSZL8_OUVTeUtCUkFjY2M&usp=sharing<br />
<br />
<br />
===My entire shop is run in an iFrame and X-Payments does not display "Pay" button===<br />
<br />
There is a special code in X-Payments that hides "Pay" button if it the payment form is shown inside iframe.<br />
In your case the whole store is placed inside iframe and that triggers the special code.<br />
Easiest workaround which will not affect other stores connected to the X-Payments is to edit the template file css (I presume you use default.css) and where<br />
<br />
<pre><br />
div.content div.buttonRow {<br />
margin: 35px auto;<br />
width: 400px;<br />
}<br />
</pre><br />
<br />
you should add<br />
<br />
<pre><br />
display: block !important;<br />
</pre><br />
<br />
e.g. after correction that code will look like<br />
<br />
<pre><br />
div.content div.buttonRow {<br />
margin: 35px auto;<br />
width: 400px;<br />
display: block !important;<br />
}<br />
</pre><br />
<br />
Do not forget to approve the changes in the admin back-end afterwards.<br />
<br />
<br />
===X-Payments credit card form does not fit properly on Android tablet screen when used in iFrame in X-Cart 4 OPC===<br />
<br />
X-Payments credit card form is displayed as shown on [https://drive.google.com/file/d/0B6p7sehSZL8_ZDhac2JNVWxlQ1E/view?usp=sharing this screen shot].<br />
<br />
The reason is X-Cart 4 OPC shows desktop version of the site checkout while X-Payments shows mobile checkout template which is wider than needed for XC4 desktop OPC.<br />
<br />
'''Solution'''<br />
<br />
Apply [https://drive.google.com/file/d/0B6p7sehSZL8_c0JmYjhaRi1ITEE/view?usp=sharing this patch] to X-Payments connector files in your X-Cart 4.<br />
<br /><br />
<br />
===How to test payments via PayPal in X-Payments===<br />
<br />
There is a list of credit card numbers in the PayPal guides which many people assume can be used when processing credit card transactions through PayPal. However, many of these card numbers have been blocked from PayPal system in one fashion or another (e.g. delay processing a lot so integrated software like X-Cart or Magento just fails to place a test transaction), so general advice is "don't use those card numbers".<br />
<br />
In general, when testing credit card transactions with PayPal as the processor, it is recommended using a randomized credit card number. The number<br />
must have a valid BIN, a valid check digit, and must be the correct length for the card type, but aside from that, the card number can be random. <br />
You can get such random test credit card numbers at http://getcreditcardnumbers.com<br />
<br />
==="The TxnID field is missing or incorrect" message after upgrading to a new connector version in Magento===<br />
<br />
If after upgrading Magento connector to a new version and placing a new order you see an error message "The txnID field is missing or incorrect" instead of successful "Thank you for your order" page you need to clean/purge Magento's cache in your shop in the admin back-end. Consult with Magento user manual how to do that.<br />
<br />
===Browser warning about wrong SSL certificate pops up===<br />
<br />
If your browser shows a pop-up with warning about SSL certificate every time you test a transaction via X-Payments - this means your store installation has self-made/dummy SSL certificate. It is fine during testing, but you need to upgrade it to a real SSL certificate when your site goes live. <br />
During testing just add that SSL certificate to exclusions in your browser in order not to see that warning every time you place a test transaction via X-Payments. This won't help you to hide that message from your shoppers though. The warning is not shown by a browser if a real SSL certificate is used.<br />
<br />
==="X-Payments tried to notify the store about updates in payment but failed" notification===<br />
<br />
You receive notifications that say "X-Payments tried to notify the store about updates in payment but failed ...".<br />
<br />
They mean X-Payments callback requests have failed because of timeout or because your online shop site is not reachable by X-Payments.<br />
<br />
In the 1st case the store didn't respond within 15 seconds coded by default in X-Payments, but the logs from the side of the store for these requests say, that the requests were received and processed with no errors. It means, that communication between the store and X-Payments actually works, but it takes to long for the store to respond. As a quick solution for this very reason it is recommended to increase the timeout limits in your X-Payments installation:<br />
If X-Payments 2.x - in file lib/XPay/Model/Payment.php by changing "15" in a line of code that looks like to a bigger value (max 60):<br />
<br />
<pre><br />
$requestData->setTimeout(15);<br />
</pre><br />
<br />
If X-Payments 3.x - in file config/config.ini.php in section [callback] change value of wait_timeout param:<br />
<br />
<pre><br />
[callback]<br />
<br />
; Wait timeout for callback requests to the shopping cart (in seconds)<br />
wait_timeout=15<br />
</pre><br />
<br />
If you do not have access to your X-Payments installation code - contact vendors of the software by posting them a technical support ticket via https://secure.x-cart.com.<br />
<br />
But the right solution is to figure out why your web site does not respond to X-Payments callbacks within 15 seconds.<br />
<br />
In the 2nd case it might be firewall blocking X-Payments callback requests or your web shop was down for some time.<br />
<br />
==="No Payment Methods Available" message shown to a customer===<br />
<br />
A customer cannot place an order as he/she is displayed a message "No Payment Methods Available" at checkout and at the same time you see an error message "Data validation error, node "request": String length ("266342") exceeds the maximum allowed length for this node - "100000" in X-Payments error log file.<br />
<br />
'''Reason'''<br />
<br />
A shopper added too many line items (different products) to his/her cart ("too many" - e.g. over a thousand) and as result data passed to X-Payments exceeds amount it is configured to accept for security reasons.<br />
<br />
<br />
'''Solution'''<br />
<br />
1) a customer should divide his order in several with less number of line items and process them one by one.<br />
<br />
2) if you face to this issue too often you can increase amount of data allowed to be processed by X-Payments by changing value of constant REQUEST_MAX_LENGTH in X-Payments file lib/XPay/Transport/Request/Api.php, but we do not recommend to large value there for security reasons.<br />
<br />
===Payflow PRO currency issue===<br />
<br />
'''NOTE''': do not confuse this with PayPal Payments PRO (PayFlow API)! There is PayFlow PRO integration, too. We are talking about PayFlow PRO here.<br />
<br />
You need to process payments via PayFlow PRO in other currency than USD, but there is no way to change it. You configured integrated cart in e.g. CAD but X-Payments passes data to PayFlow PRO as USD. This is caused by features of PayFlow PRO API - no exact requirements about passing currency type to PayFlow PRO - sometimes it can be passed as "CUR", sometimes as "CU", etc depending on payment processor you have configured at PayFlow PRO back-end.<br />
<br />
'''Solution'''<br />
<br />
1) Switch to PayPal Payments Pro (Payflow API) integration instead of PayFlow PRO in X-Payments.<br />
<br />
or<br />
<br />
2) change code of X-Payments as follows:<br />
in file lib/XPay/Module/PayflowPro.php find function<br />
<br />
<pre><br />
private function getInitRequestBody(XPay_Transport_GatewayRequest $request)<br />
</pre><br />
<br />
In the function find lines<br />
<br />
<pre><br />
...<br />
$fields = array(<br />
'TRXTYPE' => XPay_Model_PaymentTransaction::SALE == $request->action ? 'S' : 'A',<br />
'AMT' => $this->preparePrice($request->payment->get('total')),<br />
'TAXAMT' => $this->preparePrice($additionalData->get('tax_cost')),<br />
...<br />
</pre><br />
<br />
and add a line of code<br />
<br />
<pre><br />
'CURRENCY' => $request->payment->get('currency'),<br />
</pre><br />
<br />
to get something like <br />
<br />
<pre><br />
'TRXTYPE' => XPay_Model_PaymentTransaction::SALE == $request->action ? 'S' : 'A',<br />
'CURRENCY' => $request->payment->get('currency'),<br />
'AMT' => $this->preparePrice($request->payment->get('total')),<br />
'TAXAMT' => $this->preparePrice($additionalData->get('tax_cost')),<br />
</pre><br />
<br />
The above tweak will work if "PayPal" is configured as the gateway in your PayFlow PRO account.<br />
<br />
For others you should directly specify currency in format required by payment gateway.<br />
<br />
E.g.<br />
<pre><br />
'CURRENCY' => 'USD',<br />
</pre><br />
<br />
<br />
===X-Cart 5 and Exception message: Shopping cart server returned wrong HTTP headers for callback.===<br />
<br />
You use X-Cart 5 and see below error message or error log entry at X-Cart 5 side:<br />
<br />
<pre><br />
Failed to send "check_cart" callback to the store "mydomain.com"<br />
Url: https://www.example.com/cart.php?target=callback&action=callback&xpcBackReference=ABCDEFGHIJKL<br />
Exception message: Shopping cart server returned wrong HTTP headers for callback.<br />
</pre><br />
<br />
'''Solution''':<br />
<br />
Most likely you try to test X-Payments with X-Cart 5 storefront closed. If so, in X-Cart 5 file etc/config.php find below piece of code:<br />
<br />
<pre><br />
[storefront_options]<br />
; Do not close target=callback for payments if storefront is closed<br />
callback_opened = Off<br />
</pre><br />
<br />
and change "Off" to "On" there.<br />
<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
[[Category:X-Payments User Manual]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:X-Payments-Hosted-FAQ&diff=672X-Payments:X-Payments-Hosted-FAQ2016-05-25T10:00:01Z<p>Alex “Ambal” Mulin: /* What do I need to put as "Callback IP"? */</p>
<hr />
<div>===What do I need to put as "Callback IP"?===<br />
<br />
If you use the X-Payments Hosted solution you should use IP address '''98.142.211.162''' if your account is based on X-Payments v1.x or v2.x or '''104.200.145.25''' if X-Payments v3.x<br />
<br />
===How to configure FTP client to connect to the yourdomain.x-checkout.com to access skins and logs?===<br />
<br />
You should use the details from the email received when your account was created:<br />
<br />
:* host: yourdomain.x-checkout.com <br /><br />
:* user: skins@yourdomain.x-checkout.com <br /><br />
:* password: the one that you've received <br /><br />
<br />
Please make sure that the "Explicit FTP over TLS" mode is used. This is required because plain text authentication is not allowed for PCI compliance.<br />
<br />
Instructions for FileZilla FTP Client:<br />
<br />
# Start FileZilla<br />
# Go to File -> Site Manager<br />
# Click New site<br />
# Enter the connection settings:<br />
#* Host: yourdomain.x-checkout.com <br /><br />
#* Port: leave blank <br /><br />
#* Protocol: FTP - File Transfer Protocol <br /><br />
#* Encryption: Require explict FTP over TLS <br /><br />
#* Logon type: Normal <br /><br />
#* user: skins@yourdomain.x-checkout.com <br /><br />
#* password: the one that you've received <br />[[File:Filezilla.png]]<br /><br />
# Click the Connect button<br />
<br />
[[Category:X-Payments User Manual]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:X-Payments-Hosted-FAQ&diff=671X-Payments:X-Payments-Hosted-FAQ2016-05-25T09:59:33Z<p>Alex “Ambal” Mulin: /* What do I need to put as "Callback IP"? */</p>
<hr />
<div>===What do I need to put as "Callback IP"?===<br />
<br />
If you use the X-Payments Hosted solution you should use IP address 98.142.211.162 if your account is based on X-Payments v1.x or v2.x or 104.200.145.25 if X-Payments v3.x<br />
<br />
===How to configure FTP client to connect to the yourdomain.x-checkout.com to access skins and logs?===<br />
<br />
You should use the details from the email received when your account was created:<br />
<br />
:* host: yourdomain.x-checkout.com <br /><br />
:* user: skins@yourdomain.x-checkout.com <br /><br />
:* password: the one that you've received <br /><br />
<br />
Please make sure that the "Explicit FTP over TLS" mode is used. This is required because plain text authentication is not allowed for PCI compliance.<br />
<br />
Instructions for FileZilla FTP Client:<br />
<br />
# Start FileZilla<br />
# Go to File -> Site Manager<br />
# Click New site<br />
# Enter the connection settings:<br />
#* Host: yourdomain.x-checkout.com <br /><br />
#* Port: leave blank <br /><br />
#* Protocol: FTP - File Transfer Protocol <br /><br />
#* Encryption: Require explict FTP over TLS <br /><br />
#* Logon type: Normal <br /><br />
#* user: skins@yourdomain.x-checkout.com <br /><br />
#* password: the one that you've received <br />[[File:Filezilla.png]]<br /><br />
# Click the Connect button<br />
<br />
[[Category:X-Payments User Manual]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:How_It_Works&diff=670X-Payments:How It Works2016-05-25T08:53:24Z<p>Alex “Ambal” Mulin: </p>
<hr />
<div><noinclude>{{XP_manual_TOC}}</noinclude><br />
<br />
==X-Payments flow via diagram==<br />
:[[File:XP-diagram.png|700px|border]]<br />
<br />
===API Call===<br />
<br />
1) Store initiates an API call to X-Payments to create a payment (Created payments can be [[X-Payments:User_manual#Viewing_Payments|viewed]] on the 'Payments' page in X-Payments back end). At this step store sends to X-Payments all information about the customer (billing and shipping address) and the products being purchased (product quantities and cost). In addition to that, store instructs X-Payments as to which payment configuration should be used.<br />
<br />
<br />
2) X-Payments validates this initial request from the store: checks whether the requested [[X-Payments:User_manual#Payment_Configurations|payment configuration]] is [[X-Payments:Managing store connections#Editing Online Store Details|active]], whether the payment currency passed on to X-Payments by the store matches the currency specified in the respective payment configuration in X-Payments, and makes some other internal checks; for instance, a check is conducted to ensure that the template files for the page where customers enter cardholder data have not been modified without approval by X-Payments admin. If everything is fine, X-Payments returns a [[X-Payments:API#Response_specification | payment "token"]] to the store (The token serves as a temporary identifier of the payment in X-Payments; it is generated as a result of the API call and is removed after the customer is redirected back to the store when the payment is completed). If a problem is detected, no token is sent to the store, and an internal error is generated in X-Payments. Detailed information about such errors can be found in the X-Payments and X-Cart logs:<br /><br />
* X-Payments: See the <u><xpay-dir>/var/log/api/YYYY-MM-DD/</u> directory<br />
* X-Cart: See the <u><xcart-dir>/var/log/x-errors_xpay_connector-YYMMDD.php</u> file<br />
<br />
===Payment===<br />
<br />
3) Customer is redirected to the X-Payments secure page where the form for entering credit card details is located. If the iframe is used, this redirect is not visible to customer, as the form is embedded into the checkout page.<br />
<br />
<br />
4) Customer enters credit card details and submits the form. These details are sent to the payment gateway along with other data previously received by X-Payments (address details, products being purchased, etc).<br />
<br />
<br />
5) Payment gateway operates with the bank to charge the card (or authorize the funds in case of an "auth only" transaction) and sends back to X-Payments the information about the transaction.<br />
<br />
The log of communication between X-Payments and the payment gateway can be found in the <u><xpay-dir>/var/log/payment/YYYY-MM-DD/</u> directory.<br />
<br />
===Callback from gateway (PayPal) to X-Payments===<br />
<br />
6) Some payment gateways also send back to X-Payments an additional "callback" request. This "callback" request provides detailed information about the transaction and also helps to validate/confirm the transaction. Currently only PayPal Payments PRO operates in X-Payments in such a way. As an additional protection, X-Payments allows you to specify the IP addresses from which the gateway's callback requests can be received. Provided with a list of trusted Call-back IPs for PayPal, X-Payments will only accept "callback" requests coming from PayPal’s server and ignore all other requests coming from anywhere else, should such requests be made. The list of PayPal’s IP addresses can be found here: https://ppmts.custhelp.com/app/answers/detail/a_id/92<br />
If you wish to use this additional protection, you can enter the necessary IP addresses into [[X-Payments:Configuring_PayPal_payment_modules_in_X-Payments#PayPalPaymentsProPayPalAPIconfsettings|PayPal payment configuration settings]] in X-Payments back end.<br />
<br />
The log of payment gateway callback request processing is saved to the <u><xpay-dir>/var/log/callback/YYYY-MM-DD/</u> directory.<br />
<br />
===Invoice===<br />
<br />
7) Customer is redirected back to the store where the Invoice page is displayed.<br />
If the transaction is declined by the payment gateway for some reason, the error page is displayed. Additional information about the reasons of the transaction being declined can be found in the X-Payments admin back end on the 'Payment details' page.<br />
<br />
<br />
===Callback from X-Payments to the store===<br />
<br />
8) Detailed information about the payment is sent to the store via a "callback" request.<br />
The same functionality ("callback" requests) is used to notify the store if the payment has been changed via X-Payments admin back end; for example, if a secondary transaction took place ('Capture' or 'Void' for an authorized transaction, 'Refund' for a charge).<br />
<br />
X-Cart allows additional protection for callback requests from X-Payments: thus you can specify the IP addresses for X-Payments callbacks in X-Payments connector module settings: http://help.x-cart.com/index.php?title=X-Cart:X-Payments_Connector. X-Cart will accept only those callback requests that come from the specified IP addresses, others will be ignored.<br />
<br />
'''Important''': On some server configurations the IP address from which the callback request comes may not match the IP of the server where X-Payments is installed as illustrated below:<br />
<br />
:[[File:XP-diagram1.png|700px|border]]<br />
<br />
Even if X-Payments is installed on the 172.18.0.3 IP address, and is accessible via web by it, the outgoing request is received from the "proxy" of 172.18.0.0. So, it is recommended to verify the IP address for outgoing HTTPS connections with your hosting provider.<br />
<br />
{{Note|If you use the '''X-Payments Hosted''' plan, you should use IP address '''98.142.211.162''' if your X-Payments account is v1.x or v2.x based or '''104.200.145.25''' if v3.x based.}}<br />
<br />
The log of the X-Payments callback requests processing is saved to the following locations:<br /><br />
* X-Cart: See the <u><xcart-dir>/var/log/x-errors_xpay_connector-YYMMDD.php</u> file if any error occurred.<br />
* X-Payments: See the <u><xpay-dir>/var/log/payment/YYYY-MM-DD/</u> directory for the initial Authorize or Sale (Authorize and Capture at the same time or Auto settle) transaction and <u><xpay-dir>/var/log/admin/YYYY-MM-DD/</u> directory for the secondary Capture, Void or Refund transaction.<br />
<br />
[[Category:X-Payments User Manual]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:Troubleshooting&diff=632X-Payments:Troubleshooting2016-05-05T12:49:52Z<p>Alex “Ambal” Mulin: /* "X-Payments tried to notify the store about updates in payment but failed" notification */</p>
<hr />
<div><noinclude>{{Template:XP manual TOC}}</noinclude><br />
==Troubleshooting==<br />
<br />
===X-Payments 1.x installation process fails on a Windows server===<br />
If X-Payments 1.x installation fails on a Windows server, try replacing the following line from install.php:<br />
<pre>define('XP_DIR', rtrim(realpath(dirname(__FILE__)), XP_DS) . XP_DS);</pre><br />
with this line:<br />
<pre>define('XP_DIR', rtrim(dirname(__FILE__), XP_DS) . XP_DS);</pre><br />
<br />
===Warning: require_once(/home/user/public_html/xpayments/lib/PDO.php)===<br />
<br />
I am trying to install the X-Payments module but receive the following error on step 2 of the installation process:<br />
<br />
Warning: require_once(/home/user/public_html/xpayments/lib/PDO.php) [function.require-once]: failed to open stream: No such file or directory in /home/user/public_html/xpayments/top.inc.PHP53.php on line 84<br />
<br />
Fatal error: require_once() [function.require]: Failed opening required '/home/user/public_html/xpayments/lib/PDO.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/user/public_html/xpayments/top.inc.PHP53.php on line 84<br />
<br />
<br />
<b>Solution:</b><br />
<br />
It looks like the problem is related to the current PHP configuration on your server.<br />
<br />
PHP is currently compiled with the necessary extensions:<br />
<br />
'--enable-pdo=shared'<br />
'--with-pdo-mysql=shared'<br />
'--with-pdo-sqlite=shared'<br />
<br />
However, X-Payments requires a bit different type of PHP configuration. PDO extension, as well as the MySQL PDO driver, needs to be installed as a shared module. In other words your php.ini file needs to be updated so that the PDO extensions will be loaded automatically when PHP runs:<br />
<br />
extension=php_pdo.so<br />
extension=php_pdo_mysql.so<br />
<br />
See also:<br />
* http://php.net/manual/en/pdo.installation.php<br />
<br />
Please share this info with your server administrator and ask them to make the necessary changes in your PHP configuration.<br />
<br />
===cron.php: X-Payments is using a non-secure protocol error===<br />
<br />
I have tried everything to get the x payments cron.php working, but it is not working and we are getting this error:<br />
<br />
ERROR [2012-25-06 12:23:01]<br />
User: unknown; IP: unknown<br />
Zone: Core<br />
Code: NONSECURE_PROTOCOL (237)<br />
X-Payments is using a non-secure protocol<br />
<br />
Affected systems: Core/Defender.php file (60:assert); Application.php file (133:check); /home/user/public_html/xpayments/cron.php file (26:run)<br />
<br />
<b>Solution:</b><br />
<br />
Wrong PHP binary is used to run cron.php script. You need to run cron.php using so called "CLI" version of PHP. Ask your hosting administrator to tell where PHP CLI is located on your server and configure cron to run cron.php script using PHP CLI version.<br />
<br />
<br />
===Duplicate charges===<br />
<br />
X-Payments v1.0.5 may have this issue under certain circumstances (iFrame checkout option aka "Lite interface" is enabled). Reason is that customers don't see an obvious sign that their payment is being processed after they entered their details and clicked "Submit" button so they click once again. This may create duplicate charges with some payment processors supported by X-Payments.<br />
<br />
<b>Solution:</b><br />
<br />
Apply below patches to<br />
<br />
1) front-end templates of your X-Payments:<br />
<br />
[[File:Xp.105.diff]]<br />
<br />
2) X-Cart connector:<br />
<br />
[[File:Xc.454.diff]]<br />
<br />
<br />
See how to apply patches at [http://help.x-cart.com/index.php?title=X-Cart:To_apply_a_patch_manually X-Cart:To apply a patch manually]<br />
<br />
<b>Note:</b><br />
You do not need to apply the above patches if your X-Payments version is not v1.0.5 and if you do not use iFrame checkout provided by X-Payments.<br />
<br />
===Empty or 404 page at Magento admin back-end===<br />
<br />
If you see empty or 404 page at System -> Configuration -> X-Payments connector after installation do the following:<br />
<br />
1) Clear cache:<br />
System -> Cache Management<br />
<br />
2) Logout and login admin area again<br />
<br />
3) Then go to System -> Permissions -> Roles and click on "Administrators", then in a popup/new window click "Save Role".<br />
That's it.<br />
<br />
===My store background image does not carry over to X-Payments checkout area template===<br />
<br />
'''Solution:'''<br />
<br />
Make sure if the background image parameter in your X-Payments checkout skin is set as direct URL to your store image.<br />
<br />
X-Payments checkout skin CSS file includes the following class used to display the header of integrated store pages:<br />
<br />
#header .line1 .logo {<br />
background: url("../../skin/artistictunes_car_tires/css/../images/custom/top_image1.jpg") no-repeat scroll left top #000000;<br />
height: 240px;<br />
margin-left: 0;<br />
padding-top: 0;<br />
position: relative;<br />
width: auto;<br />
}<br />
<br />
For example, one of the possible solutions - modify the code of the generated CSS file, and change the default background image URL:<br />
<br />
"../../skin/artistictunes_car_tires/css/../images/custom/top_image1.jpg"<br />
<br />
to e.g. this one:<br />
<br />
"https://yourshopdomain.com/xcart/skin/artistictunes_car_tires/images/custom/top_image1.jpg"<br />
<br />
===X-Payments error (code: 843): Unallowed target===<br />
<br />
This type of error may appear in X-Cart versions prior to 4.5.0.<br />
You see below error message and X-Payments log file entry when using "Test connection" and "Request payment methods" buttons:<br />
<br />
Error message:<br />
<br />
<source><br />
- X-Payments error (code: 843): Unallowed target - ""<br />
</source><br />
<br />
X-Payments log file entry:<br />
<br />
<source><br />
-----------------------------------<br />
ERROR [2013-11-05 00:11:49]<br />
User: shopping cart (%%%%%%%%%%%); IP: %%%%%%%%%%%%<br />
Zone: Model<br />
Code: TARGET_UNALLOWED (843)<br />
Unallowed target - ""<br />
-----------------------------------<br />
</source><br />
<br />
<b>Solution:</b><br />
<br />
Check if you have correct charset code specified in "Charset" field on X-Cart admin back-end -> Content -> Languages -> Your store language page.<br />
See how to manage languages in X-Cart [[http://help.x-cart.com/index.php?title=X-Cart:Managing_Languages | here]].<br />
<br />
<br />
===Sage Pay - Reason: 4020 : Information received from an Invalid IP address===<br />
<br />
This is caused by a wrong IP for callbacks set in your Sage Pay account.<br />
<br />
If you are using X-Payments Hosted plan (Basic, PRO or Multistore) you need to add the IP address of 98.142.211.162 in your SagePay merchant backend on the Settings -> Valid IPs page.<br />
<br />
If you are using a downloadable X-Payments license - you need to enter IP address of the server where your X-Payments copy is deployed. See [[X-Payments:How_It_Works#Callback_from_X-Payments_to_the_store | this article]] to understand X-Payments callbacks.<br />
<br />
===No credit card form displayed when a customer pays===<br />
<br />
====Error message at checkout instead of credit card form====<br />
<br />
You've made a change in credit card form template at X-Payments side and now your checkout doesn't work?<br />
<br />
This is the most probable situation with such type of errors during checkout via X-Payments. You've made a change in X-Payments credit card form and forgot to approve it at X-Payments admin back-end. As result X-Payments cannot process credit cards as it sees some changes in templates, but they are not approved by you, i.e. the admin user. Such approval process is implemented in X-Payments for security reasons. See also [[X-Payments:User_manual#Customizing_the_Interface]]<br />
<br />
'''Solution:'''<br />
<br />
Go into admin back-end dashboard and '''log in as the main admin user''' and check if it displays a warning about "Payment interface files have been modified" like below<br />
[[File:Warning_customer_interface_changed.png]]<br />
<br />
If yes, '''click "Approve" link''' in the warning text and everything is set now.<br />
<br />
====No payment methods are displayed in the X-Payments connector settings====<br />
<br />
So you deployed the configuration bundle copied from the X-Payments dashboard but do not see any payment methods in X-Cart on the X-Payments connector settings page.<br /><br />
Your checkout via X-Payments does not work either.<br />
<br />
'''Solution:'''<br />
Make sure the online store is enabled in the X-Payments Admin back end and has at least one payment method enabled for it.<br />
<br />
[[File:Xp_admin_backend.png|border|668px|]]<br />
<br />
====CyberSource Internal Error====<br />
<br />
Do you use CyberSource and get "Internal Error" on the checkout page along with below error within the X-Payments error log?<br />
<br />
<source><br />
<br />
ERROR [2012-13-12 17:27:17]<br />
User: unknown; IP: 68.184.224.121<br />
Zone: Transport<br />
Code: FILE_NOT_ACCESSIBLE (109)<br />
File "Path/to/the/cybersource/security/key/txt/file" does not exist or is not readable<br />
<br />
</source><br />
<br />
<b>Solution:</b><br />
<br />
Make sure you specified the right **server** path to the Cybersource key file on the [[X-Payments:CyberSourceSOAP | "CyberSource SOAP toolkit API" configuration page]], and it is readable by HTTP daemon on your X-Payments server.<br />
<br />
====You use Hosted X-Payments plans and run out of bandwidth====<br />
<br />
Congratulations! Your amount of transactions is impressive indeed! Most likely you used all bandwidth we provide for X-Payments Hosted accounts.<br />
<br />
'''Solution''':<br />
<br />
Please contact us using your HelpDesk account regarding the issue and we will consult you how to increase your bandwidth. Also, you should consider either upgrading to larger X-Payments Hosted plan or using X-Payments downloadable license that you can host yourself.<br />
<br />
====You use Hosted X-Payments plans and run out of disk space====<br />
<br />
One more reason for Hosted X-Payments plans can be you've run out of disk space we provide with every plan - check X-Payments folder at your X-Payments Hosted account (see [[X-Payments:X-Payments-Hosted-FAQ]]).<br />
<br />
'''Solution:'''<br />
<br />
Download logs files from your X-Payments Hosted account (see [[X-Payments:FAQ#Where_can_I_find_X-Payments_logs.3F]]) and remove them at X-Payments server to clear up some space.<br />
<br />
====Your integrated shopping cart does not pass all customer profile fields to X-Payments correctly====<br />
<br />
E.g. in X-Cart you can configure some vital for X-Payments customer profile fields (e.g. zipcode, address, email) as optional and your customers can miss them and do not fill in them with data during checkout. Thus X-Cart passes empty values for those data fields and X-Payments fails to process a transaction. X-Payments connector usually shows below warning<br />
<br />
[[File:Warning_profile_fields_XP_connector.png]]<br />
<br />
<br />
'''Solution:'''<br />
<br />
Either make such customer profile fields mandatory for checkout in your cart or customize your cart connector for X-Payments to pass non-empty values if they should not be mandatory for your checkout routine and customers can leave such profile fields empty.<br />
<br />
====PayPal PRO integration does not work in X-Cart 4.x====<br />
<br />
You followed [http://help.x-cart.com/index.php?title=X-Cart:Adding_and_enabling_PayPal_payment_methods_in_X-Cart Adding and enabling PayPal payment methods in X-Cart] and [[X-Payments:Configuring_PayPal_payment_modules_in_X-Payments]], made sure all configuration settings are set correctly, but PayPal PRO still does not work for you and you see "Internal error" message when you use X-Payments in iFrame mode or see "Internal error (The merchantEmail is missing or incorrect)" error message when X-Payments is configured as a separate page in your X-Cart checkout routine.<br />
<br />
'''Solution:'''<br />
<br />
PayPal module in X-Cart v4.x refers to "orders department email address" at General settings/Company options/Company emails section. You need to have a valid email address in that setting to fix the issue.<br />
<br />
====X-Cart isn't Synchronizing PayPal Payments PRO payment methods from X-Payments====<br />
<br />
Trying to update payment processor on the back end of the store in the X-Payments Connector. In the backend of the X-Payments Admin, there is a new payment method enabled- PayPal Payments Pro. Virtual Merchant will no longer be used. See screenshot in the attachment.<br />
<br />
On the backend of the site, once I try to Synchronize Payment Methods, the screen quickly shows options available to sync the new payment method. I have options to "set orders for..." then the options quickly disappear. There is a screenshot attached.<br />
<br />
So with that, once I try to synchronize, the system won't allow me. The old payment method still remains (although it hasn't been deleted in the X-Payment Admin Backend) but the new method SHOULD appear once they are synchronized, showing TWO payment methods on the backend of the store, with the option for me to enable either one.<br />
<br />
<br />
'''Solution:'''<br />
<br />
X-Cart 4 have some restrictions of PayPal usage, so that you need to first add PayPal Pro methods inside X-Cart and configure them using the same credentials like in X-Payments. Re-sync methods after that and you'll see the PayPal.<br />
<br />
====There are connection problems between your shopping cart and X-Payments at the time when a customer pays====<br />
<br />
Your cart cannot connect to X-Payments some times and your customers see "Internal error" displayed.<br />
<br />
'''Solution:'''<br />
<br />
Make sure your cart server can connect to X-Payments server at all times (especially during your site high load times of a day).<br />
<br />
==="Callback to online store is failed" notification and now all credit card transactions are failing===<br />
<br />
You receive below notifications from X-Payments<br />
<br />
<source><br />
"Callback to online store is failed. This notification has been sent by X-Payments installation at 'www.mysite.com'"<br />
</source><br />
<br />
and now all credit card transactions are failing and the credit card fields for secure checkout on your website are missing.<br />
<br />
<br />
'''Solution:'''<br />
<br />
Most likely you regenerated [[X-Payments:Encryption_keys | encryption codes in X-Payments]] but neglected to update the information in X-Cart, hence the credit card fields are not loading when the customer is attempting to use a credit card for payment.<br />
<br />
To remedy this go into X-Payments, copy the new encryption codes and paste them into X-Cart in the appropriate fields (Payment Methods → Credit Card → X-Payments connector module settings, see [http://help.x-cart.com/index.php?title=X-Cart:X-Payments_Connector#Configuring_X-Payments_Connector Configuring X-Payments Connector]).<br />
<br />
===Fatal error: Access to undeclared static property: XPay_Model_Base_Module::$this===<br />
<br />
You started to see error messages like below instead of working X-Payments.<br />
<br />
<source><br />
Fatal error: Access to undeclared static property: XPay_Model_Base_Module::$this in /xxxxxxxxxxx/lib/XPay/Model/Base/Module.php on line 153<br />
or<br />
Fatal error: Access to undeclared static property: XPay_Model_Base_Module::$this in /xxxxxxxxxxx/lib/XPay/Model/Base/Module.php on line 131<br />
</source><br />
<br />
'''Solution:'''<br />
<br />
It is due to updating PHP to v 5.4.<br />
<br />
To fix the problem, in lines 131 and 153 of<br />
<br />
<xpayments_dir>/lib/XPay/Model/Base/Module.php<br />
<br />
change<br />
<br />
<source><br />
self::$this-><br />
</source><br />
<br />
to<br />
<br />
<source><br />
$this-><br />
</source><br />
<br />
===My X-Payments doesn't store customers credit cards/X-Payments subscriptions module doesn't work===<br />
<br />
So "Store credit card" functionality or X-Payments Subscriptions module doesn't work in your shopping cart despite of you integrated it with X-Payments?<br />
<br />
'''Solution:'''<br />
<br />
# Make sure you use X-Payments v2.x because X-Payments v1.x doesn't support this functionality.<br />
# Make sure you use a payment gateway that supports so called "tokenization" in X-Payments v2.x - see the list of such payment gateways at [[X-Payments:Supported_payment_gateways]]. They have "+" in "Tokenization" column. "-" means tokenization is not supported for a payment gateway.<br />
# So you do use X-Payments v2.x and a payment gateway that supports tokenization in X-Payments? Please make sure tokenization functionality is enabled for your payment gateway account at payment gateway side. Sometimes payment gateways call it differently, e.g. "vault", "Transformer", etc. If you are not sure - contact your payment gateway to enable tokenization for your payment gateway.<br />
<br />
===Customer CC expires in 2022 - X-Payments stops at 2020===<br />
<br />
We just had a customer call in. He could not check out because our X-Payments payment page would not allow him to enter the expiration year of 2022 for his credit card. Our X-Payments only goes up to 2020.<br />
<br />
<br />
'''Solution:'''<br />
<br />
You need to change YEAR_RANGE from 7 to 10 for example in file lib/XPay/View/Payment/Main.php<br />
<br />
// Years list range<br />
<br />
const YEAR_RANGE = 7<br />
<br />
===White screen or HTTP 500 Internal server error instead of admin dashboard===<br />
<br />
You see white screen after logging in X-Payments admin dashboard.<br />
<br />
'''Solution:'''<br />
<br />
Some PHP packages contain a bug that causes "White screen" or HTTP 500 Internal server error when PHP operates with the database via PDO. If you experience such issue contact your hosting support referring to:<br />
<br />
https://bugs.php.net/bug.php?id=60825<br />
https://bugs.php.net/bug.php?id=53716<br />
<br />
===Magento: cannot test module connection or payment methods cannot be imported===<br />
<br />
You copied all configuration data from X-Payments properly but in Magento admin you see below message when you click "Test module" button<br />
Test transaction failed. Please check the X-Payment Connector settings and try again. If all options is ok review your X-Payments settings and make sure you have properly defined shopping cart properties.<br />
<br />
Or a message that payment methods cannot be imported when you click "Request payment methods" button.<br />
<br />
'''Solution:'''<br />
<br />
Possible reason - you do not have a valid SSL certificate installed for your X-Payments. Self-signed SSL cannot pass libCurl validation and thus prevent connection between Magento and X-Payments, too. You need to install a valid SSL certificate at X-Payments server.<br />
<br />
'''NOTE:''' users of our hosted X-Payments plans are safe since we provide SSL by default.<br />
<br />
===Google Chrome v41.0.2272.76 detects X-Payments v2.1 credit card form as a mobile site on desktops===<br />
<br />
After the update of the Google Chrome web browser to version 41.0.2272.76, the credit card form provided to your site by X-Payments v2.1 may be displayed incorrectly for Google Chrome users. <br />
The problem behind this is that the value of the user-agent header sent by Chrome has changed, which causes X-Payments to identify the browser as running on a mobile device, even when, if fact, it is running on a PC. The result is that the credit card form is corrupted like on these screen shots:<br />
<br />
- http://awesomescreenshot.com/0724kkas56<br />
- http://awesomescreenshot.com/04f4kkaq18<br />
<br />
<br />
'''Solution:'''<br />
<br />
To fix the issue, you need to update the Mobile Detect library in your X-Payments installation so the list of supported user agents is relevant. For that you should replace the file<br />
<xpayments-dir>/lib/MobileDetect.php with this one: https://drive.google.com/file/d/0B6p7sehSZL8_QUN6VmRVMHpxaFE/view?usp=sharing (should be done via SFTP, SSH, Control panel, etc.)<br />
<br />
If you find it difficult to apply the changes yourself please contact our Tech Support team using https://secure.x-cart.com.<br />
<br />
===Trouble with credit card logos in iFrame template for X-Cart 5===<br />
<br />
You use X-Cart 5 integrated with X-Payments v2.x and see credit card logos displayed like [https://drive.google.com/a/x-cart.com/file/d/0B6p7sehSZL8_T1kyQ0RCNS1nWDA/view?usp=sharing this in checkout] using Mac Safari or iPad.<br />
<br />
'''Solution'''<br />
<br />
Replace files fast.css and xc5.css in folder <x-pay_dir>/public/templates/ with these:<br />
<br />
https://drive.google.com/a/x-cart.com/folderview?id=0B6p7sehSZL8_OUVTeUtCUkFjY2M&usp=sharing<br />
<br />
<br />
===My entire shop is run in an iFrame and X-Payments does not display "Pay" button===<br />
<br />
There is a special code in X-Payments that hides "Pay" button if it the payment form is shown inside iframe.<br />
In your case the whole store is placed inside iframe and that triggers the special code.<br />
Easiest workaround which will not affect other stores connected to the X-Payments is to edit the template file css (I presume you use default.css) and where<br />
<br />
<pre><br />
div.content div.buttonRow {<br />
margin: 35px auto;<br />
width: 400px;<br />
}<br />
</pre><br />
<br />
you should add<br />
<br />
<pre><br />
display: block !important;<br />
</pre><br />
<br />
e.g. after correction that code will look like<br />
<br />
<pre><br />
div.content div.buttonRow {<br />
margin: 35px auto;<br />
width: 400px;<br />
display: block !important;<br />
}<br />
</pre><br />
<br />
Do not forget to approve the changes in the admin back-end afterwards.<br />
<br />
<br />
===X-Payments credit card form does not fit properly on Android tablet screen when used in iFrame in X-Cart 4 OPC===<br />
<br />
X-Payments credit card form is displayed as shown on [https://drive.google.com/file/d/0B6p7sehSZL8_ZDhac2JNVWxlQ1E/view?usp=sharing this screen shot].<br />
<br />
The reason is X-Cart 4 OPC shows desktop version of the site checkout while X-Payments shows mobile checkout template which is wider than needed for XC4 desktop OPC.<br />
<br />
'''Solution'''<br />
<br />
Apply [https://drive.google.com/file/d/0B6p7sehSZL8_c0JmYjhaRi1ITEE/view?usp=sharing this patch] to X-Payments connector files in your X-Cart 4.<br />
<br /><br />
<br />
===How to test payments via PayPal in X-Payments===<br />
<br />
There is a list of credit card numbers in the PayPal guides which many people assume can be used when processing credit card transactions through PayPal. However, many of these card numbers have been blocked from PayPal system in one fashion or another (e.g. delay processing a lot so integrated software like X-Cart or Magento just fails to place a test transaction), so general advice is "don't use those card numbers".<br />
<br />
In general, when testing credit card transactions with PayPal as the processor, it is recommended using a randomized credit card number. The number<br />
must have a valid BIN, a valid check digit, and must be the correct length for the card type, but aside from that, the card number can be random. <br />
You can get such random test credit card numbers at http://getcreditcardnumbers.com<br />
<br />
==="The TxnID field is missing or incorrect" message after upgrading to a new connector version in Magento===<br />
<br />
If after upgrading Magento connector to a new version and placing a new order you see an error message "The txnID field is missing or incorrect" instead of successful "Thank you for your order" page you need to clean/purge Magento's cache in your shop in the admin back-end. Consult with Magento user manual how to do that.<br />
<br />
===Browser warning about wrong SSL certificate pops up===<br />
<br />
If your browser shows a pop-up with warning about SSL certificate every time you test a transaction via X-Payments - this means your store installation has self-made/dummy SSL certificate. It is fine during testing, but you need to upgrade it to a real SSL certificate when your site goes live. <br />
During testing just add that SSL certificate to exclusions in your browser in order not to see that warning every time you place a test transaction via X-Payments. This won't help you to hide that message from your shoppers though. The warning is not shown by a browser if a real SSL certificate is used.<br />
<br />
==="X-Payments tried to notify the store about updates in payment but failed" notification===<br />
<br />
You receive notifications that say "X-Payments tried to notify the store about updates in payment but failed ...".<br />
<br />
They mean X-Payments callback requests have failed because of timeout or because your online shop site is not reachable by X-Payments.<br />
<br />
In the 1st case the store didn't respond within 15 seconds coded by default in X-Payments, but the logs from the side of the store for these requests say, that the requests were received and processed with no errors. It means, that communication between the store and X-Payments actually works, but it takes to long for the store to respond. As a quick solution for this very reason it is recommended to increase the timeout limits in your X-Payments installation:<br />
If X-Payments 2.x - in file lib/XPay/Model/Payment.php by changing "15" in a line of code that looks like to a bigger value (max 60):<br />
<br />
<pre><br />
$requestData->setTimeout(15);<br />
</pre><br />
<br />
If X-Payments 3.x - in file config/config.ini.php in section [callback] change value of wait_timeout param:<br />
<br />
<pre><br />
[callback]<br />
<br />
; Wait timeout for callback requests to the shopping cart (in seconds)<br />
wait_timeout=15<br />
</pre><br />
<br />
If you do not have access to your X-Payments installation code - contact vendors of the software by posting them a technical support ticket via https://secure.x-cart.com.<br />
<br />
But the right solution is to figure out why your web site does not respond to X-Payments callbacks within 15 seconds.<br />
<br />
In the 2nd case it might be firewall blocking X-Payments callback requests or your web shop was down for some time.<br />
<br />
==="No Payment Methods Available" message shown to a customer===<br />
<br />
A customer cannot place an order as he/she is displayed a message "No Payment Methods Available" at checkout and at the same time you see an error message "Data validation error, node "request": String length ("266342") exceeds the maximum allowed length for this node - "100000" in X-Payments error log file.<br />
<br />
'''Reason'''<br />
<br />
A shopper added too many line items (different products) to his/her cart ("too many" - e.g. over a thousand) and as result data passed to X-Payments exceeds amount it is configured to accept for security reasons.<br />
<br />
<br />
'''Solution'''<br />
<br />
1) a customer should divide his order in several with less number of line items and process them one by one.<br />
<br />
2) if you face to this issue too often you can increase amount of data allowed to be processed by X-Payments by changing value of constant REQUEST_MAX_LENGTH in X-Payments file lib/XPay/Transport/Request/Api.php, but we do not recommend to large value there for security reasons.<br />
<br />
===Payflow PRO currency issue===<br />
<br />
'''NOTE''': do not confuse this with PayPal Payments PRO (PayFlow API)! There is PayFlow PRO integration, too. We are talking about PayFlow PRO here.<br />
<br />
You need to process payments via PayFlow PRO in other currency than USD, but there is no way to change it. You configured integrated cart in e.g. CAD but X-Payments passes data to PayFlow PRO as USD. This is caused by features of PayFlow PRO API - no exact requirements about passing currency type to PayFlow PRO - sometimes it can be passed as "CUR", sometimes as "CU", etc depending on payment processor you have configured at PayFlow PRO back-end.<br />
<br />
'''Solution'''<br />
<br />
1) Switch to PayPal Payments Pro (Payflow API) integration instead of PayFlow PRO in X-Payments.<br />
<br />
or<br />
<br />
2) change code of X-Payments as follows:<br />
in file lib/XPay/Module/PayflowPro.php find function<br />
<br />
<pre><br />
private function getInitRequestBody(XPay_Transport_GatewayRequest $request)<br />
</pre><br />
<br />
In the function find lines<br />
<br />
<pre><br />
...<br />
$fields = array(<br />
'TRXTYPE' => XPay_Model_PaymentTransaction::SALE == $request->action ? 'S' : 'A',<br />
'AMT' => $this->preparePrice($request->payment->get('total')),<br />
'TAXAMT' => $this->preparePrice($additionalData->get('tax_cost')),<br />
...<br />
</pre><br />
<br />
and add a line of code<br />
<br />
<pre><br />
'CURRENCY' => $request->payment->get('currency'),<br />
</pre><br />
<br />
to get something like <br />
<br />
<pre><br />
'TRXTYPE' => XPay_Model_PaymentTransaction::SALE == $request->action ? 'S' : 'A',<br />
'CURRENCY' => $request->payment->get('currency'),<br />
'AMT' => $this->preparePrice($request->payment->get('total')),<br />
'TAXAMT' => $this->preparePrice($additionalData->get('tax_cost')),<br />
</pre><br />
<br />
The above tweak will work if "PayPal" is configured as the gateway in your PayFlow PRO account.<br />
<br />
For others you should directly specify currency in format required by payment gateway.<br />
<br />
E.g.<br />
<pre><br />
'CURRENCY' => 'USD',<br />
</pre><br />
<br />
<br />
===X-Cart 5 and Exception message: Shopping cart server returned wrong HTTP headers for callback.===<br />
<br />
You use X-Cart 5 and see below error message or error log entry at X-Cart 5 side:<br />
<br />
<pre><br />
Failed to send "check_cart" callback to the store "mydomain.com"<br />
Url: https://www.example.com/cart.php?target=callback&action=callback&xpcBackReference=ABCDEFGHIJKL<br />
Exception message: Shopping cart server returned wrong HTTP headers for callback.<br />
</pre><br />
<br />
'''Solution''':<br />
<br />
Most likely you try to test X-Payments with X-Cart 5 storefront closed. If so, in X-Cart 5 file etc/config.php find below piece of code:<br />
<br />
<pre><br />
[storefront_options]<br />
; Do not close target=callback for payments if storefront is closed<br />
callback_opened = Off<br />
</pre><br />
<br />
and change "Off" to "On" there.<br />
<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
[[Category:X-Payments User Manual]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:Troubleshooting&diff=631X-Payments:Troubleshooting2016-05-05T12:49:22Z<p>Alex “Ambal” Mulin: /* "X-Payments tried to notify the store about updates in payment but failed" notification */</p>
<hr />
<div><noinclude>{{Template:XP manual TOC}}</noinclude><br />
==Troubleshooting==<br />
<br />
===X-Payments 1.x installation process fails on a Windows server===<br />
If X-Payments 1.x installation fails on a Windows server, try replacing the following line from install.php:<br />
<pre>define('XP_DIR', rtrim(realpath(dirname(__FILE__)), XP_DS) . XP_DS);</pre><br />
with this line:<br />
<pre>define('XP_DIR', rtrim(dirname(__FILE__), XP_DS) . XP_DS);</pre><br />
<br />
===Warning: require_once(/home/user/public_html/xpayments/lib/PDO.php)===<br />
<br />
I am trying to install the X-Payments module but receive the following error on step 2 of the installation process:<br />
<br />
Warning: require_once(/home/user/public_html/xpayments/lib/PDO.php) [function.require-once]: failed to open stream: No such file or directory in /home/user/public_html/xpayments/top.inc.PHP53.php on line 84<br />
<br />
Fatal error: require_once() [function.require]: Failed opening required '/home/user/public_html/xpayments/lib/PDO.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/user/public_html/xpayments/top.inc.PHP53.php on line 84<br />
<br />
<br />
<b>Solution:</b><br />
<br />
It looks like the problem is related to the current PHP configuration on your server.<br />
<br />
PHP is currently compiled with the necessary extensions:<br />
<br />
'--enable-pdo=shared'<br />
'--with-pdo-mysql=shared'<br />
'--with-pdo-sqlite=shared'<br />
<br />
However, X-Payments requires a bit different type of PHP configuration. PDO extension, as well as the MySQL PDO driver, needs to be installed as a shared module. In other words your php.ini file needs to be updated so that the PDO extensions will be loaded automatically when PHP runs:<br />
<br />
extension=php_pdo.so<br />
extension=php_pdo_mysql.so<br />
<br />
See also:<br />
* http://php.net/manual/en/pdo.installation.php<br />
<br />
Please share this info with your server administrator and ask them to make the necessary changes in your PHP configuration.<br />
<br />
===cron.php: X-Payments is using a non-secure protocol error===<br />
<br />
I have tried everything to get the x payments cron.php working, but it is not working and we are getting this error:<br />
<br />
ERROR [2012-25-06 12:23:01]<br />
User: unknown; IP: unknown<br />
Zone: Core<br />
Code: NONSECURE_PROTOCOL (237)<br />
X-Payments is using a non-secure protocol<br />
<br />
Affected systems: Core/Defender.php file (60:assert); Application.php file (133:check); /home/user/public_html/xpayments/cron.php file (26:run)<br />
<br />
<b>Solution:</b><br />
<br />
Wrong PHP binary is used to run cron.php script. You need to run cron.php using so called "CLI" version of PHP. Ask your hosting administrator to tell where PHP CLI is located on your server and configure cron to run cron.php script using PHP CLI version.<br />
<br />
<br />
===Duplicate charges===<br />
<br />
X-Payments v1.0.5 may have this issue under certain circumstances (iFrame checkout option aka "Lite interface" is enabled). Reason is that customers don't see an obvious sign that their payment is being processed after they entered their details and clicked "Submit" button so they click once again. This may create duplicate charges with some payment processors supported by X-Payments.<br />
<br />
<b>Solution:</b><br />
<br />
Apply below patches to<br />
<br />
1) front-end templates of your X-Payments:<br />
<br />
[[File:Xp.105.diff]]<br />
<br />
2) X-Cart connector:<br />
<br />
[[File:Xc.454.diff]]<br />
<br />
<br />
See how to apply patches at [http://help.x-cart.com/index.php?title=X-Cart:To_apply_a_patch_manually X-Cart:To apply a patch manually]<br />
<br />
<b>Note:</b><br />
You do not need to apply the above patches if your X-Payments version is not v1.0.5 and if you do not use iFrame checkout provided by X-Payments.<br />
<br />
===Empty or 404 page at Magento admin back-end===<br />
<br />
If you see empty or 404 page at System -> Configuration -> X-Payments connector after installation do the following:<br />
<br />
1) Clear cache:<br />
System -> Cache Management<br />
<br />
2) Logout and login admin area again<br />
<br />
3) Then go to System -> Permissions -> Roles and click on "Administrators", then in a popup/new window click "Save Role".<br />
That's it.<br />
<br />
===My store background image does not carry over to X-Payments checkout area template===<br />
<br />
'''Solution:'''<br />
<br />
Make sure if the background image parameter in your X-Payments checkout skin is set as direct URL to your store image.<br />
<br />
X-Payments checkout skin CSS file includes the following class used to display the header of integrated store pages:<br />
<br />
#header .line1 .logo {<br />
background: url("../../skin/artistictunes_car_tires/css/../images/custom/top_image1.jpg") no-repeat scroll left top #000000;<br />
height: 240px;<br />
margin-left: 0;<br />
padding-top: 0;<br />
position: relative;<br />
width: auto;<br />
}<br />
<br />
For example, one of the possible solutions - modify the code of the generated CSS file, and change the default background image URL:<br />
<br />
"../../skin/artistictunes_car_tires/css/../images/custom/top_image1.jpg"<br />
<br />
to e.g. this one:<br />
<br />
"https://yourshopdomain.com/xcart/skin/artistictunes_car_tires/images/custom/top_image1.jpg"<br />
<br />
===X-Payments error (code: 843): Unallowed target===<br />
<br />
This type of error may appear in X-Cart versions prior to 4.5.0.<br />
You see below error message and X-Payments log file entry when using "Test connection" and "Request payment methods" buttons:<br />
<br />
Error message:<br />
<br />
<source><br />
- X-Payments error (code: 843): Unallowed target - ""<br />
</source><br />
<br />
X-Payments log file entry:<br />
<br />
<source><br />
-----------------------------------<br />
ERROR [2013-11-05 00:11:49]<br />
User: shopping cart (%%%%%%%%%%%); IP: %%%%%%%%%%%%<br />
Zone: Model<br />
Code: TARGET_UNALLOWED (843)<br />
Unallowed target - ""<br />
-----------------------------------<br />
</source><br />
<br />
<b>Solution:</b><br />
<br />
Check if you have correct charset code specified in "Charset" field on X-Cart admin back-end -> Content -> Languages -> Your store language page.<br />
See how to manage languages in X-Cart [[http://help.x-cart.com/index.php?title=X-Cart:Managing_Languages | here]].<br />
<br />
<br />
===Sage Pay - Reason: 4020 : Information received from an Invalid IP address===<br />
<br />
This is caused by a wrong IP for callbacks set in your Sage Pay account.<br />
<br />
If you are using X-Payments Hosted plan (Basic, PRO or Multistore) you need to add the IP address of 98.142.211.162 in your SagePay merchant backend on the Settings -> Valid IPs page.<br />
<br />
If you are using a downloadable X-Payments license - you need to enter IP address of the server where your X-Payments copy is deployed. See [[X-Payments:How_It_Works#Callback_from_X-Payments_to_the_store | this article]] to understand X-Payments callbacks.<br />
<br />
===No credit card form displayed when a customer pays===<br />
<br />
====Error message at checkout instead of credit card form====<br />
<br />
You've made a change in credit card form template at X-Payments side and now your checkout doesn't work?<br />
<br />
This is the most probable situation with such type of errors during checkout via X-Payments. You've made a change in X-Payments credit card form and forgot to approve it at X-Payments admin back-end. As result X-Payments cannot process credit cards as it sees some changes in templates, but they are not approved by you, i.e. the admin user. Such approval process is implemented in X-Payments for security reasons. See also [[X-Payments:User_manual#Customizing_the_Interface]]<br />
<br />
'''Solution:'''<br />
<br />
Go into admin back-end dashboard and '''log in as the main admin user''' and check if it displays a warning about "Payment interface files have been modified" like below<br />
[[File:Warning_customer_interface_changed.png]]<br />
<br />
If yes, '''click "Approve" link''' in the warning text and everything is set now.<br />
<br />
====No payment methods are displayed in the X-Payments connector settings====<br />
<br />
So you deployed the configuration bundle copied from the X-Payments dashboard but do not see any payment methods in X-Cart on the X-Payments connector settings page.<br /><br />
Your checkout via X-Payments does not work either.<br />
<br />
'''Solution:'''<br />
Make sure the online store is enabled in the X-Payments Admin back end and has at least one payment method enabled for it.<br />
<br />
[[File:Xp_admin_backend.png|border|668px|]]<br />
<br />
====CyberSource Internal Error====<br />
<br />
Do you use CyberSource and get "Internal Error" on the checkout page along with below error within the X-Payments error log?<br />
<br />
<source><br />
<br />
ERROR [2012-13-12 17:27:17]<br />
User: unknown; IP: 68.184.224.121<br />
Zone: Transport<br />
Code: FILE_NOT_ACCESSIBLE (109)<br />
File "Path/to/the/cybersource/security/key/txt/file" does not exist or is not readable<br />
<br />
</source><br />
<br />
<b>Solution:</b><br />
<br />
Make sure you specified the right **server** path to the Cybersource key file on the [[X-Payments:CyberSourceSOAP | "CyberSource SOAP toolkit API" configuration page]], and it is readable by HTTP daemon on your X-Payments server.<br />
<br />
====You use Hosted X-Payments plans and run out of bandwidth====<br />
<br />
Congratulations! Your amount of transactions is impressive indeed! Most likely you used all bandwidth we provide for X-Payments Hosted accounts.<br />
<br />
'''Solution''':<br />
<br />
Please contact us using your HelpDesk account regarding the issue and we will consult you how to increase your bandwidth. Also, you should consider either upgrading to larger X-Payments Hosted plan or using X-Payments downloadable license that you can host yourself.<br />
<br />
====You use Hosted X-Payments plans and run out of disk space====<br />
<br />
One more reason for Hosted X-Payments plans can be you've run out of disk space we provide with every plan - check X-Payments folder at your X-Payments Hosted account (see [[X-Payments:X-Payments-Hosted-FAQ]]).<br />
<br />
'''Solution:'''<br />
<br />
Download logs files from your X-Payments Hosted account (see [[X-Payments:FAQ#Where_can_I_find_X-Payments_logs.3F]]) and remove them at X-Payments server to clear up some space.<br />
<br />
====Your integrated shopping cart does not pass all customer profile fields to X-Payments correctly====<br />
<br />
E.g. in X-Cart you can configure some vital for X-Payments customer profile fields (e.g. zipcode, address, email) as optional and your customers can miss them and do not fill in them with data during checkout. Thus X-Cart passes empty values for those data fields and X-Payments fails to process a transaction. X-Payments connector usually shows below warning<br />
<br />
[[File:Warning_profile_fields_XP_connector.png]]<br />
<br />
<br />
'''Solution:'''<br />
<br />
Either make such customer profile fields mandatory for checkout in your cart or customize your cart connector for X-Payments to pass non-empty values if they should not be mandatory for your checkout routine and customers can leave such profile fields empty.<br />
<br />
====PayPal PRO integration does not work in X-Cart 4.x====<br />
<br />
You followed [http://help.x-cart.com/index.php?title=X-Cart:Adding_and_enabling_PayPal_payment_methods_in_X-Cart Adding and enabling PayPal payment methods in X-Cart] and [[X-Payments:Configuring_PayPal_payment_modules_in_X-Payments]], made sure all configuration settings are set correctly, but PayPal PRO still does not work for you and you see "Internal error" message when you use X-Payments in iFrame mode or see "Internal error (The merchantEmail is missing or incorrect)" error message when X-Payments is configured as a separate page in your X-Cart checkout routine.<br />
<br />
'''Solution:'''<br />
<br />
PayPal module in X-Cart v4.x refers to "orders department email address" at General settings/Company options/Company emails section. You need to have a valid email address in that setting to fix the issue.<br />
<br />
====X-Cart isn't Synchronizing PayPal Payments PRO payment methods from X-Payments====<br />
<br />
Trying to update payment processor on the back end of the store in the X-Payments Connector. In the backend of the X-Payments Admin, there is a new payment method enabled- PayPal Payments Pro. Virtual Merchant will no longer be used. See screenshot in the attachment.<br />
<br />
On the backend of the site, once I try to Synchronize Payment Methods, the screen quickly shows options available to sync the new payment method. I have options to "set orders for..." then the options quickly disappear. There is a screenshot attached.<br />
<br />
So with that, once I try to synchronize, the system won't allow me. The old payment method still remains (although it hasn't been deleted in the X-Payment Admin Backend) but the new method SHOULD appear once they are synchronized, showing TWO payment methods on the backend of the store, with the option for me to enable either one.<br />
<br />
<br />
'''Solution:'''<br />
<br />
X-Cart 4 have some restrictions of PayPal usage, so that you need to first add PayPal Pro methods inside X-Cart and configure them using the same credentials like in X-Payments. Re-sync methods after that and you'll see the PayPal.<br />
<br />
====There are connection problems between your shopping cart and X-Payments at the time when a customer pays====<br />
<br />
Your cart cannot connect to X-Payments some times and your customers see "Internal error" displayed.<br />
<br />
'''Solution:'''<br />
<br />
Make sure your cart server can connect to X-Payments server at all times (especially during your site high load times of a day).<br />
<br />
==="Callback to online store is failed" notification and now all credit card transactions are failing===<br />
<br />
You receive below notifications from X-Payments<br />
<br />
<source><br />
"Callback to online store is failed. This notification has been sent by X-Payments installation at 'www.mysite.com'"<br />
</source><br />
<br />
and now all credit card transactions are failing and the credit card fields for secure checkout on your website are missing.<br />
<br />
<br />
'''Solution:'''<br />
<br />
Most likely you regenerated [[X-Payments:Encryption_keys | encryption codes in X-Payments]] but neglected to update the information in X-Cart, hence the credit card fields are not loading when the customer is attempting to use a credit card for payment.<br />
<br />
To remedy this go into X-Payments, copy the new encryption codes and paste them into X-Cart in the appropriate fields (Payment Methods → Credit Card → X-Payments connector module settings, see [http://help.x-cart.com/index.php?title=X-Cart:X-Payments_Connector#Configuring_X-Payments_Connector Configuring X-Payments Connector]).<br />
<br />
===Fatal error: Access to undeclared static property: XPay_Model_Base_Module::$this===<br />
<br />
You started to see error messages like below instead of working X-Payments.<br />
<br />
<source><br />
Fatal error: Access to undeclared static property: XPay_Model_Base_Module::$this in /xxxxxxxxxxx/lib/XPay/Model/Base/Module.php on line 153<br />
or<br />
Fatal error: Access to undeclared static property: XPay_Model_Base_Module::$this in /xxxxxxxxxxx/lib/XPay/Model/Base/Module.php on line 131<br />
</source><br />
<br />
'''Solution:'''<br />
<br />
It is due to updating PHP to v 5.4.<br />
<br />
To fix the problem, in lines 131 and 153 of<br />
<br />
<xpayments_dir>/lib/XPay/Model/Base/Module.php<br />
<br />
change<br />
<br />
<source><br />
self::$this-><br />
</source><br />
<br />
to<br />
<br />
<source><br />
$this-><br />
</source><br />
<br />
===My X-Payments doesn't store customers credit cards/X-Payments subscriptions module doesn't work===<br />
<br />
So "Store credit card" functionality or X-Payments Subscriptions module doesn't work in your shopping cart despite of you integrated it with X-Payments?<br />
<br />
'''Solution:'''<br />
<br />
# Make sure you use X-Payments v2.x because X-Payments v1.x doesn't support this functionality.<br />
# Make sure you use a payment gateway that supports so called "tokenization" in X-Payments v2.x - see the list of such payment gateways at [[X-Payments:Supported_payment_gateways]]. They have "+" in "Tokenization" column. "-" means tokenization is not supported for a payment gateway.<br />
# So you do use X-Payments v2.x and a payment gateway that supports tokenization in X-Payments? Please make sure tokenization functionality is enabled for your payment gateway account at payment gateway side. Sometimes payment gateways call it differently, e.g. "vault", "Transformer", etc. If you are not sure - contact your payment gateway to enable tokenization for your payment gateway.<br />
<br />
===Customer CC expires in 2022 - X-Payments stops at 2020===<br />
<br />
We just had a customer call in. He could not check out because our X-Payments payment page would not allow him to enter the expiration year of 2022 for his credit card. Our X-Payments only goes up to 2020.<br />
<br />
<br />
'''Solution:'''<br />
<br />
You need to change YEAR_RANGE from 7 to 10 for example in file lib/XPay/View/Payment/Main.php<br />
<br />
// Years list range<br />
<br />
const YEAR_RANGE = 7<br />
<br />
===White screen or HTTP 500 Internal server error instead of admin dashboard===<br />
<br />
You see white screen after logging in X-Payments admin dashboard.<br />
<br />
'''Solution:'''<br />
<br />
Some PHP packages contain a bug that causes "White screen" or HTTP 500 Internal server error when PHP operates with the database via PDO. If you experience such issue contact your hosting support referring to:<br />
<br />
https://bugs.php.net/bug.php?id=60825<br />
https://bugs.php.net/bug.php?id=53716<br />
<br />
===Magento: cannot test module connection or payment methods cannot be imported===<br />
<br />
You copied all configuration data from X-Payments properly but in Magento admin you see below message when you click "Test module" button<br />
Test transaction failed. Please check the X-Payment Connector settings and try again. If all options is ok review your X-Payments settings and make sure you have properly defined shopping cart properties.<br />
<br />
Or a message that payment methods cannot be imported when you click "Request payment methods" button.<br />
<br />
'''Solution:'''<br />
<br />
Possible reason - you do not have a valid SSL certificate installed for your X-Payments. Self-signed SSL cannot pass libCurl validation and thus prevent connection between Magento and X-Payments, too. You need to install a valid SSL certificate at X-Payments server.<br />
<br />
'''NOTE:''' users of our hosted X-Payments plans are safe since we provide SSL by default.<br />
<br />
===Google Chrome v41.0.2272.76 detects X-Payments v2.1 credit card form as a mobile site on desktops===<br />
<br />
After the update of the Google Chrome web browser to version 41.0.2272.76, the credit card form provided to your site by X-Payments v2.1 may be displayed incorrectly for Google Chrome users. <br />
The problem behind this is that the value of the user-agent header sent by Chrome has changed, which causes X-Payments to identify the browser as running on a mobile device, even when, if fact, it is running on a PC. The result is that the credit card form is corrupted like on these screen shots:<br />
<br />
- http://awesomescreenshot.com/0724kkas56<br />
- http://awesomescreenshot.com/04f4kkaq18<br />
<br />
<br />
'''Solution:'''<br />
<br />
To fix the issue, you need to update the Mobile Detect library in your X-Payments installation so the list of supported user agents is relevant. For that you should replace the file<br />
<xpayments-dir>/lib/MobileDetect.php with this one: https://drive.google.com/file/d/0B6p7sehSZL8_QUN6VmRVMHpxaFE/view?usp=sharing (should be done via SFTP, SSH, Control panel, etc.)<br />
<br />
If you find it difficult to apply the changes yourself please contact our Tech Support team using https://secure.x-cart.com.<br />
<br />
===Trouble with credit card logos in iFrame template for X-Cart 5===<br />
<br />
You use X-Cart 5 integrated with X-Payments v2.x and see credit card logos displayed like [https://drive.google.com/a/x-cart.com/file/d/0B6p7sehSZL8_T1kyQ0RCNS1nWDA/view?usp=sharing this in checkout] using Mac Safari or iPad.<br />
<br />
'''Solution'''<br />
<br />
Replace files fast.css and xc5.css in folder <x-pay_dir>/public/templates/ with these:<br />
<br />
https://drive.google.com/a/x-cart.com/folderview?id=0B6p7sehSZL8_OUVTeUtCUkFjY2M&usp=sharing<br />
<br />
<br />
===My entire shop is run in an iFrame and X-Payments does not display "Pay" button===<br />
<br />
There is a special code in X-Payments that hides "Pay" button if it the payment form is shown inside iframe.<br />
In your case the whole store is placed inside iframe and that triggers the special code.<br />
Easiest workaround which will not affect other stores connected to the X-Payments is to edit the template file css (I presume you use default.css) and where<br />
<br />
<pre><br />
div.content div.buttonRow {<br />
margin: 35px auto;<br />
width: 400px;<br />
}<br />
</pre><br />
<br />
you should add<br />
<br />
<pre><br />
display: block !important;<br />
</pre><br />
<br />
e.g. after correction that code will look like<br />
<br />
<pre><br />
div.content div.buttonRow {<br />
margin: 35px auto;<br />
width: 400px;<br />
display: block !important;<br />
}<br />
</pre><br />
<br />
Do not forget to approve the changes in the admin back-end afterwards.<br />
<br />
<br />
===X-Payments credit card form does not fit properly on Android tablet screen when used in iFrame in X-Cart 4 OPC===<br />
<br />
X-Payments credit card form is displayed as shown on [https://drive.google.com/file/d/0B6p7sehSZL8_ZDhac2JNVWxlQ1E/view?usp=sharing this screen shot].<br />
<br />
The reason is X-Cart 4 OPC shows desktop version of the site checkout while X-Payments shows mobile checkout template which is wider than needed for XC4 desktop OPC.<br />
<br />
'''Solution'''<br />
<br />
Apply [https://drive.google.com/file/d/0B6p7sehSZL8_c0JmYjhaRi1ITEE/view?usp=sharing this patch] to X-Payments connector files in your X-Cart 4.<br />
<br /><br />
<br />
===How to test payments via PayPal in X-Payments===<br />
<br />
There is a list of credit card numbers in the PayPal guides which many people assume can be used when processing credit card transactions through PayPal. However, many of these card numbers have been blocked from PayPal system in one fashion or another (e.g. delay processing a lot so integrated software like X-Cart or Magento just fails to place a test transaction), so general advice is "don't use those card numbers".<br />
<br />
In general, when testing credit card transactions with PayPal as the processor, it is recommended using a randomized credit card number. The number<br />
must have a valid BIN, a valid check digit, and must be the correct length for the card type, but aside from that, the card number can be random. <br />
You can get such random test credit card numbers at http://getcreditcardnumbers.com<br />
<br />
==="The TxnID field is missing or incorrect" message after upgrading to a new connector version in Magento===<br />
<br />
If after upgrading Magento connector to a new version and placing a new order you see an error message "The txnID field is missing or incorrect" instead of successful "Thank you for your order" page you need to clean/purge Magento's cache in your shop in the admin back-end. Consult with Magento user manual how to do that.<br />
<br />
===Browser warning about wrong SSL certificate pops up===<br />
<br />
If your browser shows a pop-up with warning about SSL certificate every time you test a transaction via X-Payments - this means your store installation has self-made/dummy SSL certificate. It is fine during testing, but you need to upgrade it to a real SSL certificate when your site goes live. <br />
During testing just add that SSL certificate to exclusions in your browser in order not to see that warning every time you place a test transaction via X-Payments. This won't help you to hide that message from your shoppers though. The warning is not shown by a browser if a real SSL certificate is used.<br />
<br />
==="X-Payments tried to notify the store about updates in payment but failed" notification===<br />
<br />
You receive notifications that say "X-Payments tried to notify the store about updates in payment but failed ...".<br />
<br />
They mean X-Payments callback requests have failed because of timeout or because your online shop site is not reachable by X-Payments.<br />
<br />
In the 1st case the store didn't respond within 15 seconds coded by default in X-Payments, but the logs from the side of the store for these requests say, that the requests were received and processed with no errors. It means, that communication between the store and X-Payments actually works, but it takes to long for the store to respond. As a quick solution for this very reason it is recommended to increase the timeout limits in your X-Payments installation:<br />
If X-Payments 2.x - in file lib/XPay/Model/Payment.php by changing "15" in a line of code that looks like to a bigger value (max 60):<br />
<code><br />
$requestData->setTimeout(15);<br />
</code><br />
<br />
If X-Payments 3.x - in file config/config.ini.php in section [callback] change value of wait_timeout param:<br />
<code><br />
[callback]<br />
<br />
; Wait timeout for callback requests to the shopping cart (in seconds)<br />
wait_timeout=15<br />
</code><br />
<br />
If you do not have access to your X-Payments installation code - contact vendors of the software by posting them a technical support ticket via https://secure.x-cart.com.<br />
<br />
But the right solution is to figure out why your web site does not respond to X-Payments callbacks within 15 seconds.<br />
<br />
In the 2nd case it might be firewall blocking X-Payments callback requests or your web shop was down for some time.<br />
<br />
==="No Payment Methods Available" message shown to a customer===<br />
<br />
A customer cannot place an order as he/she is displayed a message "No Payment Methods Available" at checkout and at the same time you see an error message "Data validation error, node "request": String length ("266342") exceeds the maximum allowed length for this node - "100000" in X-Payments error log file.<br />
<br />
'''Reason'''<br />
<br />
A shopper added too many line items (different products) to his/her cart ("too many" - e.g. over a thousand) and as result data passed to X-Payments exceeds amount it is configured to accept for security reasons.<br />
<br />
<br />
'''Solution'''<br />
<br />
1) a customer should divide his order in several with less number of line items and process them one by one.<br />
<br />
2) if you face to this issue too often you can increase amount of data allowed to be processed by X-Payments by changing value of constant REQUEST_MAX_LENGTH in X-Payments file lib/XPay/Transport/Request/Api.php, but we do not recommend to large value there for security reasons.<br />
<br />
===Payflow PRO currency issue===<br />
<br />
'''NOTE''': do not confuse this with PayPal Payments PRO (PayFlow API)! There is PayFlow PRO integration, too. We are talking about PayFlow PRO here.<br />
<br />
You need to process payments via PayFlow PRO in other currency than USD, but there is no way to change it. You configured integrated cart in e.g. CAD but X-Payments passes data to PayFlow PRO as USD. This is caused by features of PayFlow PRO API - no exact requirements about passing currency type to PayFlow PRO - sometimes it can be passed as "CUR", sometimes as "CU", etc depending on payment processor you have configured at PayFlow PRO back-end.<br />
<br />
'''Solution'''<br />
<br />
1) Switch to PayPal Payments Pro (Payflow API) integration instead of PayFlow PRO in X-Payments.<br />
<br />
or<br />
<br />
2) change code of X-Payments as follows:<br />
in file lib/XPay/Module/PayflowPro.php find function<br />
<br />
<pre><br />
private function getInitRequestBody(XPay_Transport_GatewayRequest $request)<br />
</pre><br />
<br />
In the function find lines<br />
<br />
<pre><br />
...<br />
$fields = array(<br />
'TRXTYPE' => XPay_Model_PaymentTransaction::SALE == $request->action ? 'S' : 'A',<br />
'AMT' => $this->preparePrice($request->payment->get('total')),<br />
'TAXAMT' => $this->preparePrice($additionalData->get('tax_cost')),<br />
...<br />
</pre><br />
<br />
and add a line of code<br />
<br />
<pre><br />
'CURRENCY' => $request->payment->get('currency'),<br />
</pre><br />
<br />
to get something like <br />
<br />
<pre><br />
'TRXTYPE' => XPay_Model_PaymentTransaction::SALE == $request->action ? 'S' : 'A',<br />
'CURRENCY' => $request->payment->get('currency'),<br />
'AMT' => $this->preparePrice($request->payment->get('total')),<br />
'TAXAMT' => $this->preparePrice($additionalData->get('tax_cost')),<br />
</pre><br />
<br />
The above tweak will work if "PayPal" is configured as the gateway in your PayFlow PRO account.<br />
<br />
For others you should directly specify currency in format required by payment gateway.<br />
<br />
E.g.<br />
<pre><br />
'CURRENCY' => 'USD',<br />
</pre><br />
<br />
<br />
===X-Cart 5 and Exception message: Shopping cart server returned wrong HTTP headers for callback.===<br />
<br />
You use X-Cart 5 and see below error message or error log entry at X-Cart 5 side:<br />
<br />
<pre><br />
Failed to send "check_cart" callback to the store "mydomain.com"<br />
Url: https://www.example.com/cart.php?target=callback&action=callback&xpcBackReference=ABCDEFGHIJKL<br />
Exception message: Shopping cart server returned wrong HTTP headers for callback.<br />
</pre><br />
<br />
'''Solution''':<br />
<br />
Most likely you try to test X-Payments with X-Cart 5 storefront closed. If so, in X-Cart 5 file etc/config.php find below piece of code:<br />
<br />
<pre><br />
[storefront_options]<br />
; Do not close target=callback for payments if storefront is closed<br />
callback_opened = Off<br />
</pre><br />
<br />
and change "Off" to "On" there.<br />
<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
[[Category:X-Payments User Manual]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:Troubleshooting&diff=630X-Payments:Troubleshooting2016-05-05T12:48:56Z<p>Alex “Ambal” Mulin: /* "X-Payments tried to notify the store about updates in payment but failed" notification */</p>
<hr />
<div><noinclude>{{Template:XP manual TOC}}</noinclude><br />
==Troubleshooting==<br />
<br />
===X-Payments 1.x installation process fails on a Windows server===<br />
If X-Payments 1.x installation fails on a Windows server, try replacing the following line from install.php:<br />
<pre>define('XP_DIR', rtrim(realpath(dirname(__FILE__)), XP_DS) . XP_DS);</pre><br />
with this line:<br />
<pre>define('XP_DIR', rtrim(dirname(__FILE__), XP_DS) . XP_DS);</pre><br />
<br />
===Warning: require_once(/home/user/public_html/xpayments/lib/PDO.php)===<br />
<br />
I am trying to install the X-Payments module but receive the following error on step 2 of the installation process:<br />
<br />
Warning: require_once(/home/user/public_html/xpayments/lib/PDO.php) [function.require-once]: failed to open stream: No such file or directory in /home/user/public_html/xpayments/top.inc.PHP53.php on line 84<br />
<br />
Fatal error: require_once() [function.require]: Failed opening required '/home/user/public_html/xpayments/lib/PDO.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/user/public_html/xpayments/top.inc.PHP53.php on line 84<br />
<br />
<br />
<b>Solution:</b><br />
<br />
It looks like the problem is related to the current PHP configuration on your server.<br />
<br />
PHP is currently compiled with the necessary extensions:<br />
<br />
'--enable-pdo=shared'<br />
'--with-pdo-mysql=shared'<br />
'--with-pdo-sqlite=shared'<br />
<br />
However, X-Payments requires a bit different type of PHP configuration. PDO extension, as well as the MySQL PDO driver, needs to be installed as a shared module. In other words your php.ini file needs to be updated so that the PDO extensions will be loaded automatically when PHP runs:<br />
<br />
extension=php_pdo.so<br />
extension=php_pdo_mysql.so<br />
<br />
See also:<br />
* http://php.net/manual/en/pdo.installation.php<br />
<br />
Please share this info with your server administrator and ask them to make the necessary changes in your PHP configuration.<br />
<br />
===cron.php: X-Payments is using a non-secure protocol error===<br />
<br />
I have tried everything to get the x payments cron.php working, but it is not working and we are getting this error:<br />
<br />
ERROR [2012-25-06 12:23:01]<br />
User: unknown; IP: unknown<br />
Zone: Core<br />
Code: NONSECURE_PROTOCOL (237)<br />
X-Payments is using a non-secure protocol<br />
<br />
Affected systems: Core/Defender.php file (60:assert); Application.php file (133:check); /home/user/public_html/xpayments/cron.php file (26:run)<br />
<br />
<b>Solution:</b><br />
<br />
Wrong PHP binary is used to run cron.php script. You need to run cron.php using so called "CLI" version of PHP. Ask your hosting administrator to tell where PHP CLI is located on your server and configure cron to run cron.php script using PHP CLI version.<br />
<br />
<br />
===Duplicate charges===<br />
<br />
X-Payments v1.0.5 may have this issue under certain circumstances (iFrame checkout option aka "Lite interface" is enabled). Reason is that customers don't see an obvious sign that their payment is being processed after they entered their details and clicked "Submit" button so they click once again. This may create duplicate charges with some payment processors supported by X-Payments.<br />
<br />
<b>Solution:</b><br />
<br />
Apply below patches to<br />
<br />
1) front-end templates of your X-Payments:<br />
<br />
[[File:Xp.105.diff]]<br />
<br />
2) X-Cart connector:<br />
<br />
[[File:Xc.454.diff]]<br />
<br />
<br />
See how to apply patches at [http://help.x-cart.com/index.php?title=X-Cart:To_apply_a_patch_manually X-Cart:To apply a patch manually]<br />
<br />
<b>Note:</b><br />
You do not need to apply the above patches if your X-Payments version is not v1.0.5 and if you do not use iFrame checkout provided by X-Payments.<br />
<br />
===Empty or 404 page at Magento admin back-end===<br />
<br />
If you see empty or 404 page at System -> Configuration -> X-Payments connector after installation do the following:<br />
<br />
1) Clear cache:<br />
System -> Cache Management<br />
<br />
2) Logout and login admin area again<br />
<br />
3) Then go to System -> Permissions -> Roles and click on "Administrators", then in a popup/new window click "Save Role".<br />
That's it.<br />
<br />
===My store background image does not carry over to X-Payments checkout area template===<br />
<br />
'''Solution:'''<br />
<br />
Make sure if the background image parameter in your X-Payments checkout skin is set as direct URL to your store image.<br />
<br />
X-Payments checkout skin CSS file includes the following class used to display the header of integrated store pages:<br />
<br />
#header .line1 .logo {<br />
background: url("../../skin/artistictunes_car_tires/css/../images/custom/top_image1.jpg") no-repeat scroll left top #000000;<br />
height: 240px;<br />
margin-left: 0;<br />
padding-top: 0;<br />
position: relative;<br />
width: auto;<br />
}<br />
<br />
For example, one of the possible solutions - modify the code of the generated CSS file, and change the default background image URL:<br />
<br />
"../../skin/artistictunes_car_tires/css/../images/custom/top_image1.jpg"<br />
<br />
to e.g. this one:<br />
<br />
"https://yourshopdomain.com/xcart/skin/artistictunes_car_tires/images/custom/top_image1.jpg"<br />
<br />
===X-Payments error (code: 843): Unallowed target===<br />
<br />
This type of error may appear in X-Cart versions prior to 4.5.0.<br />
You see below error message and X-Payments log file entry when using "Test connection" and "Request payment methods" buttons:<br />
<br />
Error message:<br />
<br />
<source><br />
- X-Payments error (code: 843): Unallowed target - ""<br />
</source><br />
<br />
X-Payments log file entry:<br />
<br />
<source><br />
-----------------------------------<br />
ERROR [2013-11-05 00:11:49]<br />
User: shopping cart (%%%%%%%%%%%); IP: %%%%%%%%%%%%<br />
Zone: Model<br />
Code: TARGET_UNALLOWED (843)<br />
Unallowed target - ""<br />
-----------------------------------<br />
</source><br />
<br />
<b>Solution:</b><br />
<br />
Check if you have correct charset code specified in "Charset" field on X-Cart admin back-end -> Content -> Languages -> Your store language page.<br />
See how to manage languages in X-Cart [[http://help.x-cart.com/index.php?title=X-Cart:Managing_Languages | here]].<br />
<br />
<br />
===Sage Pay - Reason: 4020 : Information received from an Invalid IP address===<br />
<br />
This is caused by a wrong IP for callbacks set in your Sage Pay account.<br />
<br />
If you are using X-Payments Hosted plan (Basic, PRO or Multistore) you need to add the IP address of 98.142.211.162 in your SagePay merchant backend on the Settings -> Valid IPs page.<br />
<br />
If you are using a downloadable X-Payments license - you need to enter IP address of the server where your X-Payments copy is deployed. See [[X-Payments:How_It_Works#Callback_from_X-Payments_to_the_store | this article]] to understand X-Payments callbacks.<br />
<br />
===No credit card form displayed when a customer pays===<br />
<br />
====Error message at checkout instead of credit card form====<br />
<br />
You've made a change in credit card form template at X-Payments side and now your checkout doesn't work?<br />
<br />
This is the most probable situation with such type of errors during checkout via X-Payments. You've made a change in X-Payments credit card form and forgot to approve it at X-Payments admin back-end. As result X-Payments cannot process credit cards as it sees some changes in templates, but they are not approved by you, i.e. the admin user. Such approval process is implemented in X-Payments for security reasons. See also [[X-Payments:User_manual#Customizing_the_Interface]]<br />
<br />
'''Solution:'''<br />
<br />
Go into admin back-end dashboard and '''log in as the main admin user''' and check if it displays a warning about "Payment interface files have been modified" like below<br />
[[File:Warning_customer_interface_changed.png]]<br />
<br />
If yes, '''click "Approve" link''' in the warning text and everything is set now.<br />
<br />
====No payment methods are displayed in the X-Payments connector settings====<br />
<br />
So you deployed the configuration bundle copied from the X-Payments dashboard but do not see any payment methods in X-Cart on the X-Payments connector settings page.<br /><br />
Your checkout via X-Payments does not work either.<br />
<br />
'''Solution:'''<br />
Make sure the online store is enabled in the X-Payments Admin back end and has at least one payment method enabled for it.<br />
<br />
[[File:Xp_admin_backend.png|border|668px|]]<br />
<br />
====CyberSource Internal Error====<br />
<br />
Do you use CyberSource and get "Internal Error" on the checkout page along with below error within the X-Payments error log?<br />
<br />
<source><br />
<br />
ERROR [2012-13-12 17:27:17]<br />
User: unknown; IP: 68.184.224.121<br />
Zone: Transport<br />
Code: FILE_NOT_ACCESSIBLE (109)<br />
File "Path/to/the/cybersource/security/key/txt/file" does not exist or is not readable<br />
<br />
</source><br />
<br />
<b>Solution:</b><br />
<br />
Make sure you specified the right **server** path to the Cybersource key file on the [[X-Payments:CyberSourceSOAP | "CyberSource SOAP toolkit API" configuration page]], and it is readable by HTTP daemon on your X-Payments server.<br />
<br />
====You use Hosted X-Payments plans and run out of bandwidth====<br />
<br />
Congratulations! Your amount of transactions is impressive indeed! Most likely you used all bandwidth we provide for X-Payments Hosted accounts.<br />
<br />
'''Solution''':<br />
<br />
Please contact us using your HelpDesk account regarding the issue and we will consult you how to increase your bandwidth. Also, you should consider either upgrading to larger X-Payments Hosted plan or using X-Payments downloadable license that you can host yourself.<br />
<br />
====You use Hosted X-Payments plans and run out of disk space====<br />
<br />
One more reason for Hosted X-Payments plans can be you've run out of disk space we provide with every plan - check X-Payments folder at your X-Payments Hosted account (see [[X-Payments:X-Payments-Hosted-FAQ]]).<br />
<br />
'''Solution:'''<br />
<br />
Download logs files from your X-Payments Hosted account (see [[X-Payments:FAQ#Where_can_I_find_X-Payments_logs.3F]]) and remove them at X-Payments server to clear up some space.<br />
<br />
====Your integrated shopping cart does not pass all customer profile fields to X-Payments correctly====<br />
<br />
E.g. in X-Cart you can configure some vital for X-Payments customer profile fields (e.g. zipcode, address, email) as optional and your customers can miss them and do not fill in them with data during checkout. Thus X-Cart passes empty values for those data fields and X-Payments fails to process a transaction. X-Payments connector usually shows below warning<br />
<br />
[[File:Warning_profile_fields_XP_connector.png]]<br />
<br />
<br />
'''Solution:'''<br />
<br />
Either make such customer profile fields mandatory for checkout in your cart or customize your cart connector for X-Payments to pass non-empty values if they should not be mandatory for your checkout routine and customers can leave such profile fields empty.<br />
<br />
====PayPal PRO integration does not work in X-Cart 4.x====<br />
<br />
You followed [http://help.x-cart.com/index.php?title=X-Cart:Adding_and_enabling_PayPal_payment_methods_in_X-Cart Adding and enabling PayPal payment methods in X-Cart] and [[X-Payments:Configuring_PayPal_payment_modules_in_X-Payments]], made sure all configuration settings are set correctly, but PayPal PRO still does not work for you and you see "Internal error" message when you use X-Payments in iFrame mode or see "Internal error (The merchantEmail is missing or incorrect)" error message when X-Payments is configured as a separate page in your X-Cart checkout routine.<br />
<br />
'''Solution:'''<br />
<br />
PayPal module in X-Cart v4.x refers to "orders department email address" at General settings/Company options/Company emails section. You need to have a valid email address in that setting to fix the issue.<br />
<br />
====X-Cart isn't Synchronizing PayPal Payments PRO payment methods from X-Payments====<br />
<br />
Trying to update payment processor on the back end of the store in the X-Payments Connector. In the backend of the X-Payments Admin, there is a new payment method enabled- PayPal Payments Pro. Virtual Merchant will no longer be used. See screenshot in the attachment.<br />
<br />
On the backend of the site, once I try to Synchronize Payment Methods, the screen quickly shows options available to sync the new payment method. I have options to "set orders for..." then the options quickly disappear. There is a screenshot attached.<br />
<br />
So with that, once I try to synchronize, the system won't allow me. The old payment method still remains (although it hasn't been deleted in the X-Payment Admin Backend) but the new method SHOULD appear once they are synchronized, showing TWO payment methods on the backend of the store, with the option for me to enable either one.<br />
<br />
<br />
'''Solution:'''<br />
<br />
X-Cart 4 have some restrictions of PayPal usage, so that you need to first add PayPal Pro methods inside X-Cart and configure them using the same credentials like in X-Payments. Re-sync methods after that and you'll see the PayPal.<br />
<br />
====There are connection problems between your shopping cart and X-Payments at the time when a customer pays====<br />
<br />
Your cart cannot connect to X-Payments some times and your customers see "Internal error" displayed.<br />
<br />
'''Solution:'''<br />
<br />
Make sure your cart server can connect to X-Payments server at all times (especially during your site high load times of a day).<br />
<br />
==="Callback to online store is failed" notification and now all credit card transactions are failing===<br />
<br />
You receive below notifications from X-Payments<br />
<br />
<source><br />
"Callback to online store is failed. This notification has been sent by X-Payments installation at 'www.mysite.com'"<br />
</source><br />
<br />
and now all credit card transactions are failing and the credit card fields for secure checkout on your website are missing.<br />
<br />
<br />
'''Solution:'''<br />
<br />
Most likely you regenerated [[X-Payments:Encryption_keys | encryption codes in X-Payments]] but neglected to update the information in X-Cart, hence the credit card fields are not loading when the customer is attempting to use a credit card for payment.<br />
<br />
To remedy this go into X-Payments, copy the new encryption codes and paste them into X-Cart in the appropriate fields (Payment Methods → Credit Card → X-Payments connector module settings, see [http://help.x-cart.com/index.php?title=X-Cart:X-Payments_Connector#Configuring_X-Payments_Connector Configuring X-Payments Connector]).<br />
<br />
===Fatal error: Access to undeclared static property: XPay_Model_Base_Module::$this===<br />
<br />
You started to see error messages like below instead of working X-Payments.<br />
<br />
<source><br />
Fatal error: Access to undeclared static property: XPay_Model_Base_Module::$this in /xxxxxxxxxxx/lib/XPay/Model/Base/Module.php on line 153<br />
or<br />
Fatal error: Access to undeclared static property: XPay_Model_Base_Module::$this in /xxxxxxxxxxx/lib/XPay/Model/Base/Module.php on line 131<br />
</source><br />
<br />
'''Solution:'''<br />
<br />
It is due to updating PHP to v 5.4.<br />
<br />
To fix the problem, in lines 131 and 153 of<br />
<br />
<xpayments_dir>/lib/XPay/Model/Base/Module.php<br />
<br />
change<br />
<br />
<source><br />
self::$this-><br />
</source><br />
<br />
to<br />
<br />
<source><br />
$this-><br />
</source><br />
<br />
===My X-Payments doesn't store customers credit cards/X-Payments subscriptions module doesn't work===<br />
<br />
So "Store credit card" functionality or X-Payments Subscriptions module doesn't work in your shopping cart despite of you integrated it with X-Payments?<br />
<br />
'''Solution:'''<br />
<br />
# Make sure you use X-Payments v2.x because X-Payments v1.x doesn't support this functionality.<br />
# Make sure you use a payment gateway that supports so called "tokenization" in X-Payments v2.x - see the list of such payment gateways at [[X-Payments:Supported_payment_gateways]]. They have "+" in "Tokenization" column. "-" means tokenization is not supported for a payment gateway.<br />
# So you do use X-Payments v2.x and a payment gateway that supports tokenization in X-Payments? Please make sure tokenization functionality is enabled for your payment gateway account at payment gateway side. Sometimes payment gateways call it differently, e.g. "vault", "Transformer", etc. If you are not sure - contact your payment gateway to enable tokenization for your payment gateway.<br />
<br />
===Customer CC expires in 2022 - X-Payments stops at 2020===<br />
<br />
We just had a customer call in. He could not check out because our X-Payments payment page would not allow him to enter the expiration year of 2022 for his credit card. Our X-Payments only goes up to 2020.<br />
<br />
<br />
'''Solution:'''<br />
<br />
You need to change YEAR_RANGE from 7 to 10 for example in file lib/XPay/View/Payment/Main.php<br />
<br />
// Years list range<br />
<br />
const YEAR_RANGE = 7<br />
<br />
===White screen or HTTP 500 Internal server error instead of admin dashboard===<br />
<br />
You see white screen after logging in X-Payments admin dashboard.<br />
<br />
'''Solution:'''<br />
<br />
Some PHP packages contain a bug that causes "White screen" or HTTP 500 Internal server error when PHP operates with the database via PDO. If you experience such issue contact your hosting support referring to:<br />
<br />
https://bugs.php.net/bug.php?id=60825<br />
https://bugs.php.net/bug.php?id=53716<br />
<br />
===Magento: cannot test module connection or payment methods cannot be imported===<br />
<br />
You copied all configuration data from X-Payments properly but in Magento admin you see below message when you click "Test module" button<br />
Test transaction failed. Please check the X-Payment Connector settings and try again. If all options is ok review your X-Payments settings and make sure you have properly defined shopping cart properties.<br />
<br />
Or a message that payment methods cannot be imported when you click "Request payment methods" button.<br />
<br />
'''Solution:'''<br />
<br />
Possible reason - you do not have a valid SSL certificate installed for your X-Payments. Self-signed SSL cannot pass libCurl validation and thus prevent connection between Magento and X-Payments, too. You need to install a valid SSL certificate at X-Payments server.<br />
<br />
'''NOTE:''' users of our hosted X-Payments plans are safe since we provide SSL by default.<br />
<br />
===Google Chrome v41.0.2272.76 detects X-Payments v2.1 credit card form as a mobile site on desktops===<br />
<br />
After the update of the Google Chrome web browser to version 41.0.2272.76, the credit card form provided to your site by X-Payments v2.1 may be displayed incorrectly for Google Chrome users. <br />
The problem behind this is that the value of the user-agent header sent by Chrome has changed, which causes X-Payments to identify the browser as running on a mobile device, even when, if fact, it is running on a PC. The result is that the credit card form is corrupted like on these screen shots:<br />
<br />
- http://awesomescreenshot.com/0724kkas56<br />
- http://awesomescreenshot.com/04f4kkaq18<br />
<br />
<br />
'''Solution:'''<br />
<br />
To fix the issue, you need to update the Mobile Detect library in your X-Payments installation so the list of supported user agents is relevant. For that you should replace the file<br />
<xpayments-dir>/lib/MobileDetect.php with this one: https://drive.google.com/file/d/0B6p7sehSZL8_QUN6VmRVMHpxaFE/view?usp=sharing (should be done via SFTP, SSH, Control panel, etc.)<br />
<br />
If you find it difficult to apply the changes yourself please contact our Tech Support team using https://secure.x-cart.com.<br />
<br />
===Trouble with credit card logos in iFrame template for X-Cart 5===<br />
<br />
You use X-Cart 5 integrated with X-Payments v2.x and see credit card logos displayed like [https://drive.google.com/a/x-cart.com/file/d/0B6p7sehSZL8_T1kyQ0RCNS1nWDA/view?usp=sharing this in checkout] using Mac Safari or iPad.<br />
<br />
'''Solution'''<br />
<br />
Replace files fast.css and xc5.css in folder <x-pay_dir>/public/templates/ with these:<br />
<br />
https://drive.google.com/a/x-cart.com/folderview?id=0B6p7sehSZL8_OUVTeUtCUkFjY2M&usp=sharing<br />
<br />
<br />
===My entire shop is run in an iFrame and X-Payments does not display "Pay" button===<br />
<br />
There is a special code in X-Payments that hides "Pay" button if it the payment form is shown inside iframe.<br />
In your case the whole store is placed inside iframe and that triggers the special code.<br />
Easiest workaround which will not affect other stores connected to the X-Payments is to edit the template file css (I presume you use default.css) and where<br />
<br />
<pre><br />
div.content div.buttonRow {<br />
margin: 35px auto;<br />
width: 400px;<br />
}<br />
</pre><br />
<br />
you should add<br />
<br />
<pre><br />
display: block !important;<br />
</pre><br />
<br />
e.g. after correction that code will look like<br />
<br />
<pre><br />
div.content div.buttonRow {<br />
margin: 35px auto;<br />
width: 400px;<br />
display: block !important;<br />
}<br />
</pre><br />
<br />
Do not forget to approve the changes in the admin back-end afterwards.<br />
<br />
<br />
===X-Payments credit card form does not fit properly on Android tablet screen when used in iFrame in X-Cart 4 OPC===<br />
<br />
X-Payments credit card form is displayed as shown on [https://drive.google.com/file/d/0B6p7sehSZL8_ZDhac2JNVWxlQ1E/view?usp=sharing this screen shot].<br />
<br />
The reason is X-Cart 4 OPC shows desktop version of the site checkout while X-Payments shows mobile checkout template which is wider than needed for XC4 desktop OPC.<br />
<br />
'''Solution'''<br />
<br />
Apply [https://drive.google.com/file/d/0B6p7sehSZL8_c0JmYjhaRi1ITEE/view?usp=sharing this patch] to X-Payments connector files in your X-Cart 4.<br />
<br /><br />
<br />
===How to test payments via PayPal in X-Payments===<br />
<br />
There is a list of credit card numbers in the PayPal guides which many people assume can be used when processing credit card transactions through PayPal. However, many of these card numbers have been blocked from PayPal system in one fashion or another (e.g. delay processing a lot so integrated software like X-Cart or Magento just fails to place a test transaction), so general advice is "don't use those card numbers".<br />
<br />
In general, when testing credit card transactions with PayPal as the processor, it is recommended using a randomized credit card number. The number<br />
must have a valid BIN, a valid check digit, and must be the correct length for the card type, but aside from that, the card number can be random. <br />
You can get such random test credit card numbers at http://getcreditcardnumbers.com<br />
<br />
==="The TxnID field is missing or incorrect" message after upgrading to a new connector version in Magento===<br />
<br />
If after upgrading Magento connector to a new version and placing a new order you see an error message "The txnID field is missing or incorrect" instead of successful "Thank you for your order" page you need to clean/purge Magento's cache in your shop in the admin back-end. Consult with Magento user manual how to do that.<br />
<br />
===Browser warning about wrong SSL certificate pops up===<br />
<br />
If your browser shows a pop-up with warning about SSL certificate every time you test a transaction via X-Payments - this means your store installation has self-made/dummy SSL certificate. It is fine during testing, but you need to upgrade it to a real SSL certificate when your site goes live. <br />
During testing just add that SSL certificate to exclusions in your browser in order not to see that warning every time you place a test transaction via X-Payments. This won't help you to hide that message from your shoppers though. The warning is not shown by a browser if a real SSL certificate is used.<br />
<br />
==="X-Payments tried to notify the store about updates in payment but failed" notification===<br />
<br />
You receive notifications that say "X-Payments tried to notify the store about updates in payment but failed ...".<br />
<br />
They mean X-Payments callback requests have failed because of timeout or because your online shop site is not reachable by X-Payments.<br />
<br />
In the 1st case the store didn't respond within 15 seconds coded by default in X-Payments, but the logs from the side of the store for these requests say, that the requests were received and processed with no errors. It means, that communication between the store and X-Payments actually works, but it takes to long for the store to respond. As a quick solution for this very reason it is recommended to increase the timeout limits in your X-Payments installation:<br />
If X-Payments 2.x - in file lib/XPay/Model/Payment.php by changing "15" in a line of code that looks like to a bigger value (max 60):<br />
<br />
$requestData->setTimeout(15);<br />
<br />
If X-Payments 3.x - in file config/config.ini.php in section [callback] change value of wait_timeout param:<br />
<br />
[callback]<br />
<br />
; Wait timeout for callback requests to the shopping cart (in seconds)<br />
wait_timeout=15<br />
<br />
If you do not have access to your X-Payments installation code - contact vendors of the software by posting them a technical support ticket via https://secure.x-cart.com.<br />
<br />
But the right solution is to figure out why your web site does not respond to X-Payments callbacks within 15 seconds.<br />
<br />
In the 2nd case it might be firewall blocking X-Payments callback requests or your web shop was down for some time.<br />
<br />
==="No Payment Methods Available" message shown to a customer===<br />
<br />
A customer cannot place an order as he/she is displayed a message "No Payment Methods Available" at checkout and at the same time you see an error message "Data validation error, node "request": String length ("266342") exceeds the maximum allowed length for this node - "100000" in X-Payments error log file.<br />
<br />
'''Reason'''<br />
<br />
A shopper added too many line items (different products) to his/her cart ("too many" - e.g. over a thousand) and as result data passed to X-Payments exceeds amount it is configured to accept for security reasons.<br />
<br />
<br />
'''Solution'''<br />
<br />
1) a customer should divide his order in several with less number of line items and process them one by one.<br />
<br />
2) if you face to this issue too often you can increase amount of data allowed to be processed by X-Payments by changing value of constant REQUEST_MAX_LENGTH in X-Payments file lib/XPay/Transport/Request/Api.php, but we do not recommend to large value there for security reasons.<br />
<br />
===Payflow PRO currency issue===<br />
<br />
'''NOTE''': do not confuse this with PayPal Payments PRO (PayFlow API)! There is PayFlow PRO integration, too. We are talking about PayFlow PRO here.<br />
<br />
You need to process payments via PayFlow PRO in other currency than USD, but there is no way to change it. You configured integrated cart in e.g. CAD but X-Payments passes data to PayFlow PRO as USD. This is caused by features of PayFlow PRO API - no exact requirements about passing currency type to PayFlow PRO - sometimes it can be passed as "CUR", sometimes as "CU", etc depending on payment processor you have configured at PayFlow PRO back-end.<br />
<br />
'''Solution'''<br />
<br />
1) Switch to PayPal Payments Pro (Payflow API) integration instead of PayFlow PRO in X-Payments.<br />
<br />
or<br />
<br />
2) change code of X-Payments as follows:<br />
in file lib/XPay/Module/PayflowPro.php find function<br />
<br />
<pre><br />
private function getInitRequestBody(XPay_Transport_GatewayRequest $request)<br />
</pre><br />
<br />
In the function find lines<br />
<br />
<pre><br />
...<br />
$fields = array(<br />
'TRXTYPE' => XPay_Model_PaymentTransaction::SALE == $request->action ? 'S' : 'A',<br />
'AMT' => $this->preparePrice($request->payment->get('total')),<br />
'TAXAMT' => $this->preparePrice($additionalData->get('tax_cost')),<br />
...<br />
</pre><br />
<br />
and add a line of code<br />
<br />
<pre><br />
'CURRENCY' => $request->payment->get('currency'),<br />
</pre><br />
<br />
to get something like <br />
<br />
<pre><br />
'TRXTYPE' => XPay_Model_PaymentTransaction::SALE == $request->action ? 'S' : 'A',<br />
'CURRENCY' => $request->payment->get('currency'),<br />
'AMT' => $this->preparePrice($request->payment->get('total')),<br />
'TAXAMT' => $this->preparePrice($additionalData->get('tax_cost')),<br />
</pre><br />
<br />
The above tweak will work if "PayPal" is configured as the gateway in your PayFlow PRO account.<br />
<br />
For others you should directly specify currency in format required by payment gateway.<br />
<br />
E.g.<br />
<pre><br />
'CURRENCY' => 'USD',<br />
</pre><br />
<br />
<br />
===X-Cart 5 and Exception message: Shopping cart server returned wrong HTTP headers for callback.===<br />
<br />
You use X-Cart 5 and see below error message or error log entry at X-Cart 5 side:<br />
<br />
<pre><br />
Failed to send "check_cart" callback to the store "mydomain.com"<br />
Url: https://www.example.com/cart.php?target=callback&action=callback&xpcBackReference=ABCDEFGHIJKL<br />
Exception message: Shopping cart server returned wrong HTTP headers for callback.<br />
</pre><br />
<br />
'''Solution''':<br />
<br />
Most likely you try to test X-Payments with X-Cart 5 storefront closed. If so, in X-Cart 5 file etc/config.php find below piece of code:<br />
<br />
<pre><br />
[storefront_options]<br />
; Do not close target=callback for payments if storefront is closed<br />
callback_opened = Off<br />
</pre><br />
<br />
and change "Off" to "On" there.<br />
<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
[[Category:X-Payments User Manual]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PCI_DSS_implementation_guide_for_X-Payments_2.2&diff=629X-Payments:PCI DSS implementation guide for X-Payments 2.22016-04-26T12:30:42Z<p>Alex “Ambal” Mulin: /* X-Cart Payments versioning policy */</p>
<hr />
<div>== Introduction ==<br />
<br />
This guide covers '''X-Cart Payments''' 1.0, 2.0, 2.1, 2.2 and is intended for merchants and integrators who wish to implement the application in accordance with guidelines set by the PCI Data Security Standard (PCI DSS).<br />
<br />
== X-Cart Payments versioning policy ==<br />
<br />
X-Cart Payments version number must look like "X.Y.z" (e.g. 1.0.6, 2.0.1, 2.2.1, 3.0.0), where<br />
<br />
* X - major release version number that gets incremented when high impact changes are introduced and certified under PA-DSS requirements;<br />
* Y - minor release version number that gets incremented when low impact changes are added to X-Cart Payments package;<br />
* Z - maintenance/bug-fix release version number that gets incremented when no impact and administrative changes are done to X-Cart Payments package.<br />
<br />
See samples of changes below:<br />
<br />
* High-impact - major update of core X-Cart Payments functions such as login routine, credit card processing inside X-Cart Payments.<br />
* Low-impact - update of integration with newer versions of DBMS, OS and middleware whose older versions have been already verified, adding or removing payment processor integrations, re-compiling source code using new code compiler or new compiler settings, change to X-Cart Payments versioning policy, other changes not related to security of the application.<br />
* No impact - UI changes, changes to DB schemes, report module updates, update or adding of new payment gateway.<br />
* Administrative change - change of application name, change of software vendor name.<br />
<br />
== PCI DSS ==<br />
<br />
PCI DSS specifies 12 requirements broken into 6 groups for compliance that apply both to hardware and software parts of the system that is used to collect, store, transmit and process valuable credit card data as well as the human factor.<br />
<br />
{| border<br />
| Build and Maintain a Secure Network<br />
|<br />
<br />
* Requirement 1: Install and maintain a firewall configuration to protect cardholder data<br />
* Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters<br />
|-<br />
| Protect Cardholder Data<br />
|<br />
<br />
* Requirement 3: Protect stored cardholder data<br />
* Requirement 4: Encrypt transmission of cardholder data across open, public networks<br />
|-<br />
| Maintain a Vulnerability Management Program<br />
|<br />
<br />
* Requirement 5: Use and regularly update anti-virus software<br />
* Requirement 6: Develop and maintain secure systems and applications<br />
|-<br />
| Implement Strong Access Control Measures<br />
|<br />
<br />
* Requirement 7: Restrict access to cardholder data by business need-to-know<br />
* Requirement 8: Assign a unique ID to each person with computer access<br />
* Requirement 9: Restrict physical access to cardholder data<br />
|-<br />
| Regularly Monitor and Test Networks<br />
|<br />
<br />
* Requirement 10: Track and monitor all access to network resources and cardholder data<br />
* Requirement 11: Regularly test security systems and processes<br />
|-<br />
| Maintain an Information Security Policy<br />
|<br />
<br />
* Requirement 12: Maintain a policy that addresses information security<br />
|}<br />
<br />
Specifically, relevant elements to an e-commerce business' PCI compliance status include:<br />
<br />
* Properly using your payment application. For this purpose, carefully review the section below for information on how to use '''X-Cart Payments''' in a way that ensures PCI compliance.<br />
<br />
* Using a PCI compliant Web hosting environment<br />
<br />
* Using a PCI compliant payment provider<br />
<br />
You can find and review the complete specification by visiting [https://www.pcisecuritystandards.org/ https://www.pcisecuritystandards.org/]<br />
<br />
This guide is intended to help merchants implement the '''X-Cart Payments''' application in a way that is compliant with version 2.0 of the PCI DSS.<br />
<br />
== Payment Card Industry Data Security Standard ('''PCI DSS''') ==<br />
<br />
The Payment Card Industry Data Security Standard is a worldwide information security standard assembled by the major credit card vendors, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was designed to help organizations involved in processing credit card payments online make their payment systems secure from cardholder data fraud.<br />
<br />
'''X-Cart Payments''' has been designed and certified to meet all of the requirements of the '''PA-DSS''' version 2.0. This does not automatically make you, the merchant, PCI DSS compliant. To ensure PCI DSS compliance, it is necessary that you follow the recommendations and instructions provided in this guide.<br />
<br />
For additional information about '''PCI DSS''' please visit the [https://www.pcisecuritystandards.org Official PCI Security Standards Council Site].<br />
<br />
== Cardholder data storage==<br />
<br />
'''X-Cart Payments''' has [[X-Payments:General_settings#Cardholder_Data | the ability to store parts of cardholder data temporarily]] for performing 3D Secure verification and certain types of transactions for some of the integrated payment processors. While stored cardholder data is encrypted using special [[X-Payments:Encryption_keys | cryptographic algorithm]]. The data is removed automatically when its storing period is over using "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks.<br />
<br />
'''X-Cart Payments''' can not be configured to store permanently in the database the following types of data:<br />
<br />
* unmasked PAN<br />
* PIN<br />
* CVV<br />
* magnetic stripe (track data)<br />
<br />
Merchants and/or developers implementing '''X-Cart Payments''' should not attempt to customize this as a feature.<br />
<br />
'''X-Cart Payments''' can display masked PAN on "Payment details" pages and in "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. '''X-Cart Payments''' does not have the ability to display full PAN anywhere and there are no settings that can change this behavior of the user interface.<br />
<br />
==Configuring and using '''X-Cart Payments''' in PCI compliant manner ==<br />
<br />
===Installation===<br />
<br />
Follow the [[X-Payments:Installation | standard procedure]] for deployment of X-Cart Payments files to the web server.<br />
<br />
{{Note1|Once installed, X-Cart Payments WILL NEVER:<br/><br />
* store unmasked credit card numbers (PANs)<br />
* send credit card data or any other information to Qualiteam for debug purposes}}<br />
<br />
===Access control===<br />
<br />
There are no built-in/default user accounts in '''X-Cart Payments'''.<br />
You must carefully control access to '''X-Cart Payments'''. Follow these rules:<br />
<br />
* Restrict the number of employees who have access to '''X-Cart Payments''' to only those who have a business need.<br />
* Always provide unique usernames for each person who needs access.<br />
* Do not use system-default usernames and/or passwords<br />
* Web server must be run under a non-privileged user account. Application must access the database from a limited privilege user account.<br />
* All default user accounts use secure authentication mechanisms and password policy settings that comply with all the standard requirements:<br />
** user accounts inactive for more than 3 days are blocked<br />
** password lifetime is set to 30 days<br />
<br />
:: To set password lifetime:<br />
<br />
::# Login to '''X-Cart Payments'''<br />
::# Go to <u>Settings -> General Settings</u><br />
::# Enter the number of days the user account password will be valid for in the "User account password lifetime" field. The maximum allowed password lifetime is 90 days.<br />
<br />
:* minimum password length is 8 characters<br />
:* password must contain both lower and upper case characters and numbers<br />
:* the last 4 passwords must be unique<br />
:* user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password<br />
:* user is logged off after inactivity period of 10 minutes<br />
<br />
<div> Please note that changing default password policy settings will lead to breaking PCI DSS standard requirements.</div><br />
<br />
===Enabling SSL (Secure Socket Layer)===<br />
<br />
SSL protects data that is transmitted between a browser and your web server. It is critical that you have SSL enabled on your web server, and this should be among the first steps taken after installation.<br />
<br />
* Your web server must be configured to use TLS v1.2 protocols with strong encryption (128-bit or longer key is required)<br />
* You will need to have a certificate issued for your web domain. Read [http://help.qtmsoft.com/index.php?title=Instant_SSL_certificate guidelines on installing Comodo's Instant SSL certificates].<br />
<br />
If a web server does not have SSL enabled '''X-Cart Payments''' will not function or will be notifying users depending on '''allow_insecure_protocol''' parameter set in <u>config.ini.php</u> file (disabled by default).<br />
<br />
===Data Collected while Testing===<br />
<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments:<br />
<br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever collect credit card information to troubleshoot a problem that one of your customers is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access<br />
#* Only collect a limited amount of such data as needed to solve a specific problem<br />
#* Sensitive authentication data must be encrypted while stored. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Such data must be securely deleted immediately after use.<br />
<br />
===Encryption Key Management===<br />
<br />
As part of your PA DSS v3.1 requirements, encryption key must be changed annually (changing every 90 days is recommended). You should also change the key any time an employee with access to the key leaves your company. Always replace the key if you know or suspect it has been compromised by any means.<br />
<br />
To change the encryption keys:<br />
<br />
# Log in to '''X-Cart Payments'''<br />
# Go to <u>Maintenance -> Encryption keys</u><br />
# Click "Generate new keys"<br />
<br />
===Use unique user IDs and secure authentication to access PCs, servers and databases ===<br />
<br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords:<br />
<br />
# For your Web hosting account administration area (Web hosting account where your online store is hosted)<br />
# For FTP access to the Web server<br />
# For Remote Desktop Connection to the Web server (if available)<br />
# To connect to the MySQL server that contains your store data.<br />
<br />
The passwords for the accounts mentioned above must also meet the following requirements:<br />
<br />
* be at least 8 characters in length<br />
* contain both numbers and letters in lower and upper case<br />
* not coincide with any part of your email address<br />
* not coincide with any of the last four passwords you have used<br />
* have a lifetime of less than 90 days<br />
* account lockout threshold must be set to 6.<br />
* account lockout duration must be set to 30 minutes (or until unblocked by the administrator).<br />
* user must be logged off after 15 minutes of inactivity<br />
<br />
===Audit trails===<br />
<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. There is no option to disable audit logging. The log files are created in the <u>var/log/</u> directory. Make sure you restrict access to the log files by business need-to-know.<br />
<br />
The following types of activity are logged:<br />
<br />
* All actions taken by any individual with root or administrative privileges<br />
* Successes and failures of all individual accesses to application sections and functions<br />
<br />
* Initialization of the audit logs<br />
* User sign in and sign out.<br />
<br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to files access.log and error.log.<br />
<br />
Each log event includes:<br />
<br />
* Type of event<br />
* Date and time of event<br />
* Username and IP address<br />
* Success or failure indication<br />
* Action which led to the event<br />
<br />
* Component which led to the event<br />
<br />
There is also a meta-log which contains information about other log files being created.<br />
<br />
=== OS-level audit trails ===<br />
<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on server. This software should:<br />
<br />
* warn on a checksum change of any of X-Cart Payments source code files except of log file and database files<br />
* record any file writing operations related to X-Cart Payments files<br />
<br />
===Encrypting network traffic===<br />
<br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for:<br />
<br />
* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
* providing remote web-based access to the application<br />
<br />
If you use tools to remotely access the application, you should encrypt all communication using technologies such as TLS or IPSEC.<br />
<br />
As per PCI DSS requirement 4.2, cardholder data should never be sent unencrypted by e-mail, and X-Cart Payments does meet this requirement '''never''' sending cardholder data by e-mail or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br />
===Wireless communications===<br />
<br />
If you use wireless networking to access '''X-Cart Payments''', it is your responsibility to ensure your wireless security con figuration follows the PCI DSS requirements.<br />
<br />
* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
* Use with a minimum 104-bit encryption key and 24 bit-initialization value<br />
* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS<br />
* Rotate shared WEP keys quarterly (or automatically if the technology permits)<br />
* Rotate shared WEP keys whenever there are changes in personnel with access to keys<br />
* Restrict access based on media access cod e (MAC) address.<br />
* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br />
===Remote access===<br />
<br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time PIN codes. Detailed information can be found at [[X-Payments:Managing_PIN_codes | Managing PIN codes]] page.<br />
<br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following:<br />
<br />
* Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer)<br />
* Allow connections only from specific (known) IP/MAC addresses<br />
* Use strong authentication or complex passwords for logins<br />
* Enable encrypted data transmission<br />
* Enable account lockout after a certain number of failed login attempts<br />
* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed<br />
* Enable any logging or auditing functions<br />
* Restrict access to customer passwords to authorized reseller/integrator personnel<br />
* Establish customer passwords according to PCI DSS requirements 8.1, 8.2, 8.4, 8.5<br />
<br />
Qualiteam does not provide software updates via remote access on an automated basis.<br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PCI_DSS_implementation_guide_for_X-Payments_2.2&diff=628X-Payments:PCI DSS implementation guide for X-Payments 2.22016-04-26T12:29:28Z<p>Alex “Ambal” Mulin: /* X-Cart Payments versioning policy */</p>
<hr />
<div>== Introduction ==<br />
<br />
This guide covers '''X-Cart Payments''' 1.0, 2.0, 2.1, 2.2 and is intended for merchants and integrators who wish to implement the application in accordance with guidelines set by the PCI Data Security Standard (PCI DSS).<br />
<br />
== X-Cart Payments versioning policy ==<br />
<br />
X-Cart Payments version number must look like "X.Y.z" (e.g. 1.0.6, 2.0.1, 2.2.1, 3.0.0), where<br />
<br />
* X - major release version number that gets incremented when high impact changes are introduced and certified under PA-DSS requirements;<br />
* Y - minor release version number that gets incremented when low impact changes are added to X-Cart Payments package;<br />
* Z - maintenance/bug-fix release version number that gets incremented when no impact and administrative changes are done to X-Cart Payments package.<br />
<br />
See samples of changes below:<br />
<br />
High-impact - major update of core X-Cart Payments functions such as login routine, credit card processing inside X-Cart Payments.<br />
Low-impact - update of integration with newer versions of DBMS, OS and middleware whose older versions have been already verified, adding or removing payment processor integrations, re-compiling source code using new code compiler or new compiler settings, change to X-Cart Payments versioning policy, other changes not related to security of the application.<br />
No impact - UI changes, changes to DB schemes, report module updates, update or adding of new payment gateway<br />
<br />
== PCI DSS ==<br />
<br />
PCI DSS specifies 12 requirements broken into 6 groups for compliance that apply both to hardware and software parts of the system that is used to collect, store, transmit and process valuable credit card data as well as the human factor.<br />
<br />
{| border<br />
| Build and Maintain a Secure Network<br />
|<br />
<br />
* Requirement 1: Install and maintain a firewall configuration to protect cardholder data<br />
* Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters<br />
|-<br />
| Protect Cardholder Data<br />
|<br />
<br />
* Requirement 3: Protect stored cardholder data<br />
* Requirement 4: Encrypt transmission of cardholder data across open, public networks<br />
|-<br />
| Maintain a Vulnerability Management Program<br />
|<br />
<br />
* Requirement 5: Use and regularly update anti-virus software<br />
* Requirement 6: Develop and maintain secure systems and applications<br />
|-<br />
| Implement Strong Access Control Measures<br />
|<br />
<br />
* Requirement 7: Restrict access to cardholder data by business need-to-know<br />
* Requirement 8: Assign a unique ID to each person with computer access<br />
* Requirement 9: Restrict physical access to cardholder data<br />
|-<br />
| Regularly Monitor and Test Networks<br />
|<br />
<br />
* Requirement 10: Track and monitor all access to network resources and cardholder data<br />
* Requirement 11: Regularly test security systems and processes<br />
|-<br />
| Maintain an Information Security Policy<br />
|<br />
<br />
* Requirement 12: Maintain a policy that addresses information security<br />
|}<br />
<br />
Specifically, relevant elements to an e-commerce business' PCI compliance status include:<br />
<br />
* Properly using your payment application. For this purpose, carefully review the section below for information on how to use '''X-Cart Payments''' in a way that ensures PCI compliance.<br />
<br />
* Using a PCI compliant Web hosting environment<br />
<br />
* Using a PCI compliant payment provider<br />
<br />
You can find and review the complete specification by visiting [https://www.pcisecuritystandards.org/ https://www.pcisecuritystandards.org/]<br />
<br />
This guide is intended to help merchants implement the '''X-Cart Payments''' application in a way that is compliant with version 2.0 of the PCI DSS.<br />
<br />
== Payment Card Industry Data Security Standard ('''PCI DSS''') ==<br />
<br />
The Payment Card Industry Data Security Standard is a worldwide information security standard assembled by the major credit card vendors, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was designed to help organizations involved in processing credit card payments online make their payment systems secure from cardholder data fraud.<br />
<br />
'''X-Cart Payments''' has been designed and certified to meet all of the requirements of the '''PA-DSS''' version 2.0. This does not automatically make you, the merchant, PCI DSS compliant. To ensure PCI DSS compliance, it is necessary that you follow the recommendations and instructions provided in this guide.<br />
<br />
For additional information about '''PCI DSS''' please visit the [https://www.pcisecuritystandards.org Official PCI Security Standards Council Site].<br />
<br />
== Cardholder data storage==<br />
<br />
'''X-Cart Payments''' has [[X-Payments:General_settings#Cardholder_Data | the ability to store parts of cardholder data temporarily]] for performing 3D Secure verification and certain types of transactions for some of the integrated payment processors. While stored cardholder data is encrypted using special [[X-Payments:Encryption_keys | cryptographic algorithm]]. The data is removed automatically when its storing period is over using "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks.<br />
<br />
'''X-Cart Payments''' can not be configured to store permanently in the database the following types of data:<br />
<br />
* unmasked PAN<br />
* PIN<br />
* CVV<br />
* magnetic stripe (track data)<br />
<br />
Merchants and/or developers implementing '''X-Cart Payments''' should not attempt to customize this as a feature.<br />
<br />
'''X-Cart Payments''' can display masked PAN on "Payment details" pages and in "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. '''X-Cart Payments''' does not have the ability to display full PAN anywhere and there are no settings that can change this behavior of the user interface.<br />
<br />
==Configuring and using '''X-Cart Payments''' in PCI compliant manner ==<br />
<br />
===Installation===<br />
<br />
Follow the [[X-Payments:Installation | standard procedure]] for deployment of X-Cart Payments files to the web server.<br />
<br />
{{Note1|Once installed, X-Cart Payments WILL NEVER:<br/><br />
* store unmasked credit card numbers (PANs)<br />
* send credit card data or any other information to Qualiteam for debug purposes}}<br />
<br />
===Access control===<br />
<br />
There are no built-in/default user accounts in '''X-Cart Payments'''.<br />
You must carefully control access to '''X-Cart Payments'''. Follow these rules:<br />
<br />
* Restrict the number of employees who have access to '''X-Cart Payments''' to only those who have a business need.<br />
* Always provide unique usernames for each person who needs access.<br />
* Do not use system-default usernames and/or passwords<br />
* Web server must be run under a non-privileged user account. Application must access the database from a limited privilege user account.<br />
* All default user accounts use secure authentication mechanisms and password policy settings that comply with all the standard requirements:<br />
** user accounts inactive for more than 3 days are blocked<br />
** password lifetime is set to 30 days<br />
<br />
:: To set password lifetime:<br />
<br />
::# Login to '''X-Cart Payments'''<br />
::# Go to <u>Settings -> General Settings</u><br />
::# Enter the number of days the user account password will be valid for in the "User account password lifetime" field. The maximum allowed password lifetime is 90 days.<br />
<br />
:* minimum password length is 8 characters<br />
:* password must contain both lower and upper case characters and numbers<br />
:* the last 4 passwords must be unique<br />
:* user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password<br />
:* user is logged off after inactivity period of 10 minutes<br />
<br />
<div> Please note that changing default password policy settings will lead to breaking PCI DSS standard requirements.</div><br />
<br />
===Enabling SSL (Secure Socket Layer)===<br />
<br />
SSL protects data that is transmitted between a browser and your web server. It is critical that you have SSL enabled on your web server, and this should be among the first steps taken after installation.<br />
<br />
* Your web server must be configured to use TLS v1.2 protocols with strong encryption (128-bit or longer key is required)<br />
* You will need to have a certificate issued for your web domain. Read [http://help.qtmsoft.com/index.php?title=Instant_SSL_certificate guidelines on installing Comodo's Instant SSL certificates].<br />
<br />
If a web server does not have SSL enabled '''X-Cart Payments''' will not function or will be notifying users depending on '''allow_insecure_protocol''' parameter set in <u>config.ini.php</u> file (disabled by default).<br />
<br />
===Data Collected while Testing===<br />
<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments:<br />
<br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever collect credit card information to troubleshoot a problem that one of your customers is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access<br />
#* Only collect a limited amount of such data as needed to solve a specific problem<br />
#* Sensitive authentication data must be encrypted while stored. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Such data must be securely deleted immediately after use.<br />
<br />
===Encryption Key Management===<br />
<br />
As part of your PA DSS v3.1 requirements, encryption key must be changed annually (changing every 90 days is recommended). You should also change the key any time an employee with access to the key leaves your company. Always replace the key if you know or suspect it has been compromised by any means.<br />
<br />
To change the encryption keys:<br />
<br />
# Log in to '''X-Cart Payments'''<br />
# Go to <u>Maintenance -> Encryption keys</u><br />
# Click "Generate new keys"<br />
<br />
===Use unique user IDs and secure authentication to access PCs, servers and databases ===<br />
<br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords:<br />
<br />
# For your Web hosting account administration area (Web hosting account where your online store is hosted)<br />
# For FTP access to the Web server<br />
# For Remote Desktop Connection to the Web server (if available)<br />
# To connect to the MySQL server that contains your store data.<br />
<br />
The passwords for the accounts mentioned above must also meet the following requirements:<br />
<br />
* be at least 8 characters in length<br />
* contain both numbers and letters in lower and upper case<br />
* not coincide with any part of your email address<br />
* not coincide with any of the last four passwords you have used<br />
* have a lifetime of less than 90 days<br />
* account lockout threshold must be set to 6.<br />
* account lockout duration must be set to 30 minutes (or until unblocked by the administrator).<br />
* user must be logged off after 15 minutes of inactivity<br />
<br />
===Audit trails===<br />
<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. There is no option to disable audit logging. The log files are created in the <u>var/log/</u> directory. Make sure you restrict access to the log files by business need-to-know.<br />
<br />
The following types of activity are logged:<br />
<br />
* All actions taken by any individual with root or administrative privileges<br />
* Successes and failures of all individual accesses to application sections and functions<br />
<br />
* Initialization of the audit logs<br />
* User sign in and sign out.<br />
<br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to files access.log and error.log.<br />
<br />
Each log event includes:<br />
<br />
* Type of event<br />
* Date and time of event<br />
* Username and IP address<br />
* Success or failure indication<br />
* Action which led to the event<br />
<br />
* Component which led to the event<br />
<br />
There is also a meta-log which contains information about other log files being created.<br />
<br />
=== OS-level audit trails ===<br />
<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on server. This software should:<br />
<br />
* warn on a checksum change of any of X-Cart Payments source code files except of log file and database files<br />
* record any file writing operations related to X-Cart Payments files<br />
<br />
===Encrypting network traffic===<br />
<br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for:<br />
<br />
* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
* providing remote web-based access to the application<br />
<br />
If you use tools to remotely access the application, you should encrypt all communication using technologies such as TLS or IPSEC.<br />
<br />
As per PCI DSS requirement 4.2, cardholder data should never be sent unencrypted by e-mail, and X-Cart Payments does meet this requirement '''never''' sending cardholder data by e-mail or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br />
===Wireless communications===<br />
<br />
If you use wireless networking to access '''X-Cart Payments''', it is your responsibility to ensure your wireless security con figuration follows the PCI DSS requirements.<br />
<br />
* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
* Use with a minimum 104-bit encryption key and 24 bit-initialization value<br />
* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS<br />
* Rotate shared WEP keys quarterly (or automatically if the technology permits)<br />
* Rotate shared WEP keys whenever there are changes in personnel with access to keys<br />
* Restrict access based on media access cod e (MAC) address.<br />
* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br />
===Remote access===<br />
<br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time PIN codes. Detailed information can be found at [[X-Payments:Managing_PIN_codes | Managing PIN codes]] page.<br />
<br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following:<br />
<br />
* Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer)<br />
* Allow connections only from specific (known) IP/MAC addresses<br />
* Use strong authentication or complex passwords for logins<br />
* Enable encrypted data transmission<br />
* Enable account lockout after a certain number of failed login attempts<br />
* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed<br />
* Enable any logging or auditing functions<br />
* Restrict access to customer passwords to authorized reseller/integrator personnel<br />
* Establish customer passwords according to PCI DSS requirements 8.1, 8.2, 8.4, 8.5<br />
<br />
Qualiteam does not provide software updates via remote access on an automated basis.<br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:Supported_payment_gateways&diff=614X-Payments:Supported payment gateways2016-03-24T14:26:52Z<p>Alex “Ambal” Mulin: </p>
<hr />
<div>'''Legend:'''<br />
<br />
* '''Auth''': Allows to authorize the availability of funds for a transaction (The buyer's funds are temporarily placed on hold to ensure the availability of the authorization amount for capture).<br />
* '''Capture''': Allows to capture the amount of the authorization (The money authorized for the order is moved from the buyers's account to the merchant's account).<br />
* '''Sale''': Supports transactions of 'Sale' type (Authorization and capture actions are completed simultaneously at the time the payment is processed).<br />
* '''Void''': Allows the removal of an authorization hold from the buyer's account by the merchant.<br />
* '''Refund''': Allows to issue refunds (The money is returned to the buyer's account).<br />
* '''Get Status''': Can provide information about the status of a transaction to X-Payments.<br />
* '''Accept''', '''Decline''': Allows to accept or reject transactions with a higher likelihood of risk.<br />
* '''Test''': Can test whether the merchant account details entered in X-Payments are valid.<br />
* '''3D-Secure via Cardinal Commerce''': Supports 3-D Secure payer authentication via Cardinal Commerce.<br />
* '''Tokenization''': Supports tokenization (Allows to charge customer credit cards again - without X-Payments storing cardholder data).<br />
* '''p''': Supports partial transactions (For example, "Capture + p" = Allows to capture a partial amount of the authorization).<br />
* '''m''': Supports multiple transactions (For example, "Capture + m" = Allows to perform the capture action multiple times).<br />
<br />
<br />
{| class="wikitable" width=90%<br />
|-<br />
! scope="col" style="width: 15%;"| '''Payment service provider'''<br />
! scope="col" style="width: 20%;"| '''Payment system'''<br />
! scope="col" style="width: 6%;"| '''Sale'''<br />
! scope="col" style="width: 6%;"| '''Auth'''<br />
! scope="col" style="width: 10%;"| '''Capture'''<br />
! scope="col" style="width: 6%;"| '''Void'''<br />
! scope="col" style="width: 10%;"| '''Refund'''<br />
! scope="col" style="width: 6%;"| '''Get status'''<br />
! scope="col" style="width: 6%;"| '''Accept'''<br />
! scope="col" style="width: 6%;"| '''Decline'''<br />
! scope="col" style="width: 6%;"| '''Test'''<br />
! scope="col" style="width: 6%;"| '''3D-Secure via <br/>Cardinal Commerce'''<br />
! scope="col" style="width: 6%;"| '''Tokenization'''<br />
|- style="vertical-align:top;"<br />
| [http://www.paypal.com/ PayPal]<br />
| PayFlow Pro<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| <br />
| 3d Secure<br />built in<br />
| [[File:Check.svg|25px]]<br />
|- style="vertical-align:top;"<br />
| [http://www.paypal.com/ PayPal]<br />
| PayPal Payments Pro (PayPal API)<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
|- style="vertical-align:top;"<br />
| [http://www.paypal.com/ PayPal]<br />
| PayPal Payments Pro (Payflow API)<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| <br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
|- style="vertical-align:top;"<br />
| [http://www.anz.com/ Australia and New Zealand Banking Group Limited]<br />
| ANZ eGate<br />
| [[File:Check.svg|25px]]<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
|- style="vertical-align:top;"<br />
| [http://paymentgateway.americanexpress.com/ American Express]<br />
| American Express Web-Services API Integration<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
|- style="vertical-align:top;"<br />
| [http://www.cybersource.com/ CyberSource Corporation]<br />
| Authorize.Net AIM<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + m<br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.cybersource.com/ CyberSource Corporation]<br />
| Authorize.Net AIM XML<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.cybersource.com/ CyberSource Corporation]<br />
| Authorize.Net CIM<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
|- style="vertical-align:top;"<br />
| [http://www.beanstream.com/ Digital River, Inc.]<br />
| Beanstream, a Digital River Company/FirstData Canada <br />&nbsp;<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
| <br />
|- style="vertical-align:top;"<br />
| [http://bluepay.com/xpayments-partner-page BluePay]<br />
| BluePay <br />&nbsp;<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
|- style="vertical-align:top;"<br />
| [https://www.braintreepayments.com/ Braintree, a division of PayPal, Inc.]<br />
| Braintree<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
|- style="vertical-align:top;"<br />
| [http://www.caledoncard.com/ Blue Pay Canada (ex. Caledon Computer Systems, Inc.)]<br />
| Blue Pay Canada (ex. Caledon)<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.cardinalcommerce.com/ CardinalCommerce Corporation]<br />
| Cardinal Commerce Centinel<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| <br />
| <br />
| <br />
| <br />
| 3d Secure<br />built in<br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.chasepaymentech.com/ Chase Paymentech]<br />
| Chase Paymentech <br />&nbsp;<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]] + p<br />
| <br />
| <br />
|<br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
|- style="vertical-align:top;"<br />
| [http://www.cybersource.com/ CyberSource]<br />
| CyberSource - SOAP toolkit API <br />&nbsp;<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
|- style="vertical-align:top;"<br />
| [http://www.dibspayment.com/ DIBS Payment Services AB]<br />
| DIBS<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
| <br />
|- style="vertical-align:top;"<br />
| [http://digitalriverpayments.co.uk/ Digital River, Inc.]<br />
| Digital River World Payments / Beanstream<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.securepay.com.au/ SecurePay Pty Ltd]<br />
| [http://www.directone.com.au/ DirectOne - Direct Interface] <br />&nbsp;<br />
| [[File:Check.svg|25px]]<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
|- style="vertical-align:top;"<br />
| [https://secure.5thdl.com Sparrow (ex. 5th Dimension Logisitics, LLC)]<br />
| Sparrow (ex. 5th Dimension Gateway)<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| <br />
| [[File:Check.svg|25px]] + p<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.echo-inc.com/ Electronic Clearing House, Inc.]<br />
| ECHO NVP<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| <br />
| [[File:Check.svg|25px]]<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.elavon.com/ Elavon, Inc.]<br />
| Elavon Converge<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| <br />
| <br />
| <br />
| <br />
| 3d Secure<br />built in<br />
| [[File:Check.svg|25px]]<br />
|- style="vertical-align:top;"<br />
| [http://www.barclaycardbusiness.co.uk/about_us.html Barclaycard Business]<br />
| ePDQ MPI XML (Phased out) <br />&nbsp;<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.eprocessingnetwork.com/Info.html eProcessing Network, LLC]<br />
| eProcessing Network - Transparent Database Engine<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.moneris.com/ Moneris Solutions]<br />
| eSELECTplus <br />&nbsp;<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
|- style="vertical-align:top;"<br />
| [http://www.eway.com.au/Company/Company.aspx Web Active Corporation Pty Ltd]<br />
| eWay Realtime Payments XML<br />
| [[File:Check.svg|25px]]<br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.globalpaymentsinc.com Global Payments, Inc]<br />
| Global Iris/HSBC - RealAuth Remote<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| <br />
| <br />
| <br />
| <br />
| 3d Secure<br />built in<br />
| [[File:Check.svg|25px]]<br />
|- style="vertical-align:top;"<br />
| [http://www.goemerchant.com/ GoEmerchant, LLC]<br />
| GoEmerchant - XML Gateway API<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.heidelpay.de Heidelberger Payment GmbH]<br />
| HeidelPay<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
|<br />
|<br />
|<br />
|<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
|- style="vertical-align:top;"<br />
| [http://www.innovativegateway.com/ Intuit, Inc. Innovative Gateway]<br />
| Innovative Gateway<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.itransact.com/ iTransact, Inc.]<br />
| iTransact XML<br />&nbsp;<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.firstdata.com/ First Data Corporation]<br />
| First Data Payeezy Gateway (ex- Global Gateway e4)<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
|- style="vertical-align:top;"<br />
| [http://www.merituspayment.com/ Meritus Payment Solutions]<br />
| Meritus Web Host<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />(works only in "Sale" mode, is disabled in "Auth only" mode)<br />
|- style="vertical-align:top;"<br />
| [http://www.netbilling.com/ Netbilling, Inc.]<br />
| Netbilling - Direct Mode 3.1 <br />&nbsp;<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| <br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.netregistry.com.au/ Netregistry Pty Ltd]<br />
| NetRegistry <br />&nbsp;<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| <br />
| <br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.ogone.com/ Ingenico Payment Services (former Ogone)]<br />
| Ingenico/Ogone/ePDQ e-Commerce<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.paygate.net/ PayGate]<br />
| PayGate Korea <br />&nbsp;<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.psigate.com/ Payment Services Interactive Gateway Inc.]<br />
| PSiGate XML API<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.quantumgateway.com/ Quantum Services LLC]<br />
| QuantumGateway - Transparent QGWdatabase Engine<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| [[File:Check.svg|25px]]<br />
| <br />
| <br />
| <br />
| <br />
| <br />
|<br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.quantumgateway.com/ Quantum Services LLC]<br />
| QuantumGateway - XML Requester<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
|- style="vertical-align:top;"<br />
| [http://payments.intuit.com/ Intuit Inc.]<br />
| Intuit QuickBooks Payments<br />&nbsp;<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
|- style="vertical-align:top;"<br />
| [http://www.realexpayments.com/ Realex Payments]<br />
| Realex<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
|<br />
|<br />
| <br />
| 3d Secure<br />built in<br />
| [[File:Check.svg|25px]]<br />
|- style="vertical-align:top;"<br />
| [http://www.sagepay.com/ Sage Pay]<br />
| Sage Pay Go - Direct Interface<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| 3d Secure<br />built in<br />
| [[File:Check.svg|25px]]<br />
|- style="vertical-align:top;"<br />
| [http://www.securepay.com/ SecurePay.com Inc.]<br />
| SecurePay USA<br />&nbsp;<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.securepay.com.au/ SecurePay - A Business of Australia Post]<br />
| SecurePay Australia<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
|- style="vertical-align:top;"<br />
| [https://www.simplify.com/commerce/ MasterCard]<br />
| Simplify Commerce by MasterCard<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
|<br />
|<br />
|<br />
|<br />
|<br />
| [[File:Check.svg|25px]]<br />
|- style="vertical-align:top;"<br />
| [http://www.skipjack.com/ Skipjack Financial Services, Inc.]<br />
| SkipJack<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]]<br />
| <br />
| <br />
| <br />
| <br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.usaepay.com/ GorCorp Inc.]<br />
| USA ePay - Transaction Gateway API<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.elavon.com/ Elavon, Inc.]<br />
| Virtual Merchant - Merchant Provided Form<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.plugnpay.com/ Plug and Pay Technologies]<br />
| WebXpress<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.worldpay.com/ Worldpay]<br />
| Worldpay Corporate Gateway - Direct Model<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p, m<br />
| <br />
| <br />
| <br />
| <br />
| 3d Secure<br />built in<br />
| <br />
|- style="vertical-align:top;"<br />
| [http://www.worldpay.us/ WorldPay US, Inc.]<br />
| WorldPay US <br />&nbsp;<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]]<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]] + p<br />
| [[File:Check.svg|25px]] + p<br />
| <br />
| <br />
| <br />
| <br />
| <br />
| [[File:Check.svg|25px]]<br />
|- <br />
|}<br />
<br />
[[Category:X-Payments User Manual]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=XPH:About&diff=510XPH:About2016-02-10T11:13:25Z<p>Alex “Ambal” Mulin: /* Trademark policy */</p>
<hr />
<div><div style="background: #F7F7F7; border: 1px solid #999999; padding: 1em; "><br />
<big><br />
[[File:information.gif]] The goal of this website is to provide help on using X-Payments. <br />
<br />
</big><br />
<br><br />
<br><br />
The list of Help resources available on X-Payments can be found on the [[Main_Page | Main Page]].<br /><br />
The following links provide some additional ways of browsing the site content that may be helpful:<br />
* [[Special:Allpages/X-Payments:]] - Lists all pages in the X-Payments: namespace.<br />
* [[Special:RecentChanges]] - Provides a list of recent changes.<br />
<br><br />
{{Note1}} '''This website should not be used as a discussion board or support desk'''. Any support inquiries should be posted to <u>Message board</u> under your {{QA}}.<br />
</div><br />
<br />
<br />
<br />
==Editorial guidelines==<br />
<br />
* Please note that all help articles on X-Payments in this MediaWiki installation must be created in the "X-Payments" namespace. To achieve this, use "X-Payments" as a prefix when naming your pages. The correct format is "X-Payments:Name_of_page".<br />
<br />
* Feel free to create and use [[:Category:Info templates|Templates]]<br />
<br />
* Consult the [http://meta.wikimedia.org/wiki/Help:Contents User's Guide] for information on using the wiki software.<br />
<br />
==Privacy policy==<br />
<br />
See http://www.x-cart.com/privacy-policy.html<br />
<br />
==Trademark policy==<br />
<br />
See http://www.x-cart.com/trademark-policy.html<br />
<br />
==API==<br />
<br />
Read http://www.mediawiki.org/wiki/API on how to use MediaWiki API for retrieving data contained within this portal.<br />
<br />
__NOTOC__</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=XPH:About&diff=509XPH:About2016-02-10T11:13:12Z<p>Alex “Ambal” Mulin: /* Privacy policy */</p>
<hr />
<div><div style="background: #F7F7F7; border: 1px solid #999999; padding: 1em; "><br />
<big><br />
[[File:information.gif]] The goal of this website is to provide help on using X-Payments. <br />
<br />
</big><br />
<br><br />
<br><br />
The list of Help resources available on X-Payments can be found on the [[Main_Page | Main Page]].<br /><br />
The following links provide some additional ways of browsing the site content that may be helpful:<br />
* [[Special:Allpages/X-Payments:]] - Lists all pages in the X-Payments: namespace.<br />
* [[Special:RecentChanges]] - Provides a list of recent changes.<br />
<br><br />
{{Note1}} '''This website should not be used as a discussion board or support desk'''. Any support inquiries should be posted to <u>Message board</u> under your {{QA}}.<br />
</div><br />
<br />
<br />
<br />
==Editorial guidelines==<br />
<br />
* Please note that all help articles on X-Payments in this MediaWiki installation must be created in the "X-Payments" namespace. To achieve this, use "X-Payments" as a prefix when naming your pages. The correct format is "X-Payments:Name_of_page".<br />
<br />
* Feel free to create and use [[:Category:Info templates|Templates]]<br />
<br />
* Consult the [http://meta.wikimedia.org/wiki/Help:Contents User's Guide] for information on using the wiki software.<br />
<br />
==Privacy policy==<br />
<br />
See http://www.x-cart.com/privacy-policy.html<br />
<br />
==Trademark policy==<br />
<br />
See http://www.qtmsoft.com/trademark-policy.html<br />
<br />
==API==<br />
<br />
Read http://www.mediawiki.org/wiki/API on how to use MediaWiki API for retrieving data contained within this portal.<br />
<br />
__NOTOC__</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:API&diff=501X-Payments:API2015-12-18T09:05:07Z<p>Alex “Ambal” Mulin: /* Check cart callback request */</p>
<hr />
<div>== API versions supported ==<br />
<br />
'''API v1.1''': X-Payments 1.0.2-1.0.5 <br /><br />
'''API v1.2''': X-Payments 1.0.6, 2.0.0, 2.0.1 <br /><br />
'''API v1.3''': X-Payments 2.1.0, 2.1.1 <br /><br />
'''API v1.4''': X-Payments 2.1.2 (Nov 2014), 2.1.3 (Feb 2015)<br /><br />
'''API v1.5''': X-Payments 2.2 (June 2015)<br /><br />
'''API v1.6''': X-Payments 2.3 (planned)<br /><br /><br />
<br />
==API requests==<br />
<br />
All API requests are made to the '''httрs://<xpayments_url>/api.php''' URL.<br />
Only HTTPS protocol is used.<br />
A request is an XML document that is encrypted using RSA method with a key generated by X-Payments.<br />
<br />
'''Request/Response encryption'''<br />
<br />
* Encryption method used: RSA;<br />
* Key length: 2048 bit;<br />
* A private key is created with a 32 character password;<br />
* The password is generated randomly;<br />
* The number of password characters varies from 33 to 127.<br />
<br />
For each online store X-Payments generates 2 pairs of keys:<br />
<br />
# a public and a private key to encrypt requests/responses from the online store to X-Payments;<br />
# a public and a private key to encrypt requests/responses from X-Payments to the online store.<br />
<br />
So when the online store sends a request to X-Payments, this request is encrypted using the public key from the first pair, X-Payments decrypts it using the private key of the first pair. Then X-Payments response is encrypted using the public key of the second pair, and the online store decrypts this response using the private key of the second pair.<br />
<br />
To ensure full-featured two-way commumication between X-Payments and an online store, you need to copy tree values from the X-Payments interface:<br />
:* Public key from the first pair (Online store → X-Payments),<br />
:* Private key from the second pair (X-Payments → Online store),<br />
:* Private key password,<br />
and have them stored on the side of the online store by an appropriate X-Payments connector.<br />
<br />
<br />
'''Encryption algorithm:'''<br />
<br />
# An empty string is created for pre-prepared data.<br />
# A 32-character salt-block is formed of random characters from 33 to 255.<br />
# The length of the salt-block in bites is taken and transformed into a 12-character string by adding zeros before it.<br />
# The salt-block length string and the salt-block are added to the pre-prepared data.<br />
# MD5 digital signature is taken from the data. The signature is formed as a HEX (32-character string).<br />
# The length of the digital signature in bites is taken and transformed into a 12-character string by adding zeros before it.<br />
# The digital signature length string and the digital signature are added to the pre-prepared data.<br />
# The length of the data string in bites is taken and transformed into a 12-character string by adding zeros before it.<br />
# The data string length string and the data string are added to the pre-prepared data.<br />
# The string of pre-prepared data is divided into 128 bite chunks.<br />
# Each chunk is encrypted using a public key.<br />
# Each chunk is encoded with base64.<br />
# Chunks are glued together using a line feed character (0x0a).<br />
# API prefix is added to the glued chunks.<br />
<br />
===cURL as a means of sending requests===<br />
<br />
Using libcurl v.7.10 and above is recommended.<br />
<br />
TTL should be specified depending on the performance of the server where X-Payments is installed. The recommended value is 120 seconds.<br />
<br />
It is recommended to use SSL v.3 and above.<br />
<br />
===Data types===<br />
<br />
Data types used:<br />
<br />
* string - a UTF-8 string;<br />
* email - an email address no longer than 255 characters;<br />
* URL - a URL address no longer than 255 characters;<br />
* currency - a floating point number denoting a certain sum of money. The mantissa size is the same as the payment currency mantissa size, but not longer than 3. All the exceeding characters will be truncated.<br />
* integer - an integer number.<br />
<br />
ISO 4217 Alpha-3 in the upper register is always used as the payment currency code.<br />
<br />
ISO 639-1 Alpha-2 in the lower register is always used as the language code.<br />
<br />
==Payment configurations list request==<br />
<br />
Returns a list of payment configurations that are configured, enabled, and assigned to this online store/shopping cart.<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment_confs<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal get<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br /><br />
<br />
===Request example===<br />
<br />
<pre><br />
<api_version>1.5</api_version><br />
<target>payment_confs</target><br />
<action>get</action><br />
</pre><br />
<br /><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | payment_module<br />
| colspan="1" | container<br />
| colspan="1" | <br />
|-<br />
| colspan="1" | payment_module/name<br />
| colspan="1" | string<br />
| colspan="1" | Name of the payment configuration, as set by the X-Payments admin<br />
|-<br />
| colspan="1" | payment_module/id<br />
| colspan="1" | integer<br />
| colspan="1" | Identifier of the payment configuration (autoincrement)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes<br />
| colspan="1" | container<br />
| colspan="1" | <br />
|-<br />
| colspan="1" | payment_module/transactionTypes/sale<br />
| colspan="1" | string<br />
| colspan="1" | Whether the payment configuration allows "Sale" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/auth<br />
| colspan="1" | string<br />
| colspan="1" | Whether the payment configuration allows "Authorize only" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/capture<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows "Capture" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/capturePart<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows partial "Capture" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/captureMulti<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows multiple "Capture" operations ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/void<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows "Void" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/voidPart<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows partial "Void" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/voidMulti<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows multiple "Void" operations ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/refund<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows "Refund" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/refundPart<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows partial "Refund" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/refundMulti<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows multiple "Refund" operations ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/getInfo<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows to receive information from the payment gateway ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/accept<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows "Accept" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/decline<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows "Decline" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/transactionTypes/test<br />
| colspan="1" | string <br />
| colspan="1" | Whether the payment configuration allows "Test" operation ("1" - allows, "" empty - doesn't allow)<br />
|-<br />
| colspan="1" | payment_module/authCaptureInfo<br />
| colspan="1" | container<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | payment_module/authCaptureInfo/authExp<br />
| colspan="1" | integer<br />
| colspan="1" | How many days the transaction can stay in the Authorized status before being declined automatically<br />
|-<br />
| colspan="1" | payment_module/authCaptureInfo/captMinLimit<br />
| colspan="1" | float<br />
| colspan="1" | Minimum capture limit allowed by the payment gateway. Presented as a part of 1 (0 - no minimum limit, 0.2 - minimum 20% of authorized total, 0.5 - 50% of authorized total, etc.)<br />
|-<br />
| colspan="1" | payment_module/authCaptureInfo/captMaxLimit<br />
| colspan="1" | <br />
| colspan="1" | Maximum capture limit allowed by the payment gateway. Presented as a part of 1 (0 - no maximum limit, 0.5 - 50% of authorized total, 1 - 100% of authorized total, etc.)<br />
|-<br />
| colspan="1" | payment_module/moduleName<br />
| colspan="1" | string<br />
| colspan="1" | Default X-Payments name of the payment configuration<br />
|-<br />
| colspan="1" | payment_module/settingsHash<br />
| colspan="1" | string<br />
| colspan="1" | MD5 hash of the payment configuration settings<br />
|-<br />
| colspan="1" | payment_module/currency<br />
| colspan="1" | string<br />
| colspan="1" | 3-characters code of currency (ISO 4217). API v1.3 and later.<br />
|-<br />
| colspan="1" | payment_module/canSaveCards<br />
| colspan="1" | string<br />
| colspan="1" | Whether the payment configuration supports tokenization, i.e. customers' credit card can be saved on the payment gateway ("Y" - supports, "N" - doesn't support). API v1.3 and later.<br />
|-<br />
| colspan="1" | payment_module/class<br />
| colspan="1" | string<br />
| colspan="1" | Service field of the class name. It is unique for a payment module so it can be used to detect a certain payment gateway. E.g. XPay_Module_SagePayDirect for SagePay, XPay_Module_AuthorizeNet for Authorize.Net AIM, etc. API v1.4 and later.<br />
|-<br />
| colspan="1" | payment_module/isTestMode<br />
| colspan="1" | string<br />
| colspan="1" | Indicates if the payment configuration is configured in test mode ("Y" - test mode, "N" - live mode). API v1.4 and later.<br />
|}<br />
<br /><br />
<br />
===Response example===<br />
<br />
<pre><br />
<data><br />
<payment_module type="cell"><br />
<name>First Data Global Gateway e4(SM) Web Service API</name><br />
<id>1</id><br />
<transactionTypes><br />
<sale>1</sale><br />
<auth>1</auth><br />
<capture>1</capture><br />
<capturePart>1</capturePart><br />
<captureMulti></captureMulti><br />
<void>1</void><br />
<voidPart></voidPart><br />
<voidMulti></voidMulti><br />
<refund>1</refund><br />
<refundPart>1</refundPart><br />
<refundMulti>1</refundMulti><br />
<getInfo></getInfo><br />
<accept></accept><br />
<decline></decline><br />
<test></test><br />
</transactionTypes><br />
<authCaptureInfo><br />
<authExp>30</authExp><br />
<captMinLimit>0</captMinLimit><br />
<captMaxLimit>1</captMaxLimit><br />
</authCaptureInfo><br />
<moduleName>First Data Payeezy Gateway (ex- Global Gateway e4)</moduleName><br />
<settingsHash>d41d8cd98f00b204e9800998ecf8427e</settingsHash><br />
<currency>USD</currency><br />
<canSaveCards>Y</canSaveCards><br />
<class>XPay_Module_FirstDataE4</class><br />
<isTestMode>Y</isTestMode><br />
</payment_module><br />
<payment_module type="cell"><br />
<name>Chase Paymentech</name><br />
<id>2</id><br />
<transactionTypes><br />
<sale>1</sale><br />
<auth>1</auth><br />
<capture>1</capture><br />
<capturePart>1</capturePart><br />
<captureMulti></captureMulti><br />
<void>1</void><br />
<voidPart></voidPart><br />
<voidMulti></voidMulti><br />
<refund>1</refund><br />
<refundPart>1</refundPart><br />
<refundMulti></refundMulti><br />
<getInfo></getInfo><br />
<accept></accept><br />
<decline></decline><br />
<test></test><br />
</transactionTypes><br />
<authCaptureInfo><br />
<authExp>30</authExp><br />
<captMinLimit>0</captMinLimit><br />
<captMaxLimit>1</captMaxLimit><br />
</authCaptureInfo><br />
<moduleName>Chase Paymentech</moduleName><br />
<settingsHash>d41d8cd98f00b204e9800998ecf8427e</settingsHash><br />
<currency>USD</currency><br />
<canSaveCards>Y</canSaveCards><br />
<class>XPay_Module_Chase</class><br />
<isTestMode>Y</isTestMode><br />
</payment_module><br />
</data><br />
</pre><br />
<br /><br />
<br />
==Test connection request==<br />
Use this request to test the connection between the store and X-Payments. It can also help to detect the version of the X-Payments installation and the API version supported by X-Payments.<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal connect<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal test<br />
|-<br />
| colspan="1" | testCode<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Any string<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br /><br />
<br />
===Request example===<br />
<br />
<pre><br />
<testCode>123</testCode><br />
<api_version>1.5</api_version><br />
<target>connect</target><br />
<action>test</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | hashCode<br />
| colspan="1" | string<br />
| colspan="1" | MD5 hash of the sent code<br />
|-<br />
| colspan="1" | error<br />
| colspan="1" | string<br />
| colspan="1" | Error code (if any)<br />
|-<br />
| colspan="1" | error_message<br />
| colspan="1" | string<br />
| colspan="1" | Error message<br />
|-<br />
| colspan="1" | is_error_message<br />
| colspan="1" | string<br />
| colspan="1" | Flag indicating the error message presence <br />
|-<br />
| colspan="1" | version<br />
| colspan="1" | string<br />
| colspan="1" | X-Payments version<br />
|}<br />
<br /><br />
<br />
===Response example===<br />
<br />
Example of a good response:<br />
<pre><br />
<data><br />
<hashCode>202cb962ac59075b964b07152d234b70</hashCode><br />
<error></error><br />
<error_message></error_message><br />
<is_error_message></is_error_message><br />
<version>2.2.0</version><br />
</data><br />
</pre><br />
<br />
Example of a response with an error:<br />
<pre><br />
<data><br />
<error>506</error><br />
<error_message>Your X-Payments connector module supports API version "1.9". This X-Payments supports the following API versions only: "1.1, 1.2, 1.3, 1.4, 1.5, 1.6".</error_message><br />
<is_error_message></is_error_message><br />
</data><br />
</pre><br />
<br /><br />
<br />
==Payment initialisation request==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal init<br />
|-<br />
| colspan="1" | confId<br />
| colspan="1" | Y<br />
| colspan="1" | integer<br />
| colspan="1" | Payment module configuration ID<br />
|-<br />
| colspan="1" | refId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Order ID in the online store<br />
|-<br />
| colspan="1" | returnUrl<br />
| colspan="1" | Y<br />
| colspan="1" | URL, 255<br />
| colspan="1" | URL of the page to redirect the customer after payment<br />
|-<br />
| colspan="1" | callbackUrl<br />
| colspan="1" | Y<br />
| colspan="1" | URL, 255<br />
| colspan="1" | URL to which X-Payments sends background requests with service information<br />
|-<br />
| colspan="1" | language<br />
| colspan="1" | N<br />
| colspan="1" | code of ISO 639-1 (Alpha-2)<br />
| colspan="1" | Language code. If not specified - en<br />
|-<br />
| colspan="1" | cart<br />
| colspan="1" | Y<br />
| colspan="1" | container<br />
| colspan="1" | A container with addresses description<br />
|-<br />
| colspan="1" | cart/billingAddress<br />
| colspan="1" | Y<br />
| colspan="1" | container<br />
| colspan="1" | A container with the billing address description<br />
|-<br />
| colspan="1" | cart/billingAddress/firstname<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/lastname<br />
| colspan="1" | N<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/company<br />
| colspan="1" | N<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/address<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/city<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/state<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/country<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/zipcode<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/email<br />
| colspan="1" | Y<br />
| colspan="1" | emai, 255l<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/phone<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/billingAddress/fax<br />
| colspan="1" | N<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress<br />
| colspan="1" | Y<br />
| colspan="1" | container<br />
| colspan="1" | A container with the shipping address description<br />
|-<br />
| colspan="1" | cart/shippingAddress/firstname<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/lastname<br />
| colspan="1" | N<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/company<br />
| colspan="1" | N<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/address<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/city<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/state<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/country<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/zipcode<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/email<br />
| colspan="1" | Y<br />
| colspan="1" | email, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/phone<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/shippingAddress/fax<br />
| colspan="1" | N<br />
| colspan="1" | string, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/items<br />
| colspan="1" | Y<br />
| colspan="1" | container<br />
| colspan="1" | A container with product description<br />
|-<br />
| colspan="1" | cart/items/sku<br />
| colspan="1" | Y<br />
| colspan="1" | string, 64<br />
| colspan="1" | SKU (product code)<br />
|-<br />
| colspan="1" | cart/items/name<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" | Product name<br />
|-<br />
| colspan="1" | cart/items/price<br />
| colspan="1" | Y<br />
| colspan="1" | currency<br />
| colspan="1" | Product item price<br />
|-<br />
| colspan="1" | cart/items/quantity<br />
| colspan="1" | N<br />
| colspan="1" | integer<br />
| colspan="1" | Ordered number of products. If not specified - 1<br />
|-<br />
| colspan="1" | cart/login<br />
| colspan="1" | Y<br />
| colspan="1" | string, 255<br />
| colspan="1" | Unique customer ID in the online store (login, username, userid, etc.)<br />
|-<br />
| colspan="1" | cart/currency<br />
| colspan="1" | N<br />
| colspan="1" | string, 3<br />
| colspan="1" | Payment currency code (ISO 4217 Alpha-3). If not specified, default payment configuration currency is used<br />
|-<br />
| colspan="1" | cart/shippingCost<br />
| colspan="1" | -<br />
| colspan="1" | currency<br />
| colspan="1" | Shipping cost. By default - 0<br />
|-<br />
| colspan="1" | cart/taxCost<br />
| colspan="1" | -<br />
| colspan="1" | currency<br />
| colspan="1" | Tax amount. By default - 0<br />
|-<br />
| colspan="1" | cart/discount<br />
| colspan="1" | -<br />
| colspan="1" | currency<br />
| colspan="1" | Discount amount. By default - 0<br />
|-<br />
| colspan="1" | cart/totalCost<br />
| colspan="1" | Y<br />
| colspan="1" | currency<br />
| colspan="1" | Total payment amount. Must equal to a sum of cart/items/price * cart/items/quantity + cart/shippingCost + cart/taxCost - cart/discount<br />
|-<br />
| colspan="1" | cart/description<br />
| colspan="1" | -<br />
| colspan="1" | string, 65536<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/merchantEmail<br />
| colspan="1" | Y<br />
| colspan="1" | email, 255<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | cart/forceTransactionType<br />
| colspan="1" | -<br />
| colspan="1" | one of values: A or S or empty <br />A - authorize <br />S - sale<br />
| colspan="1" | A flag of forced Sale or Authorize operation. Overrides the setting from the payment configuration. If the value is empty or the field is omitted, the operation is performed according to the payment configuration settings.<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|-<br />
| colspan="1" | template <br />(''supported by API 1.3 and later'')<br />
| colspan="1" | N<br />
| colspan="1" | string<br />
| colspan="1" | The name of a template in X-Payments requested by the store. Forces the use of the specified template for the payment. If the string passed in this field does not match any template available in X-Payments, it will be ignored.<br />
|-<br />
| colspan="1" | saveCard <br />(''supported by API 1.3 and later'')<br />
| colspan="1" | N<br />
| colspan="1" | string<br />
| colspan="1" | Customer's choice at checkout (“Y” if customer would like to save the card)<br />
|-<br />
| colspan="1" | cart/kountCustomerUniq <br />(''supported by API 1.6 and later'')<br />
| colspan="1" | N<br />
| colspan="1" | string, 32<br />
| colspan="1" | This field is a unique customer identifier in the Kount system, which is send as a UNIQ field.<br />
|}<br />
<br /><br />
'''List of template names in X-Payments 2.1.x (API v1.3)''':<br />
:* '''default''': A template for the separate page. Used if the payment form is displayed on a separate page of your checkout process (not iframe).<br />
:* '''fast''': Iframe for X-Cart 4 Fast Lane Checkout. Used for X-Cart 4 with the Fast Lane Checkout module. The payment form is displayed at the last step of the checkout process.<br />
:* '''lite''': Iframe for X-Cart 4 One Page Checkout. Used for X-Cart 4 with the One Page Checkout module. The payment form is displayed in the payment section at checkout.<br />
:* '''magento_iframe''': Iframe for Magento. Use this template for Magento and iframe.<br />
:* '''mobile''': Template for mobile devices. Used with the X-Cart Mobile module.<br />
:* '''xc5''': Iframe for X-Cart 5. Used for X-Cart 5 and iframe.<br />
<br />
===Request example===<br />
<br />
<pre><br />
<confId>8</confId><br />
<refId>1120</refId><br />
<cart><br />
<login>customer</login><br />
<billingAddress><br />
<firstname>John</firstname><br />
<lastname>Smith</lastname><br />
<address>10 Main street</address><br />
<city>Fillmore</city><br />
<state>UT</state><br />
<country>US</country><br />
<zipcode>84631</zipcode><br />
<company>IQ testing</company><br />
<email>bit-bucket@x-cart.com</email><br />
<phone>927348572</phone><br />
<fax></fax><br />
</billingAddress><br />
<shippingAddress><br />
<firstname>John</firstname><br />
<lastname>Smith</lastname><br />
<address>10 Main street</address><br />
<city>Fillmore</city><br />
<state>UT</state><br />
<country>US</country><br />
<zipcode>84631</zipcode><br />
<company>IQ testing</company><br />
<email>bit-bucket@x-cart.com</email><br />
<phone>927348572</phone><br />
<fax></fax><br />
</shippingAddress><br />
<items type="cell"><br />
<sku>SKU17513</sku><br />
<name>Three Stone Princess Cut Diamond Ring</name><br />
<price>399.99</price><br />
<quantity>1</quantity><br />
</items><br />
<currency>USD</currency><br />
<shippingCost>15</shippingCost><br />
<taxCost>0</taxCost><br />
<discount>0</discount><br />
<totalCost>414.99</totalCost><br />
<description>Order(s) #1120</description><br />
<merchantEmail>bit-bucket@x-cart.com</merchantEmail><br />
<forceTransactionType></forceTransactionType><br />
</cart><br />
<returnUrl>https://example.com/xcart/payment/cc_xpc.php</returnUrl><br />
<callbackUrl>https://example.com/xcart/payment/cc_xpc.php</callbackUrl><br />
<language>ru</language><br />
<target>payment</target><br />
<action>init</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | token<br />
| colspan="1" | string,32<br />
| colspan="1" | Temporary payment token, expires immediately after the customer has submitted the cardholder data form<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | string,32<br />
| colspan="1" | A unique payment ID. Is used for all further requests to this payment through the API.<br />
|}<br />
<br />
===Response example===<br />
<br />
<pre><br />
<data><br />
<token>41b2ef3b34698d4f6ed73151ae7307d2</token><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
==Redirecting a customer to the cardholder data entering page==<br />
<br />
A POST form is created that sends data to the URL <XPayments_web_root>/payment.php; the form contains the following fields:<br />
<br />
* target - has the value "main";<br />
* token - uses the value from the token field received in the response to the payment initialisation request.<br />
<br />
Request protocol - HTTPS <br /><br />
The form must be sent by the POST method. All data must also be sent as POST variables.<br />
<br />
==Payment information request==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal get_info<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | refresh<br />
| colspan="1" | N<br />
| colspan="1" | 0 или 1<br />
| colspan="1" | A flag specifying that the data in X-Payments must be overwritten by the data from the payment gateway. By default - 0<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<refresh>0</target><br />
<target>payment</target><br />
<action>get_info</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Payment status codes|Payment status code]]<br />
|-<br />
| colspan="1" | message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Human readable message containing the payment status<br />
|-<br />
| colspan="1" | isFraudStatus<br />
| colspan="1" | 0 or 1<br />
| colspan="1" | Means that the payment is blocked by the gateway, because the customer has not passed the gateway security check<br />
|-<br />
| colspan="1" | currency<br />
| colspan="1" | string, 3<br />
| colspan="1" | Payment currency code<br />
|-<br />
| colspan="1" | amount<br />
| colspan="1" | currency<br />
| colspan="1" | Payment total<br />
|-<br />
| colspan="1" | authorized<br />
| colspan="1" | currency<br />
| colspan="1" | Authorized payment total<br />
|-<br />
| colspan="1" | chargedAmount<br />
| colspan="1" | currency<br />
| colspan="1" | Charged payment total<br />
|-<br />
| colspan="1" | capturedAmount<br />
| colspan="1" | currency<br />
| colspan="1" | Captured amount of the authorized amount<br />
|-<br />
| colspan="1" | capturedAmountAvail<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that is authorized and can be captured<br />
|-<br />
| colspan="1" | voidedAmount<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that is authorized but voided<br />
|-<br />
| colspan="1" | voidedAmountAvail<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that is authorized and can be voided<br />
|-<br />
| colspan="1" | refundedAmount<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that can be refunded<br />
|-<br />
| colspan="1" | refundedAmountAvail<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that can be refunded<br />
|-<br />
| colspan="1" | fraudAuthorized<br />
| colspan="1" | currency<br />
| colspan="1" | A part of the authorized amount that was blocked by the gateway because the customer had not passed the gateway security check<br />
|-<br />
| colspan="1" | fraudCharged<br />
| colspan="1" | currency<br />
| colspan="1" | A part of the charged amount that was blocked by the gateway because the customer had not passed the gateway security check<br />
|-<br />
| colspan="1" | authorizeInProgress<br />
| colspan="1" | currency<br />
| colspan="1" | A part of the authorized amount that is being handled by the gateway<br />
|-<br />
| colspan="1" | chargeInProgress<br />
| colspan="1" | currency<br />
| colspan="1" | A part of the charged amount that is being handled by the gateway<br />
|-<br />
| colspan="1" | transactionInProgress<br />
| colspan="1" | 0 или 1<br />
| colspan="1" | Are there any payment transactions handled by the gateway?<br />
|-<br />
| colspan="1" | capturedAmountAvailMin<br />
| colspan="1" | currency<br />
| colspan="1" | Minimum amount that can be captured from the authorized amount<br />
|-<br />
| colspan="1" | capturedAmountAvailGateway<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that can be captured from the authorized amount through the gateway<br />
|-<br />
| colspan="1" | capturedAmountAvailMinGateway<br />
| colspan="1" | currency<br />
| colspan="1" | Minimum amount that can be captured from the authorized amount through the gateway<br />
|-<br />
| colspan="1" | voidedAmountAvailGateway<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that can be voided from the authorized amount through the gateway<br />
|-<br />
| colspan="1" | refundedAmountAvailGateway<br />
| colspan="1" | currency<br />
| colspan="1" | Amount that can be refunded from the authorized amount through the gateway<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | lastMessage<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Last gateway message<br />
|-<br />
| colspan="1" | error<br />
| colspan="1" | string, 128<br />
| colspan="1" | Error code<br />
|-<br />
| colspan="1" | error_message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Error message<br />
|}<br />
<br />
{{Note|Fields ending in "Gateway" contain amounts that can be used in transactions through the gateway. For example, if a sum of $100 was authorized, and then a capture transaction was emulated for $100, the next refund operation will be available in the emulation mode only. The value of the refundedAmountAvailGateway field will be equal to 0.}}<br />
<br />
===Response example===<br />
<br />
<pre><br />
<data><br />
<status>2</status><br />
<message>Payment is authorized</message><br />
<isFraudStatus></isFraudStatus><br />
<currency>USD</currency><br />
<amount>414.99</amount><br />
<authorized>414.99</authorized><br />
<chargedAmount>0.00</chargedAmount><br />
<capturedAmount>0.00</capturedAmount><br />
<capturedAmountAvail>414.99</capturedAmountAvail><br />
<voidedAmount>0.00</voidedAmount><br />
<voidedAmountAvail>414.99</voidedAmountAvail><br />
<refundedAmount>0.00</refundedAmount><br />
<refundedAmountAvail>0.00</refundedAmountAvail><br />
<fraudAuthorized>0.00</fraudAuthorized><br />
<fraudCharged>0.00</fraudCharged><br />
<authorizeInProgress>0.00</authorizeInProgress><br />
<chargeInProgress>0.00</chargeInProgress><br />
<transactionInProgress></transactionInProgress><br />
<capturedAmountAvailMin>0.00</capturedAmountAvailMin><br />
<capturedAmountAvailGateway>414.99</capturedAmountAvailGateway><br />
<capturedAmountAvailMinGateway>0.00</capturedAmountAvailMinGateway><br />
<voidedAmountAvailGateway>414.99</voidedAmountAvailGateway><br />
<refundedAmountAvailGateway>0.00</refundedAmountAvailGateway><br />
<txnId>8e67e0da23ce7ed451b2c1adbbd7373c</txnId><br />
<lastMessage>Success</lastMessage><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
==Detailed payment and transaction information request==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal get_additional_info<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | A unique payment ID received in the payment initialisation request response<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<target>payment</target><br />
<action>get_additional_info</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | payment<br />
| colspan="1" | container<br />
| colspan="1" | Payment information request response<br />
|-<br />
| colspan="1" | transactions<br />
| colspan="1" | container<br />
| colspan="1" | Transaction list<br />
|-<br />
| colspan="1" | transactions/date<br />
| colspan="1" | integer, 11<br />
| colspan="1" | Transaction date (Unix timestamp)<br />
|-<br />
| colspan="1" | transactions/action<br />
| colspan="1" | string, 255<br />
| colspan="1" | Transaction name<br />
|-<br />
| colspan="1" | transactions/status<br />
| colspan="1" | string, 255<br />
| colspan="1" | Transaction status<br />
|-<br />
| colspan="1" | transactions/message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Gateway transaction message<br />
|-<br />
| colspan="1" | transactions/total<br />
| colspan="1" | string, 32<br />
| colspan="1" | Transaction amount and currency<br />
|-<br />
| colspan="1" | transactions/txnid<br />
| colspan="1" | string, 255<br />
| colspan="1" | Gateway transaction unique ID<br />
|-<br />
| colspan="1" | transactions/payment_status<br />
| colspan="1" | string, 255<br />
| colspan="1" | The payment status after the transaction<br />
|-<br />
| colspan="1" | transactions/fields<br />
| colspan="1" | container<br />
| colspan="1" | Transaction additional fields list<br />
|-<br />
| colspan="1" | transactions/fields/name<br />
| colspan="1" | string, 255<br />
| colspan="1" | Field name<br />
|-<br />
| colspan="1" | transactions/fields/name<br />
| colspan="1" | string, 255<br />
| colspan="1" | Field value<br />
|-<br />
| colspan="1" | payment/cardValidation <br />(API 1.5 and later)<br />
| colspan="1" | container<br />
| colspan="1" | container for Address validation system (AVS)<br />
|-<br />
| colspan="1" | payment/cardValidation/avs_z <br />(API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Flag for AVS ZIP-code ("0" - unknown, "1" - matches, "2" - does not match)<br />
|-<br />
| colspan="1" | payment/cardValidation/avs_c (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Flag for AVS cardholder name ("0" - unknown, "1" - matches, "2" - does not match)<br />
|-<br />
| colspan="1" | payment/cardValidation/avs_a (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Flag for AVS street address ("0" - unknown, "1" - matches, "2" - does not match)<br />
|-<br />
| colspan="1" | payment/cardValidation/cvv (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Flag for CVV/CVV2/CVD ("0" - unknown, "1" - matches, "2" - does not match)<br />
|-<br />
| colspan="1" | payment/maskedCardData (API 1.5 and later)<br />
| colspan="1" | container<br />
| colspan="1" | container for Credit Card details (which are allowed to store and display by PA-DSS)<br />
|-<br />
| colspan="1" | payment/maskedCardData/first6 (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | First six digits of the credit card number<br />
|-<br />
| colspan="1" | payment/maskedCardData/last4 (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Last four digits of the credit card number<br />
|-<br />
| colspan="1" | payment/maskedCardData/type (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Credit card type: VISA, MC, AMEX, etc<br />
|-<br />
| colspan="1" | payment/maskedCardData/expire_month (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Credit card expiration month<br />
|-<br />
| colspan="1" | payment/maskedCardData/expire_year (API 1.5 and later)<br />
| colspan="1" | string<br />
| colspan="1" | Credit card expiration year<br />
|}<br />
<br />
===Response example===<br />
<br />
<pre><br />
<data><br />
<payment><br />
<status>2</status><br />
<message>Payment is authorized</message><br />
<isFraudStatus>1</isFraudStatus><br />
<currency>USD</currency><br />
<amount>10.61</amount><br />
<authorized>10.61</authorized><br />
<chargedAmount>0.00</chargedAmount><br />
<capturedAmount>0.00</capturedAmount><br />
<capturedAmountAvail>10.61</capturedAmountAvail><br />
<voidedAmount>0.00</voidedAmount><br />
<voidedAmountAvail>10.61</voidedAmountAvail><br />
<refundedAmount>0.00</refundedAmount><br />
<refundedAmountAvail>0.00</refundedAmountAvail><br />
<fraudAuthorized>0.00</fraudAuthorized><br />
<fraudCharged>0.00</fraudCharged><br />
<authorizeInProgress>0.00</authorizeInProgress><br />
<chargeInProgress>0.00</chargeInProgress><br />
<advinfo><br />
<Message></Message><br />
<Response code>1</Response><br />
<txn_id>6583</txn_id><br />
<Authorization number>ET154399</Authorization><br />
<AVS>5: Cardholder name incorrect, billing address and postal code match</AVS><br />
<Bank message>Approved</Bank><br />
<Bank response code>100</Bank><br />
<CVV2>M: CVV2 / CVC2/CVD Match.</CVV2><br />
<Processing status>Transaction Normal</Processing><br />
<Transarmor Token>8393008475641111</Transarmor><br />
<[Kount] 702650>Distance from Device to Billing &gt; 1000km</[Kount] 702650><br />
<[Kount] 702656>Billing Country not equal to BIN Country (Visa/MC)</[Kount] 702656><br />
<[Kount] 702662>Billing Country not equal to Device Country</[Kount] 702662><br />
<[Kount] Auto>R</[Kount] Auto><br />
<[Kount] Errors></[Kount] Errors><br />
<[Kount] Score>26</[Kount] Score><br />
<[Kount] Transaction ID>3Z7903KDCTT0</[Kount] Transaction ID><br />
<[Kount] Warnings></[Kount] Warnings><br />
</advinfo><br />
<transactionInProgress></transactionInProgress><br />
<capturedAmountAvailMin>0.00</capturedAmountAvailMin><br />
<capturedAmountAvailGateway>10.61</capturedAmountAvailGateway><br />
<capturedAmountAvailMinGateway>0.00</capturedAmountAvailMinGateway><br />
<voidedAmountAvailGateway>10.61</voidedAmountAvailGateway><br />
<refundedAmountAvailGateway>0.00</refundedAmountAvailGateway><br />
<cardValidation><br />
<avs_z>1</avs_z><br />
<avs_c>2</avs_c><br />
<avs_a>1</avs_a><br />
<cvv>1</cvv><br />
</cardValidation><br />
<maskedCardData><br />
<first6>411111</first6><br />
<last4>1111</last4><br />
<type>VISA</type><br />
<expire_month>03</expire_month><br />
<expire_year>2020</expire_year><br />
</maskedCardData><br />
</payment><br />
<transactions type="cell"><br />
<date>1438098759</date><br />
<action>Authorize</action><br />
<status>Success</status><br />
<message>Transaction Normal</message><br />
<total>10.61 USD</total><br />
<txnid>57629270</txnid><br />
<fields type="cell"><br />
<name>Authorization number</name><br />
<value>ET154399</value><br />
</fields><br />
<fields type="cell"><br />
<name>AVS</name><br />
<value>5: Cardholder name incorrect, billing address and postal code match</value><br />
</fields><br />
<fields type="cell"><br />
<name>Bank message</name><br />
<value>Approved</value><br />
</fields><br />
<fields type="cell"><br />
<name>Bank response code</name><br />
<value>100</value><br />
</fields><br />
<fields type="cell"><br />
<name>CVV2</name><br />
<value>M: CVV2 / CVC2/CVD Match.</value><br />
</fields><br />
<fields type="cell"><br />
<name>Processing status</name><br />
<value>Transaction Normal</value><br />
</fields><br />
<fields type="cell"><br />
<name>Transarmor Token</name><br />
<value>8393008475641111</value><br />
</fields><br />
<fields type="cell"><br />
<name>[Kount] 702650</name><br />
<value>Distance from Device to Billing &gt; 1000km</value><br />
</fields><br />
<fields type="cell"><br />
<name>[Kount] 702656</name><br />
<value>Billing Country not equal to BIN Country (Visa/MC)</value><br />
</fields><br />
<fields type="cell"><br />
<name>[Kount] 702662</name><br />
<value>Billing Country not equal to Device Country</value><br />
</fields><br />
<fields type="cell"><br />
<name>[Kount] Auto</name><br />
<value>R</value><br />
</fields><br />
<fields type="cell"><br />
<name>[Kount] Score</name><br />
<value>26</value><br />
</fields><br />
<fields type="cell"><br />
<name>[Kount] Transaction ID</name><br />
<value>3Z7903KDCTT0</value><br />
</fields><br />
<payment_status>Charged</payment_status><br />
</transactions><br />
<error></error><br />
<error_message></error_message><br />
<is_error_message></is_error_message><br />
<version>2.2.0</version><br />
</data><br />
</pre><br />
<br />
<br /><br />
''The following pertains to API 1.5 and later:''<br /><br />
If the transaction was checked by Kount antifraud screening service, the "advinfo" and "tansaction/fields" containers contain information of kount results. The field names related to Kount start with the [Kount] prefix. The information can be extracted as follows:<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1"| [Kount] %%%%%, where %%%%% is some number<br />
| colspan="1"| triggered rule, the number is the number of this rule<br />
|-<br />
| colspan="1"| [Kount] Auto<br />
| colspan="1"| The status of the transaction in Kount ("R" - review, "D" - declined, "A" - approved)<br />
|-<br />
| colspan="1"| [Kount] Errors<br />
| colspan="1"| list of errors (if any)<br />
|-<br />
| colspan="1"| [Kount] Warnings: <br />
| colspan="1"| list of warnings (if any)<br />
|-<br />
| colspan="1"| [Kount] Score<br />
| colspan="1"| Risk score<br />
|-<br />
| colspan="1"| [Kount] Transaction ID<br />
| colspan="1"| Transaction ID in Kount, can be used to display the direct link to the transaction in Kount, https://awc.test.kount.net/workflow/detail.html?id=%%%%%% for test mode or https://awc.kount.net/workflow/detail.html?id=%%%%%%, where %%%%% should be replaced with the transaction ID<br />
|}<br />
<br /><br />
<br />
==Capture authorized transaction request==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string,128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal capture<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | amount<br />
| colspan="1" | N<br />
| colspan="1" | currency<br />
| colspan="1" | The amount to capture from the previously authorized transaction. By default equals the amount of the authorized transaction<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
<br />
=== Request example ===<br />
<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<amount>50.00</amount><br />
<target>payment</target><br />
<action>capture</action><br />
</pre><br />
<br />
===Response example===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Operation status codes|Operation status code]]<br />
|-<br />
| colspan="1" | message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Gateway transaction message<br />
|}<br />
<br />
Response example <pre><data><br />
<status>1</status><br />
<message>Success</message><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
==Void authorized transaction request==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal void<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | amount<br />
| colspan="1" | N<br />
| colspan="1" | currency<br />
| colspan="1" | Amount to void of the authorized transaction. By default equals to the amount of the authorized transaction<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<amount>50.00</amount><br />
<target>payment</target><br />
<action>void</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Operation status codes|Operation status code]]<br />
|-<br />
| colspan="1" | message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Gateway transaction message<br />
|}<br />
<br />
===Response example===<br />
<br />
<pre><br />
<data><br />
<status>1</status><br />
<message>Success</message><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
==Refund captured transaction request==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal capture<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | amount<br />
| colspan="1" | N<br />
| colspan="1" | currency<br />
| colspan="1" | Amount to be refunded to the customer of the previously captured transactions. By default equals to the amount of captured transactions<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<amount>50.00</amount><br />
<target>payment</target><br />
<action>refund</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Operation status codes|Operation status code]]<br />
|-<br />
| colspan="1" | message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Gateway transaction message<br />
|}<br />
<br />
===Response example===<br />
<br />
<pre><data><br />
<status>1</status><br />
<message>Success</message><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
==Blocked by gateway transaction accept request (Accept)==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal accept<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<target>payment</target><br />
<action>accept</action><br />
</pre><br />
<br />
===Response example===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Operation status codes|Operation status code]]<br />
|-<br />
| colspan="1" | message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Gateway transaction message<br />
|}<br />
<br />
Response example <pre><data><br />
<status>1</status><br />
<message>Success</message><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
==Blocked by gateway transaction decline request (Decline)==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal decline<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<target>payment</target><br />
<action>decline</action><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Operation status codes|Operation status code]]<br />
|-<br />
| colspan="1" | message<br />
| colspan="1" | string, 65536<br />
| colspan="1" | Gateway transaction message<br />
|}<br />
<br />
===Response example===<br />
<br />
<pre><br />
<data><br />
<status>1</status><br />
<message>Success</message><br />
<error></error><br />
<error_message></error_message><br />
</data><br />
</pre><br />
<br />
<br />
==Charge again transaction request (Tokenization)==<br />
<br />
===Request specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | target<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal payment<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | Y<br />
| colspan="1" | string, 128<br />
| colspan="1" | Must equal recharge<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | Y<br />
| colspan="1" | string, 32<br />
| colspan="1" | Unique payment ID which references the token that will be used to identify the payment on the side of the payment gateway<br />
|-<br />
| colspan="1" | amount<br />
| colspan="1" | Y<br />
| colspan="1" | currency<br />
| colspan="1" | The amount for which the "saved" card is to be charged using the token from the previous successful transaction<br />
|-<br />
| colspan="1" | description<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Description of the transaction<br />
|-<br />
| colspan="1" | api_version<br />
| colspan="1" | Y<br />
| colspan="1" | string<br />
| colspan="1" | Must equal one of the following: 1.2, 1.3, 1.4, 1.5 etc.<br />
|-<br />
| colspan="1" | refId (supported by API 1.4 and later)<br />
| colspan="1" | N<br />
| colspan="1" | string, 128<br />
| colspan="1" | Order ID in the online store<br />
|}<br />
<br />
===Request example===<br />
<br />
<pre><br />
<txnId>e7f398cee98ec062abac0d2c937da181</txnId><br />
<amount>50.00</amount><br />
<description>Recurring payment for the new issue of Playboy</description><br />
<target>payment</target><br />
<action>recharge</action><br />
<api_version>1.2</api_version><br />
</pre><br />
<br />
===Response specification===<br />
<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | integer, 1<br />
| colspan="1" | [[#Operation status codes|Operation status code]]<br />
|-<br />
| colspan="1" | data<br />
| colspan="1" | array<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | data[status]<br />
| colspan="1" | integer<br />
| colspan="1" | Status of the new payment (See [[#Payment status codes|Payment status codes]])<br />
|-<br />
| colspan="1" | data[transaction_id]<br />
| colspan="1" | string<br />
| colspan="1" | ID of the created payment for further references (capture/void/refund etc)<br />
|-<br />
| colspan="1" | data[error]<br />
| colspan="1" | string<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | data[error_message]<br />
| colspan="1" | string<br />
| colspan="1" |<br />
|-<br />
| colspan="1" | data[is_error_message]<br />
| colspan="1" | string<br />
| colspan="1" |<br />
|}<br />
<br /><br /><br />
<br />
==Callback request with service payment information==<br />
<br />
This is a background request that X-Payments sends to the store after a payment has been completed and it’s result (accepted, declined, etc) has been received from the payment gateway. The request is sent via HTTP POST to the callbackURL defined in the Payment initialisation request. Once this request has been sent, the customer is redirected back to the store.<br />
<br />
===POSTed data===<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Value'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | callback<br />
| colspan="1" | fixed string<br />
| colspan="1" | Identifies the callback request<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | (mixed)<br />
| colspan="1" | string (MD5 hash)<br />
| colspan="1" | A unique ID of the payment on the side of X-Payments<br />
|-<br />
| colspan="1" | updateData<br />
| colspan="1" | (mixed)<br />
| colspan="1" | string<br />
| colspan="1" | Encrypted response from X-Payments<br />
|}<br />
<br />
X-Payments does not expect a response from the store for this request; however, if the HTTP status of the response is not 200 OK, the request is considered failed, and a special notification is sent to the X-Payments admin. The store needs to decrypt the encrypted part of the response and update the order on its side accordingly. Once the updateData value has been decrypted, it is an XML document with the same structure as the [[X-Payments:API#Response_specification_2|response for Payment information request]].<br />
<br /><br /><br />
<br />
==Check cart callback request==<br />
<br />
After the customer has submitted credit card data, right before sending this data to the payment gateway, X-Payments connects to the store to verify the cart total and contents.<br />
<br />
The HTTP POST request is sent to the '''callbackURL''' defined in the '''Payment initialisation request'''.<br />
<br />
===POSTed data===<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Value'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | action<br />
| colspan="1" | check_cart<br />
| colspan="1" | fixed string<br />
| colspan="1" | Identifies the check-cart callback request<br />
|-<br />
| colspan="1" | txnId<br />
| colspan="1" | (mixed)<br />
| colspan="1" | string (MD5 hash)<br />
| colspan="1" | A unique ID of the payment on the side of X-Payments<br />
|-<br />
| colspan="1" | refId<br />
| colspan="1" | (mixed)<br />
| colspan="1" | string<br />
| colspan="1" | Order ID (or any other reference) in the online store<br />
|}<br />
<br /><br />
As of API v1.3, the store must respond to this callback request. The response must be an encrypted XML document (i.e. the same way as for other communication between the store and X-Payments).<br />
<br />
===Encrypted response for check-cart callback request===<br />
{| cellspacing="0" cellpadding="2" border="1"<br />
| colspan="1" | '''Field'''<br />
| colspan="1" | '''Required'''<br />
| colspan="1" | '''Type'''<br />
| colspan="1" | '''Description'''<br />
|-<br />
| colspan="1" | status<br />
| colspan="1" | Y<br />
| colspan="1" | fixed string<br />
| colspan="1" | Should be “cart-changed” or "cart-not-changed"<br />
|-<br />
| colspan="1" | cart<br />
| colspan="1" | Y<br />
| colspan="1" | container<br />
| colspan="1" | A container with cart/order description. See [[X-Payments:API#Request_specification|Payment initialisation request specification]] for details. This container must be included for "status = cart-changed" and is not necessary for "status = cart-not-changed"<br />
|-<br />
| colspan="1" | saveCard<br />
| colspan="1" | N<br />
| colspan="1" | string<br />
| colspan="1" | Whether the customer has chosen to save their card for future use (“Y” if the customer would like to save the card)<br />
|}<br />
<br /><br /><br />
<br />
==Communication between X-Payments iframe and the store==<br />
<br />
===Communication structure===<br />
Communication between the online store (parent frame) and X-Payments (iframe) is implemented with the help of the javascript Window.postMessage method. Notifictions to both the sides represent stringified JSON formatted texts that consist of a service message (string) and an optional list of parameters:<br />
:* '''height''': height of the iframe<br />
:* '''error''': human readable message<br />
:* '''type''': message type. X-Payments sends it as 2, which indicates that the online store should re-initialize the payment. In API v1.3 no other values are supported.<br />
<br />
===Messages sent from the online store to X-Payments===<br />
'''Submit payment form'''<br /><br />
X-Payments’ iframe does not have a Submit button, so instead of it the payment form should be submitted from the parent window by any kind of “Submit order” or “Place order” button at checkout. At the same time, the special message '''submitPaymentForm''' with no parameters should be sent.<br />
-----------------------------------------------------------<br />
{<br />
:::message: 'submitPaymentForm',<br />
:::params: {}<br />
}<br />
-----------------------------------------------------------<br />
<br />
<br /><br /><br />
===Messages sent from X-Payments to the online store===<br />
'''Iframe is loaded and ready'''<br /><br />
The message ready notifies the parent window that the payment form is ready. The actual height of the iframe is included in the parameters, so the parent window (checkout page) can perform the necessary adjustments.<br />
-----------------------------------------------------------<br />
{<br />
:::message: 'ready',<br />
:::params: {<br />
::::::height: $(document).height()<br />
:::}<br />
}<br />
-----------------------------------------------------------<br />
<br /><br />
'''Payment form submitted with an error'''<br /><br />
The message '''paymentFormSubmitError''' with no parameters is sent in the case of any validation error. This may be the case, for example, if the customer’s credit card expiration date is in the past, or the credit card number does not match the card type (e.g. VISA, MasterCard), or when a required field has not been submitted (e.g. CVV2). Once the message '''paymentFormSubmitError''' with no parameters has been received, the store should not proceed to the next step of the checkout process, but should expect the payment form to be submitted again.<br />
-----------------------------------------------------------<br />
{<br />
:::message: 'paymentFormSubmitError',<br />
:::params: {}<br />
}<br />
-----------------------------------------------------------<br />
<br /><br />
'''Internal error'''<br /><br />
The '''paymentFormSubmitError''' message with a special set of parameters is used to notify the store if something is wrong outside X-Payments, and X-Payments cannot do anything about it (for example, if the payment gateway has sent an unknown/unexpected piece of data).<br />
-----------------------------------------------------------<br />
{<br />
:::message: 'paymentFormSubmitError',<br />
:::params: {<br />
::::::height: $(document).height(),<br />
::::::error: 'Internal error',<br />
::::::type: '2'<br />
:::}<br />
}<br />
-----------------------------------------------------------<br />
<br /><br />
'''Session is expired'''<br /><br />
For security reasons the length of the session is limited to 15 minutes. After this period the store has to re-initialize the payment. In this case X-Payments sends the '''paymentFormSubmitError''' message with the “Payment session expired” error.<br />
-----------------------------------------------------------<br />
{<br />
:::message: 'paymentFormSubmitError',<br />
:::params: {<br />
::::::height: $(document).height(),<br />
::::::error: 'Payment session expired',<br />
::::::type: '2'<br />
:::}<br />
}<br />
-----------------------------------------------------------<br />
<br /><br />
'''Payment form in Iframe is submitted''' (supported by API v1.4 and later)<br /><br />
The message '''paymentFormSubmit''' notifies the parent window that the payment form has been submitted from the X-Payments side; for example, if a customer clicks the Enter key inside the iframe. Once the store receives this message, it should operate in the same way as though the customer has clicked the Place order button at checkout.<br />
-----------------------------------------------------------<br />
{<br />
:::message: 'paymentFormSubmit',<br />
:::params: {}<br />
}<br />
<br />
-----------------------------------------------------------<br />
<br /><br /><br />
<br />
==Appendix A. Status codes.==<br />
<br />
===Payment status codes===<br />
: 1 - New<br />
: 2 - Authorized<br />
: 3 - Declined<br />
: 4 - Charged<br />
: 5 - Refunded<br />
: 6 - Partially refunded<br />
<br />
===Operation status codes===<br />
: 0 - transaction failed<br />
: 1 - transaction is successful<br />
: 2 - transaction is successful and is duplicate<br />
<br />
<br />
<br />
==See also==<br />
<br />
* [http://lu53.crtdev.local/%7Emixon/google-cache-w.php?q=/index.php?title=X-Cart:X-Payments_Connector X-Cart:X-Payments Connector]<br />
<br />
[[Category:X-Payments Developer Guide]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PCI_DSS_implementation_guide_for_X-Payments_2.2&diff=500X-Payments:PCI DSS implementation guide for X-Payments 2.22015-12-17T12:03:29Z<p>Alex “Ambal” Mulin: /* X-Cart Payments versioning policy */</p>
<hr />
<div>== Introduction ==<br />
<br />
This guide covers '''X-Cart Payments''' 1.0, 2.0, 2.1, 2.2 and is intended for merchants and integrators who wish to implement the application in accordance with guidelines set by the PCI Data Security Standard (PCI DSS).<br />
<br />
== X-Cart Payments versioning policy ==<br />
<br />
X-Cart Payments version number must look like "X.Y.Z" (e.g. 1.0.6, 2.0.1, 2.2.1, 3.0.0), where<br />
<br />
* X - major release version number that gets incremented when high impact changes are introduced and certified under PA-DSS requirements;<br />
* Y - minor release version number that gets incremented when low impact changes are added to X-Cart Payments package;<br />
* Z - maintenance/bug-fix release version number that gets incremented when no impact changes are done to X-Cart Payments package.<br />
<br />
== PCI DSS ==<br />
<br />
PCI DSS specifies 12 requirements broken into 6 groups for compliance that apply both to hardware and software parts of the system that is used to collect, store, transmit and process valuable credit card data as well as the human factor.<br />
<br />
{| border<br />
| Build and Maintain a Secure Network<br />
|<br />
<br />
* Requirement 1: Install and maintain a firewall configuration to protect cardholder data<br />
* Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters<br />
|-<br />
| Protect Cardholder Data<br />
|<br />
<br />
* Requirement 3: Protect stored cardholder data<br />
* Requirement 4: Encrypt transmission of cardholder data across open, public networks<br />
|-<br />
| Maintain a Vulnerability Management Program<br />
|<br />
<br />
* Requirement 5: Use and regularly update anti-virus software<br />
* Requirement 6: Develop and maintain secure systems and applications<br />
|-<br />
| Implement Strong Access Control Measures<br />
|<br />
<br />
* Requirement 7: Restrict access to cardholder data by business need-to-know<br />
* Requirement 8: Assign a unique ID to each person with computer access<br />
* Requirement 9: Restrict physical access to cardholder data<br />
|-<br />
| Regularly Monitor and Test Networks<br />
|<br />
<br />
* Requirement 10: Track and monitor all access to network resources and cardholder data<br />
* Requirement 11: Regularly test security systems and processes<br />
|-<br />
| Maintain an Information Security Policy<br />
|<br />
<br />
* Requirement 12: Maintain a policy that addresses information security<br />
|}<br />
<br />
Specifically, relevant elements to an e-commerce business' PCI compliance status include:<br />
<br />
* Properly using your payment application. For this purpose, carefully review the section below for information on how to use '''X-Cart Payments''' in a way that ensures PCI compliance.<br />
<br />
* Using a PCI compliant Web hosting environment<br />
<br />
* Using a PCI compliant payment provider<br />
<br />
You can find and review the complete specification by visiting [https://www.pcisecuritystandards.org/ https://www.pcisecuritystandards.org/]<br />
<br />
This guide is intended to help merchants implement the '''X-Cart Payments''' application in a way that is compliant with version 2.0 of the PCI DSS.<br />
<br />
== Payment Card Industry Data Security Standard ('''PCI DSS''') ==<br />
<br />
The Payment Card Industry Data Security Standard is a worldwide information security standard assembled by the major credit card vendors, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was designed to help organizations involved in processing credit card payments online make their payment systems secure from cardholder data fraud.<br />
<br />
'''X-Cart Payments''' has been designed and certified to meet all of the requirements of the '''PA-DSS''' version 2.0. This does not automatically make you, the merchant, PCI DSS compliant. To ensure PCI DSS compliance, it is necessary that you follow the recommendations and instructions provided in this guide.<br />
<br />
For additional information about '''PCI DSS''' please visit the [https://www.pcisecuritystandards.org Official PCI Security Standards Council Site].<br />
<br />
== Cardholder data storage==<br />
<br />
'''X-Cart Payments''' has [[X-Payments:General_settings#Cardholder_Data | the ability to store parts of cardholder data temporarily]] for performing 3D Secure verification and certain types of transactions for some of the integrated payment processors. While stored cardholder data is encrypted using special [[X-Payments:Encryption_keys | cryptographic algorithm]]. The data is removed automatically when its storing period is over using "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks.<br />
<br />
'''X-Cart Payments''' can not be configured to store permanently in the database the following types of data:<br />
<br />
* unmasked PAN<br />
* PIN<br />
* CVV<br />
* magnetic stripe (track data)<br />
<br />
Merchants and/or developers implementing '''X-Cart Payments''' should not attempt to customize this as a feature.<br />
<br />
'''X-Cart Payments''' can display masked PAN on "Payment details" pages and in "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. '''X-Cart Payments''' does not have the ability to display full PAN anywhere and there are no settings that can change this behavior of the user interface.<br />
<br />
==Configuring and using '''X-Cart Payments''' in PCI compliant manner ==<br />
<br />
===Installation===<br />
<br />
Follow the [[X-Payments:Installation | standard procedure]] for deployment of X-Cart Payments files to the web server.<br />
<br />
{{Note1|Once installed, X-Cart Payments WILL NEVER:<br/><br />
* store unmasked credit card numbers (PANs)<br />
* send credit card data or any other information to Qualiteam for debug purposes}}<br />
<br />
===Access control===<br />
<br />
There are no built-in/default user accounts in '''X-Cart Payments'''.<br />
You must carefully control access to '''X-Cart Payments'''. Follow these rules:<br />
<br />
* Restrict the number of employees who have access to '''X-Cart Payments''' to only those who have a business need.<br />
* Always provide unique usernames for each person who needs access.<br />
* Do not use system-default usernames and/or passwords<br />
* Web server must be run under a non-privileged user account. Application must access the database from a limited privilege user account.<br />
* All default user accounts use secure authentication mechanisms and password policy settings that comply with all the standard requirements:<br />
** user accounts inactive for more than 3 days are blocked<br />
** password lifetime is set to 30 days<br />
<br />
:: To set password lifetime:<br />
<br />
::# Login to '''X-Cart Payments'''<br />
::# Go to <u>Settings -> General Settings</u><br />
::# Enter the number of days the user account password will be valid for in the "User account password lifetime" field. The maximum allowed password lifetime is 90 days.<br />
<br />
:* minimum password length is 8 characters<br />
:* password must contain both lower and upper case characters and numbers<br />
:* the last 4 passwords must be unique<br />
:* user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password<br />
:* user is logged off after inactivity period of 10 minutes<br />
<br />
<div> Please note that changing default password policy settings will lead to breaking PCI DSS standard requirements.</div><br />
<br />
===Enabling SSL (Secure Socket Layer)===<br />
<br />
SSL protects data that is transmitted between a browser and your web server. It is critical that you have SSL enabled on your web server, and this should be among the first steps taken after installation.<br />
<br />
* Your web server must be configured to use TLS v1.2 protocols with strong encryption (128-bit or longer key is required)<br />
* You will need to have a certificate issued for your web domain. Read [http://help.qtmsoft.com/index.php?title=Instant_SSL_certificate guidelines on installing Comodo's Instant SSL certificates].<br />
<br />
If a web server does not have SSL enabled '''X-Cart Payments''' will not function or will be notifying users depending on '''allow_insecure_protocol''' parameter set in <u>config.ini.php</u> file (disabled by default).<br />
<br />
===Data Collected while Testing===<br />
<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments:<br />
<br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever collect credit card information to troubleshoot a problem that one of your customers is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access<br />
#* Only collect a limited amount of such data as needed to solve a specific problem<br />
#* Sensitive authentication data must be encrypted while stored. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Such data must be securely deleted immediately after use.<br />
<br />
===Encryption Key Management===<br />
<br />
As part of your PA DSS v3.1 requirements, encryption key must be changed annually (changing every 90 days is recommended). You should also change the key any time an employee with access to the key leaves your company. Always replace the key if you know or suspect it has been compromised by any means.<br />
<br />
To change the encryption keys:<br />
<br />
# Log in to '''X-Cart Payments'''<br />
# Go to <u>Maintenance -> Encryption keys</u><br />
# Click "Generate new keys"<br />
<br />
===Use unique user IDs and secure authentication to access PCs, servers and databases ===<br />
<br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords:<br />
<br />
# For your Web hosting account administration area (Web hosting account where your online store is hosted)<br />
# For FTP access to the Web server<br />
# For Remote Desktop Connection to the Web server (if available)<br />
# To connect to the MySQL server that contains your store data.<br />
<br />
The passwords for the accounts mentioned above must also meet the following requirements:<br />
<br />
* be at least 8 characters in length<br />
* contain both numbers and letters in lower and upper case<br />
* not coincide with any part of your email address<br />
* not coincide with any of the last four passwords you have used<br />
* have a lifetime of less than 90 days<br />
* account lockout threshold must be set to 6.<br />
* account lockout duration must be set to 30 minutes (or until unblocked by the administrator).<br />
* user must be logged off after 15 minutes of inactivity<br />
<br />
===Audit trails===<br />
<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. There is no option to disable audit logging. The log files are created in the <u>var/log/</u> directory. Make sure you restrict access to the log files by business need-to-know.<br />
<br />
The following types of activity are logged:<br />
<br />
* All actions taken by any individual with root or administrative privileges<br />
* Successes and failures of all individual accesses to application sections and functions<br />
<br />
* Initialization of the audit logs<br />
* User sign in and sign out.<br />
<br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to files access.log and error.log.<br />
<br />
Each log event includes:<br />
<br />
* Type of event<br />
* Date and time of event<br />
* Username and IP address<br />
* Success or failure indication<br />
* Action which led to the event<br />
<br />
* Component which led to the event<br />
<br />
There is also a meta-log which contains information about other log files being created.<br />
<br />
=== OS-level audit trails ===<br />
<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on server. This software should:<br />
<br />
* warn on a checksum change of any of X-Cart Payments source code files except of log file and database files<br />
* record any file writing operations related to X-Cart Payments files<br />
<br />
===Encrypting network traffic===<br />
<br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for:<br />
<br />
* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
* providing remote web-based access to the application<br />
<br />
If you use tools to remotely access the application, you should encrypt all communication using technologies such as TLS or IPSEC.<br />
<br />
As per PCI DSS requirement 4.2, cardholder data should never be sent unencrypted by e-mail, and X-Cart Payments does meet this requirement '''never''' sending cardholder data by e-mail or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br />
===Wireless communications===<br />
<br />
If you use wireless networking to access '''X-Cart Payments''', it is your responsibility to ensure your wireless security con figuration follows the PCI DSS requirements.<br />
<br />
* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
* Use with a minimum 104-bit encryption key and 24 bit-initialization value<br />
* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS<br />
* Rotate shared WEP keys quarterly (or automatically if the technology permits)<br />
* Rotate shared WEP keys whenever there are changes in personnel with access to keys<br />
* Restrict access based on media access cod e (MAC) address.<br />
* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br />
===Remote access===<br />
<br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time PIN codes. Detailed information can be found at [[X-Payments:Managing_PIN_codes | Managing PIN codes]] page.<br />
<br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following:<br />
<br />
* Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer)<br />
* Allow connections only from specific (known) IP/MAC addresses<br />
* Use strong authentication or complex passwords for logins<br />
* Enable encrypted data transmission<br />
* Enable account lockout after a certain number of failed login attempts<br />
* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed<br />
* Enable any logging or auditing functions<br />
* Restrict access to customer passwords to authorized reseller/integrator personnel<br />
* Establish customer passwords according to PCI DSS requirements 8.1, 8.2, 8.4, 8.5<br />
<br />
Qualiteam does not provide software updates via remote access on an automated basis.<br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PCI_DSS_implementation_guide_for_X-Payments_2.2&diff=499X-Payments:PCI DSS implementation guide for X-Payments 2.22015-12-17T12:02:10Z<p>Alex “Ambal” Mulin: /* X-Cart Payments versioning policy */</p>
<hr />
<div>== Introduction ==<br />
<br />
This guide covers '''X-Cart Payments''' 1.0, 2.0, 2.1, 2.2 and is intended for merchants and integrators who wish to implement the application in accordance with guidelines set by the PCI Data Security Standard (PCI DSS).<br />
<br />
== X-Cart Payments versioning policy ==<br />
<br />
X-Cart Payments version number must look like "X.Y.Z" (e.g. 1.0.6, 2.0.1, 2.2.1, 3.0.0), where<br />
<br />
* X - major version number that gets incremented when high impact changes are introduced and certified under PA-DSS requirements;<br />
* Y - minor version number that gets incremented when low impact changes are added to X-Cart Payments package;<br />
* Z - bug-fix version number that gets incremented when no impact changes are done to X-Cart Payments package.<br />
<br />
== PCI DSS ==<br />
<br />
PCI DSS specifies 12 requirements broken into 6 groups for compliance that apply both to hardware and software parts of the system that is used to collect, store, transmit and process valuable credit card data as well as the human factor.<br />
<br />
{| border<br />
| Build and Maintain a Secure Network<br />
|<br />
<br />
* Requirement 1: Install and maintain a firewall configuration to protect cardholder data<br />
* Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters<br />
|-<br />
| Protect Cardholder Data<br />
|<br />
<br />
* Requirement 3: Protect stored cardholder data<br />
* Requirement 4: Encrypt transmission of cardholder data across open, public networks<br />
|-<br />
| Maintain a Vulnerability Management Program<br />
|<br />
<br />
* Requirement 5: Use and regularly update anti-virus software<br />
* Requirement 6: Develop and maintain secure systems and applications<br />
|-<br />
| Implement Strong Access Control Measures<br />
|<br />
<br />
* Requirement 7: Restrict access to cardholder data by business need-to-know<br />
* Requirement 8: Assign a unique ID to each person with computer access<br />
* Requirement 9: Restrict physical access to cardholder data<br />
|-<br />
| Regularly Monitor and Test Networks<br />
|<br />
<br />
* Requirement 10: Track and monitor all access to network resources and cardholder data<br />
* Requirement 11: Regularly test security systems and processes<br />
|-<br />
| Maintain an Information Security Policy<br />
|<br />
<br />
* Requirement 12: Maintain a policy that addresses information security<br />
|}<br />
<br />
Specifically, relevant elements to an e-commerce business' PCI compliance status include:<br />
<br />
* Properly using your payment application. For this purpose, carefully review the section below for information on how to use '''X-Cart Payments''' in a way that ensures PCI compliance.<br />
<br />
* Using a PCI compliant Web hosting environment<br />
<br />
* Using a PCI compliant payment provider<br />
<br />
You can find and review the complete specification by visiting [https://www.pcisecuritystandards.org/ https://www.pcisecuritystandards.org/]<br />
<br />
This guide is intended to help merchants implement the '''X-Cart Payments''' application in a way that is compliant with version 2.0 of the PCI DSS.<br />
<br />
== Payment Card Industry Data Security Standard ('''PCI DSS''') ==<br />
<br />
The Payment Card Industry Data Security Standard is a worldwide information security standard assembled by the major credit card vendors, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was designed to help organizations involved in processing credit card payments online make their payment systems secure from cardholder data fraud.<br />
<br />
'''X-Cart Payments''' has been designed and certified to meet all of the requirements of the '''PA-DSS''' version 2.0. This does not automatically make you, the merchant, PCI DSS compliant. To ensure PCI DSS compliance, it is necessary that you follow the recommendations and instructions provided in this guide.<br />
<br />
For additional information about '''PCI DSS''' please visit the [https://www.pcisecuritystandards.org Official PCI Security Standards Council Site].<br />
<br />
== Cardholder data storage==<br />
<br />
'''X-Cart Payments''' has [[X-Payments:General_settings#Cardholder_Data | the ability to store parts of cardholder data temporarily]] for performing 3D Secure verification and certain types of transactions for some of the integrated payment processors. While stored cardholder data is encrypted using special [[X-Payments:Encryption_keys | cryptographic algorithm]]. The data is removed automatically when its storing period is over using "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks.<br />
<br />
'''X-Cart Payments''' can not be configured to store permanently in the database the following types of data:<br />
<br />
* unmasked PAN<br />
* PIN<br />
* CVV<br />
* magnetic stripe (track data)<br />
<br />
Merchants and/or developers implementing '''X-Cart Payments''' should not attempt to customize this as a feature.<br />
<br />
'''X-Cart Payments''' can display masked PAN on "Payment details" pages and in "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. '''X-Cart Payments''' does not have the ability to display full PAN anywhere and there are no settings that can change this behavior of the user interface.<br />
<br />
==Configuring and using '''X-Cart Payments''' in PCI compliant manner ==<br />
<br />
===Installation===<br />
<br />
Follow the [[X-Payments:Installation | standard procedure]] for deployment of X-Cart Payments files to the web server.<br />
<br />
{{Note1|Once installed, X-Cart Payments WILL NEVER:<br/><br />
* store unmasked credit card numbers (PANs)<br />
* send credit card data or any other information to Qualiteam for debug purposes}}<br />
<br />
===Access control===<br />
<br />
There are no built-in/default user accounts in '''X-Cart Payments'''.<br />
You must carefully control access to '''X-Cart Payments'''. Follow these rules:<br />
<br />
* Restrict the number of employees who have access to '''X-Cart Payments''' to only those who have a business need.<br />
* Always provide unique usernames for each person who needs access.<br />
* Do not use system-default usernames and/or passwords<br />
* Web server must be run under a non-privileged user account. Application must access the database from a limited privilege user account.<br />
* All default user accounts use secure authentication mechanisms and password policy settings that comply with all the standard requirements:<br />
** user accounts inactive for more than 3 days are blocked<br />
** password lifetime is set to 30 days<br />
<br />
:: To set password lifetime:<br />
<br />
::# Login to '''X-Cart Payments'''<br />
::# Go to <u>Settings -> General Settings</u><br />
::# Enter the number of days the user account password will be valid for in the "User account password lifetime" field. The maximum allowed password lifetime is 90 days.<br />
<br />
:* minimum password length is 8 characters<br />
:* password must contain both lower and upper case characters and numbers<br />
:* the last 4 passwords must be unique<br />
:* user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password<br />
:* user is logged off after inactivity period of 10 minutes<br />
<br />
<div> Please note that changing default password policy settings will lead to breaking PCI DSS standard requirements.</div><br />
<br />
===Enabling SSL (Secure Socket Layer)===<br />
<br />
SSL protects data that is transmitted between a browser and your web server. It is critical that you have SSL enabled on your web server, and this should be among the first steps taken after installation.<br />
<br />
* Your web server must be configured to use TLS v1.2 protocols with strong encryption (128-bit or longer key is required)<br />
* You will need to have a certificate issued for your web domain. Read [http://help.qtmsoft.com/index.php?title=Instant_SSL_certificate guidelines on installing Comodo's Instant SSL certificates].<br />
<br />
If a web server does not have SSL enabled '''X-Cart Payments''' will not function or will be notifying users depending on '''allow_insecure_protocol''' parameter set in <u>config.ini.php</u> file (disabled by default).<br />
<br />
===Data Collected while Testing===<br />
<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments:<br />
<br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever collect credit card information to troubleshoot a problem that one of your customers is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access<br />
#* Only collect a limited amount of such data as needed to solve a specific problem<br />
#* Sensitive authentication data must be encrypted while stored. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Such data must be securely deleted immediately after use.<br />
<br />
===Encryption Key Management===<br />
<br />
As part of your PA DSS v3.1 requirements, encryption key must be changed annually (changing every 90 days is recommended). You should also change the key any time an employee with access to the key leaves your company. Always replace the key if you know or suspect it has been compromised by any means.<br />
<br />
To change the encryption keys:<br />
<br />
# Log in to '''X-Cart Payments'''<br />
# Go to <u>Maintenance -> Encryption keys</u><br />
# Click "Generate new keys"<br />
<br />
===Use unique user IDs and secure authentication to access PCs, servers and databases ===<br />
<br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords:<br />
<br />
# For your Web hosting account administration area (Web hosting account where your online store is hosted)<br />
# For FTP access to the Web server<br />
# For Remote Desktop Connection to the Web server (if available)<br />
# To connect to the MySQL server that contains your store data.<br />
<br />
The passwords for the accounts mentioned above must also meet the following requirements:<br />
<br />
* be at least 8 characters in length<br />
* contain both numbers and letters in lower and upper case<br />
* not coincide with any part of your email address<br />
* not coincide with any of the last four passwords you have used<br />
* have a lifetime of less than 90 days<br />
* account lockout threshold must be set to 6.<br />
* account lockout duration must be set to 30 minutes (or until unblocked by the administrator).<br />
* user must be logged off after 15 minutes of inactivity<br />
<br />
===Audit trails===<br />
<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. There is no option to disable audit logging. The log files are created in the <u>var/log/</u> directory. Make sure you restrict access to the log files by business need-to-know.<br />
<br />
The following types of activity are logged:<br />
<br />
* All actions taken by any individual with root or administrative privileges<br />
* Successes and failures of all individual accesses to application sections and functions<br />
<br />
* Initialization of the audit logs<br />
* User sign in and sign out.<br />
<br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to files access.log and error.log.<br />
<br />
Each log event includes:<br />
<br />
* Type of event<br />
* Date and time of event<br />
* Username and IP address<br />
* Success or failure indication<br />
* Action which led to the event<br />
<br />
* Component which led to the event<br />
<br />
There is also a meta-log which contains information about other log files being created.<br />
<br />
=== OS-level audit trails ===<br />
<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on server. This software should:<br />
<br />
* warn on a checksum change of any of X-Cart Payments source code files except of log file and database files<br />
* record any file writing operations related to X-Cart Payments files<br />
<br />
===Encrypting network traffic===<br />
<br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for:<br />
<br />
* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
* providing remote web-based access to the application<br />
<br />
If you use tools to remotely access the application, you should encrypt all communication using technologies such as TLS or IPSEC.<br />
<br />
As per PCI DSS requirement 4.2, cardholder data should never be sent unencrypted by e-mail, and X-Cart Payments does meet this requirement '''never''' sending cardholder data by e-mail or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br />
===Wireless communications===<br />
<br />
If you use wireless networking to access '''X-Cart Payments''', it is your responsibility to ensure your wireless security con figuration follows the PCI DSS requirements.<br />
<br />
* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
* Use with a minimum 104-bit encryption key and 24 bit-initialization value<br />
* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS<br />
* Rotate shared WEP keys quarterly (or automatically if the technology permits)<br />
* Rotate shared WEP keys whenever there are changes in personnel with access to keys<br />
* Restrict access based on media access cod e (MAC) address.<br />
* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br />
===Remote access===<br />
<br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time PIN codes. Detailed information can be found at [[X-Payments:Managing_PIN_codes | Managing PIN codes]] page.<br />
<br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following:<br />
<br />
* Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer)<br />
* Allow connections only from specific (known) IP/MAC addresses<br />
* Use strong authentication or complex passwords for logins<br />
* Enable encrypted data transmission<br />
* Enable account lockout after a certain number of failed login attempts<br />
* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed<br />
* Enable any logging or auditing functions<br />
* Restrict access to customer passwords to authorized reseller/integrator personnel<br />
* Establish customer passwords according to PCI DSS requirements 8.1, 8.2, 8.4, 8.5<br />
<br />
Qualiteam does not provide software updates via remote access on an automated basis.<br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PCI_DSS_implementation_guide_for_X-Payments_2.2&diff=498X-Payments:PCI DSS implementation guide for X-Payments 2.22015-12-17T12:00:59Z<p>Alex “Ambal” Mulin: /* X-Cart Payments versioning policy */</p>
<hr />
<div>== Introduction ==<br />
<br />
This guide covers '''X-Cart Payments''' 1.0, 2.0, 2.1, 2.2 and is intended for merchants and integrators who wish to implement the application in accordance with guidelines set by the PCI Data Security Standard (PCI DSS).<br />
<br />
== X-Cart Payments versioning policy ==<br />
<br />
X-Cart Payments version number must look like "X.Y.Z" (e.g. 1.0.6, 2.0.1, 2.2.1, 3.0.0), where<br />
<br />
* X - major version number that gets incremented when a high impact change is introduced and certified under PA-DSS requirements;<br />
* Y - minor version number that gets incremented when a low impact change is added to X-Cart Payments package;<br />
* Z - bug-fix version number that gets incremented when a no impact change is done to X-Cart Payments package.<br />
<br />
== PCI DSS ==<br />
<br />
PCI DSS specifies 12 requirements broken into 6 groups for compliance that apply both to hardware and software parts of the system that is used to collect, store, transmit and process valuable credit card data as well as the human factor.<br />
<br />
{| border<br />
| Build and Maintain a Secure Network<br />
|<br />
<br />
* Requirement 1: Install and maintain a firewall configuration to protect cardholder data<br />
* Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters<br />
|-<br />
| Protect Cardholder Data<br />
|<br />
<br />
* Requirement 3: Protect stored cardholder data<br />
* Requirement 4: Encrypt transmission of cardholder data across open, public networks<br />
|-<br />
| Maintain a Vulnerability Management Program<br />
|<br />
<br />
* Requirement 5: Use and regularly update anti-virus software<br />
* Requirement 6: Develop and maintain secure systems and applications<br />
|-<br />
| Implement Strong Access Control Measures<br />
|<br />
<br />
* Requirement 7: Restrict access to cardholder data by business need-to-know<br />
* Requirement 8: Assign a unique ID to each person with computer access<br />
* Requirement 9: Restrict physical access to cardholder data<br />
|-<br />
| Regularly Monitor and Test Networks<br />
|<br />
<br />
* Requirement 10: Track and monitor all access to network resources and cardholder data<br />
* Requirement 11: Regularly test security systems and processes<br />
|-<br />
| Maintain an Information Security Policy<br />
|<br />
<br />
* Requirement 12: Maintain a policy that addresses information security<br />
|}<br />
<br />
Specifically, relevant elements to an e-commerce business' PCI compliance status include:<br />
<br />
* Properly using your payment application. For this purpose, carefully review the section below for information on how to use '''X-Cart Payments''' in a way that ensures PCI compliance.<br />
<br />
* Using a PCI compliant Web hosting environment<br />
<br />
* Using a PCI compliant payment provider<br />
<br />
You can find and review the complete specification by visiting [https://www.pcisecuritystandards.org/ https://www.pcisecuritystandards.org/]<br />
<br />
This guide is intended to help merchants implement the '''X-Cart Payments''' application in a way that is compliant with version 2.0 of the PCI DSS.<br />
<br />
== Payment Card Industry Data Security Standard ('''PCI DSS''') ==<br />
<br />
The Payment Card Industry Data Security Standard is a worldwide information security standard assembled by the major credit card vendors, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was designed to help organizations involved in processing credit card payments online make their payment systems secure from cardholder data fraud.<br />
<br />
'''X-Cart Payments''' has been designed and certified to meet all of the requirements of the '''PA-DSS''' version 2.0. This does not automatically make you, the merchant, PCI DSS compliant. To ensure PCI DSS compliance, it is necessary that you follow the recommendations and instructions provided in this guide.<br />
<br />
For additional information about '''PCI DSS''' please visit the [https://www.pcisecuritystandards.org Official PCI Security Standards Council Site].<br />
<br />
== Cardholder data storage==<br />
<br />
'''X-Cart Payments''' has [[X-Payments:General_settings#Cardholder_Data | the ability to store parts of cardholder data temporarily]] for performing 3D Secure verification and certain types of transactions for some of the integrated payment processors. While stored cardholder data is encrypted using special [[X-Payments:Encryption_keys | cryptographic algorithm]]. The data is removed automatically when its storing period is over using "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks.<br />
<br />
'''X-Cart Payments''' can not be configured to store permanently in the database the following types of data:<br />
<br />
* unmasked PAN<br />
* PIN<br />
* CVV<br />
* magnetic stripe (track data)<br />
<br />
Merchants and/or developers implementing '''X-Cart Payments''' should not attempt to customize this as a feature.<br />
<br />
'''X-Cart Payments''' can display masked PAN on "Payment details" pages and in "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. '''X-Cart Payments''' does not have the ability to display full PAN anywhere and there are no settings that can change this behavior of the user interface.<br />
<br />
==Configuring and using '''X-Cart Payments''' in PCI compliant manner ==<br />
<br />
===Installation===<br />
<br />
Follow the [[X-Payments:Installation | standard procedure]] for deployment of X-Cart Payments files to the web server.<br />
<br />
{{Note1|Once installed, X-Cart Payments WILL NEVER:<br/><br />
* store unmasked credit card numbers (PANs)<br />
* send credit card data or any other information to Qualiteam for debug purposes}}<br />
<br />
===Access control===<br />
<br />
There are no built-in/default user accounts in '''X-Cart Payments'''.<br />
You must carefully control access to '''X-Cart Payments'''. Follow these rules:<br />
<br />
* Restrict the number of employees who have access to '''X-Cart Payments''' to only those who have a business need.<br />
* Always provide unique usernames for each person who needs access.<br />
* Do not use system-default usernames and/or passwords<br />
* Web server must be run under a non-privileged user account. Application must access the database from a limited privilege user account.<br />
* All default user accounts use secure authentication mechanisms and password policy settings that comply with all the standard requirements:<br />
** user accounts inactive for more than 3 days are blocked<br />
** password lifetime is set to 30 days<br />
<br />
:: To set password lifetime:<br />
<br />
::# Login to '''X-Cart Payments'''<br />
::# Go to <u>Settings -> General Settings</u><br />
::# Enter the number of days the user account password will be valid for in the "User account password lifetime" field. The maximum allowed password lifetime is 90 days.<br />
<br />
:* minimum password length is 8 characters<br />
:* password must contain both lower and upper case characters and numbers<br />
:* the last 4 passwords must be unique<br />
:* user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password<br />
:* user is logged off after inactivity period of 10 minutes<br />
<br />
<div> Please note that changing default password policy settings will lead to breaking PCI DSS standard requirements.</div><br />
<br />
===Enabling SSL (Secure Socket Layer)===<br />
<br />
SSL protects data that is transmitted between a browser and your web server. It is critical that you have SSL enabled on your web server, and this should be among the first steps taken after installation.<br />
<br />
* Your web server must be configured to use TLS v1.2 protocols with strong encryption (128-bit or longer key is required)<br />
* You will need to have a certificate issued for your web domain. Read [http://help.qtmsoft.com/index.php?title=Instant_SSL_certificate guidelines on installing Comodo's Instant SSL certificates].<br />
<br />
If a web server does not have SSL enabled '''X-Cart Payments''' will not function or will be notifying users depending on '''allow_insecure_protocol''' parameter set in <u>config.ini.php</u> file (disabled by default).<br />
<br />
===Data Collected while Testing===<br />
<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments:<br />
<br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever collect credit card information to troubleshoot a problem that one of your customers is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access<br />
#* Only collect a limited amount of such data as needed to solve a specific problem<br />
#* Sensitive authentication data must be encrypted while stored. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Such data must be securely deleted immediately after use.<br />
<br />
===Encryption Key Management===<br />
<br />
As part of your PA DSS v3.1 requirements, encryption key must be changed annually (changing every 90 days is recommended). You should also change the key any time an employee with access to the key leaves your company. Always replace the key if you know or suspect it has been compromised by any means.<br />
<br />
To change the encryption keys:<br />
<br />
# Log in to '''X-Cart Payments'''<br />
# Go to <u>Maintenance -> Encryption keys</u><br />
# Click "Generate new keys"<br />
<br />
===Use unique user IDs and secure authentication to access PCs, servers and databases ===<br />
<br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords:<br />
<br />
# For your Web hosting account administration area (Web hosting account where your online store is hosted)<br />
# For FTP access to the Web server<br />
# For Remote Desktop Connection to the Web server (if available)<br />
# To connect to the MySQL server that contains your store data.<br />
<br />
The passwords for the accounts mentioned above must also meet the following requirements:<br />
<br />
* be at least 8 characters in length<br />
* contain both numbers and letters in lower and upper case<br />
* not coincide with any part of your email address<br />
* not coincide with any of the last four passwords you have used<br />
* have a lifetime of less than 90 days<br />
* account lockout threshold must be set to 6.<br />
* account lockout duration must be set to 30 minutes (or until unblocked by the administrator).<br />
* user must be logged off after 15 minutes of inactivity<br />
<br />
===Audit trails===<br />
<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. There is no option to disable audit logging. The log files are created in the <u>var/log/</u> directory. Make sure you restrict access to the log files by business need-to-know.<br />
<br />
The following types of activity are logged:<br />
<br />
* All actions taken by any individual with root or administrative privileges<br />
* Successes and failures of all individual accesses to application sections and functions<br />
<br />
* Initialization of the audit logs<br />
* User sign in and sign out.<br />
<br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to files access.log and error.log.<br />
<br />
Each log event includes:<br />
<br />
* Type of event<br />
* Date and time of event<br />
* Username and IP address<br />
* Success or failure indication<br />
* Action which led to the event<br />
<br />
* Component which led to the event<br />
<br />
There is also a meta-log which contains information about other log files being created.<br />
<br />
=== OS-level audit trails ===<br />
<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on server. This software should:<br />
<br />
* warn on a checksum change of any of X-Cart Payments source code files except of log file and database files<br />
* record any file writing operations related to X-Cart Payments files<br />
<br />
===Encrypting network traffic===<br />
<br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for:<br />
<br />
* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
* providing remote web-based access to the application<br />
<br />
If you use tools to remotely access the application, you should encrypt all communication using technologies such as TLS or IPSEC.<br />
<br />
As per PCI DSS requirement 4.2, cardholder data should never be sent unencrypted by e-mail, and X-Cart Payments does meet this requirement '''never''' sending cardholder data by e-mail or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br />
===Wireless communications===<br />
<br />
If you use wireless networking to access '''X-Cart Payments''', it is your responsibility to ensure your wireless security con figuration follows the PCI DSS requirements.<br />
<br />
* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
* Use with a minimum 104-bit encryption key and 24 bit-initialization value<br />
* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS<br />
* Rotate shared WEP keys quarterly (or automatically if the technology permits)<br />
* Rotate shared WEP keys whenever there are changes in personnel with access to keys<br />
* Restrict access based on media access cod e (MAC) address.<br />
* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br />
===Remote access===<br />
<br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time PIN codes. Detailed information can be found at [[X-Payments:Managing_PIN_codes | Managing PIN codes]] page.<br />
<br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following:<br />
<br />
* Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer)<br />
* Allow connections only from specific (known) IP/MAC addresses<br />
* Use strong authentication or complex passwords for logins<br />
* Enable encrypted data transmission<br />
* Enable account lockout after a certain number of failed login attempts<br />
* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed<br />
* Enable any logging or auditing functions<br />
* Restrict access to customer passwords to authorized reseller/integrator personnel<br />
* Establish customer passwords according to PCI DSS requirements 8.1, 8.2, 8.4, 8.5<br />
<br />
Qualiteam does not provide software updates via remote access on an automated basis.<br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PCI_DSS_implementation_guide_for_X-Payments_2.2&diff=497X-Payments:PCI DSS implementation guide for X-Payments 2.22015-12-17T12:00:12Z<p>Alex “Ambal” Mulin: /* X-Cart Payments versioning policy */</p>
<hr />
<div>== Introduction ==<br />
<br />
This guide covers '''X-Cart Payments''' 1.0, 2.0, 2.1, 2.2 and is intended for merchants and integrators who wish to implement the application in accordance with guidelines set by the PCI Data Security Standard (PCI DSS).<br />
<br />
== X-Cart Payments versioning policy ==<br />
<br />
X-Cart Payments version number must look like "X.Y.Z" (e.g. 1.0.6, 2.0.1, 2.2.1, 3.0.0), where<br />
<br />
X - major version number that gets incremented when a high impact change is introduced and certified under PA-DSS requirements;<br />
<br />
Y - minor version number that gets incremented when a low impact change is added to X-Cart Payments package;<br />
<br />
Z - bug-fix version number that gets incremented when a no impact change is done to X-Cart Payments package.<br />
<br />
== PCI DSS ==<br />
<br />
PCI DSS specifies 12 requirements broken into 6 groups for compliance that apply both to hardware and software parts of the system that is used to collect, store, transmit and process valuable credit card data as well as the human factor.<br />
<br />
{| border<br />
| Build and Maintain a Secure Network<br />
|<br />
<br />
* Requirement 1: Install and maintain a firewall configuration to protect cardholder data<br />
* Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters<br />
|-<br />
| Protect Cardholder Data<br />
|<br />
<br />
* Requirement 3: Protect stored cardholder data<br />
* Requirement 4: Encrypt transmission of cardholder data across open, public networks<br />
|-<br />
| Maintain a Vulnerability Management Program<br />
|<br />
<br />
* Requirement 5: Use and regularly update anti-virus software<br />
* Requirement 6: Develop and maintain secure systems and applications<br />
|-<br />
| Implement Strong Access Control Measures<br />
|<br />
<br />
* Requirement 7: Restrict access to cardholder data by business need-to-know<br />
* Requirement 8: Assign a unique ID to each person with computer access<br />
* Requirement 9: Restrict physical access to cardholder data<br />
|-<br />
| Regularly Monitor and Test Networks<br />
|<br />
<br />
* Requirement 10: Track and monitor all access to network resources and cardholder data<br />
* Requirement 11: Regularly test security systems and processes<br />
|-<br />
| Maintain an Information Security Policy<br />
|<br />
<br />
* Requirement 12: Maintain a policy that addresses information security<br />
|}<br />
<br />
Specifically, relevant elements to an e-commerce business' PCI compliance status include:<br />
<br />
* Properly using your payment application. For this purpose, carefully review the section below for information on how to use '''X-Cart Payments''' in a way that ensures PCI compliance.<br />
<br />
* Using a PCI compliant Web hosting environment<br />
<br />
* Using a PCI compliant payment provider<br />
<br />
You can find and review the complete specification by visiting [https://www.pcisecuritystandards.org/ https://www.pcisecuritystandards.org/]<br />
<br />
This guide is intended to help merchants implement the '''X-Cart Payments''' application in a way that is compliant with version 2.0 of the PCI DSS.<br />
<br />
== Payment Card Industry Data Security Standard ('''PCI DSS''') ==<br />
<br />
The Payment Card Industry Data Security Standard is a worldwide information security standard assembled by the major credit card vendors, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was designed to help organizations involved in processing credit card payments online make their payment systems secure from cardholder data fraud.<br />
<br />
'''X-Cart Payments''' has been designed and certified to meet all of the requirements of the '''PA-DSS''' version 2.0. This does not automatically make you, the merchant, PCI DSS compliant. To ensure PCI DSS compliance, it is necessary that you follow the recommendations and instructions provided in this guide.<br />
<br />
For additional information about '''PCI DSS''' please visit the [https://www.pcisecuritystandards.org Official PCI Security Standards Council Site].<br />
<br />
== Cardholder data storage==<br />
<br />
'''X-Cart Payments''' has [[X-Payments:General_settings#Cardholder_Data | the ability to store parts of cardholder data temporarily]] for performing 3D Secure verification and certain types of transactions for some of the integrated payment processors. While stored cardholder data is encrypted using special [[X-Payments:Encryption_keys | cryptographic algorithm]]. The data is removed automatically when its storing period is over using "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks.<br />
<br />
'''X-Cart Payments''' can not be configured to store permanently in the database the following types of data:<br />
<br />
* unmasked PAN<br />
* PIN<br />
* CVV<br />
* magnetic stripe (track data)<br />
<br />
Merchants and/or developers implementing '''X-Cart Payments''' should not attempt to customize this as a feature.<br />
<br />
'''X-Cart Payments''' can display masked PAN on "Payment details" pages and in "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. '''X-Cart Payments''' does not have the ability to display full PAN anywhere and there are no settings that can change this behavior of the user interface.<br />
<br />
==Configuring and using '''X-Cart Payments''' in PCI compliant manner ==<br />
<br />
===Installation===<br />
<br />
Follow the [[X-Payments:Installation | standard procedure]] for deployment of X-Cart Payments files to the web server.<br />
<br />
{{Note1|Once installed, X-Cart Payments WILL NEVER:<br/><br />
* store unmasked credit card numbers (PANs)<br />
* send credit card data or any other information to Qualiteam for debug purposes}}<br />
<br />
===Access control===<br />
<br />
There are no built-in/default user accounts in '''X-Cart Payments'''.<br />
You must carefully control access to '''X-Cart Payments'''. Follow these rules:<br />
<br />
* Restrict the number of employees who have access to '''X-Cart Payments''' to only those who have a business need.<br />
* Always provide unique usernames for each person who needs access.<br />
* Do not use system-default usernames and/or passwords<br />
* Web server must be run under a non-privileged user account. Application must access the database from a limited privilege user account.<br />
* All default user accounts use secure authentication mechanisms and password policy settings that comply with all the standard requirements:<br />
** user accounts inactive for more than 3 days are blocked<br />
** password lifetime is set to 30 days<br />
<br />
:: To set password lifetime:<br />
<br />
::# Login to '''X-Cart Payments'''<br />
::# Go to <u>Settings -> General Settings</u><br />
::# Enter the number of days the user account password will be valid for in the "User account password lifetime" field. The maximum allowed password lifetime is 90 days.<br />
<br />
:* minimum password length is 8 characters<br />
:* password must contain both lower and upper case characters and numbers<br />
:* the last 4 passwords must be unique<br />
:* user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password<br />
:* user is logged off after inactivity period of 10 minutes<br />
<br />
<div> Please note that changing default password policy settings will lead to breaking PCI DSS standard requirements.</div><br />
<br />
===Enabling SSL (Secure Socket Layer)===<br />
<br />
SSL protects data that is transmitted between a browser and your web server. It is critical that you have SSL enabled on your web server, and this should be among the first steps taken after installation.<br />
<br />
* Your web server must be configured to use TLS v1.2 protocols with strong encryption (128-bit or longer key is required)<br />
* You will need to have a certificate issued for your web domain. Read [http://help.qtmsoft.com/index.php?title=Instant_SSL_certificate guidelines on installing Comodo's Instant SSL certificates].<br />
<br />
If a web server does not have SSL enabled '''X-Cart Payments''' will not function or will be notifying users depending on '''allow_insecure_protocol''' parameter set in <u>config.ini.php</u> file (disabled by default).<br />
<br />
===Data Collected while Testing===<br />
<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments:<br />
<br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever collect credit card information to troubleshoot a problem that one of your customers is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access<br />
#* Only collect a limited amount of such data as needed to solve a specific problem<br />
#* Sensitive authentication data must be encrypted while stored. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Such data must be securely deleted immediately after use.<br />
<br />
===Encryption Key Management===<br />
<br />
As part of your PA DSS v3.1 requirements, encryption key must be changed annually (changing every 90 days is recommended). You should also change the key any time an employee with access to the key leaves your company. Always replace the key if you know or suspect it has been compromised by any means.<br />
<br />
To change the encryption keys:<br />
<br />
# Log in to '''X-Cart Payments'''<br />
# Go to <u>Maintenance -> Encryption keys</u><br />
# Click "Generate new keys"<br />
<br />
===Use unique user IDs and secure authentication to access PCs, servers and databases ===<br />
<br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords:<br />
<br />
# For your Web hosting account administration area (Web hosting account where your online store is hosted)<br />
# For FTP access to the Web server<br />
# For Remote Desktop Connection to the Web server (if available)<br />
# To connect to the MySQL server that contains your store data.<br />
<br />
The passwords for the accounts mentioned above must also meet the following requirements:<br />
<br />
* be at least 8 characters in length<br />
* contain both numbers and letters in lower and upper case<br />
* not coincide with any part of your email address<br />
* not coincide with any of the last four passwords you have used<br />
* have a lifetime of less than 90 days<br />
* account lockout threshold must be set to 6.<br />
* account lockout duration must be set to 30 minutes (or until unblocked by the administrator).<br />
* user must be logged off after 15 minutes of inactivity<br />
<br />
===Audit trails===<br />
<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. There is no option to disable audit logging. The log files are created in the <u>var/log/</u> directory. Make sure you restrict access to the log files by business need-to-know.<br />
<br />
The following types of activity are logged:<br />
<br />
* All actions taken by any individual with root or administrative privileges<br />
* Successes and failures of all individual accesses to application sections and functions<br />
<br />
* Initialization of the audit logs<br />
* User sign in and sign out.<br />
<br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to files access.log and error.log.<br />
<br />
Each log event includes:<br />
<br />
* Type of event<br />
* Date and time of event<br />
* Username and IP address<br />
* Success or failure indication<br />
* Action which led to the event<br />
<br />
* Component which led to the event<br />
<br />
There is also a meta-log which contains information about other log files being created.<br />
<br />
=== OS-level audit trails ===<br />
<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on server. This software should:<br />
<br />
* warn on a checksum change of any of X-Cart Payments source code files except of log file and database files<br />
* record any file writing operations related to X-Cart Payments files<br />
<br />
===Encrypting network traffic===<br />
<br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for:<br />
<br />
* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
* providing remote web-based access to the application<br />
<br />
If you use tools to remotely access the application, you should encrypt all communication using technologies such as TLS or IPSEC.<br />
<br />
As per PCI DSS requirement 4.2, cardholder data should never be sent unencrypted by e-mail, and X-Cart Payments does meet this requirement '''never''' sending cardholder data by e-mail or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br />
===Wireless communications===<br />
<br />
If you use wireless networking to access '''X-Cart Payments''', it is your responsibility to ensure your wireless security con figuration follows the PCI DSS requirements.<br />
<br />
* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
* Use with a minimum 104-bit encryption key and 24 bit-initialization value<br />
* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS<br />
* Rotate shared WEP keys quarterly (or automatically if the technology permits)<br />
* Rotate shared WEP keys whenever there are changes in personnel with access to keys<br />
* Restrict access based on media access cod e (MAC) address.<br />
* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br />
===Remote access===<br />
<br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time PIN codes. Detailed information can be found at [[X-Payments:Managing_PIN_codes | Managing PIN codes]] page.<br />
<br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following:<br />
<br />
* Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer)<br />
* Allow connections only from specific (known) IP/MAC addresses<br />
* Use strong authentication or complex passwords for logins<br />
* Enable encrypted data transmission<br />
* Enable account lockout after a certain number of failed login attempts<br />
* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed<br />
* Enable any logging or auditing functions<br />
* Restrict access to customer passwords to authorized reseller/integrator personnel<br />
* Establish customer passwords according to PCI DSS requirements 8.1, 8.2, 8.4, 8.5<br />
<br />
Qualiteam does not provide software updates via remote access on an automated basis.<br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PCI_DSS_implementation_guide_for_X-Payments_2.2&diff=496X-Payments:PCI DSS implementation guide for X-Payments 2.22015-12-17T11:58:31Z<p>Alex “Ambal” Mulin: /* X-Cart Payments version policy */</p>
<hr />
<div>== Introduction ==<br />
<br />
This guide covers '''X-Cart Payments''' 1.0, 2.0, 2.1, 2.2 and is intended for merchants and integrators who wish to implement the application in accordance with guidelines set by the PCI Data Security Standard (PCI DSS).<br />
<br />
== X-Cart Payments versioning policy ==<br />
<br />
X-Cart Payments version number must look like "X.Y.Z" (e.g. 1.0.6, 2.0.1, 2.2.1, 3.0.0), where<br />
<br />
X - major version number that gets incremented when a high impact change is introduced and certified under PA-DSS requirements;<br />
Y - minor version number that gets incremented when a low impact change is added to X-Cart Payments package;<br />
Z - bug-fix version number that gets incremented when a no impact change is done to X-Cart Payments package.<br />
<br />
== PCI DSS ==<br />
<br />
PCI DSS specifies 12 requirements broken into 6 groups for compliance that apply both to hardware and software parts of the system that is used to collect, store, transmit and process valuable credit card data as well as the human factor.<br />
<br />
{| border<br />
| Build and Maintain a Secure Network<br />
|<br />
<br />
* Requirement 1: Install and maintain a firewall configuration to protect cardholder data<br />
* Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters<br />
|-<br />
| Protect Cardholder Data<br />
|<br />
<br />
* Requirement 3: Protect stored cardholder data<br />
* Requirement 4: Encrypt transmission of cardholder data across open, public networks<br />
|-<br />
| Maintain a Vulnerability Management Program<br />
|<br />
<br />
* Requirement 5: Use and regularly update anti-virus software<br />
* Requirement 6: Develop and maintain secure systems and applications<br />
|-<br />
| Implement Strong Access Control Measures<br />
|<br />
<br />
* Requirement 7: Restrict access to cardholder data by business need-to-know<br />
* Requirement 8: Assign a unique ID to each person with computer access<br />
* Requirement 9: Restrict physical access to cardholder data<br />
|-<br />
| Regularly Monitor and Test Networks<br />
|<br />
<br />
* Requirement 10: Track and monitor all access to network resources and cardholder data<br />
* Requirement 11: Regularly test security systems and processes<br />
|-<br />
| Maintain an Information Security Policy<br />
|<br />
<br />
* Requirement 12: Maintain a policy that addresses information security<br />
|}<br />
<br />
Specifically, relevant elements to an e-commerce business' PCI compliance status include:<br />
<br />
* Properly using your payment application. For this purpose, carefully review the section below for information on how to use '''X-Cart Payments''' in a way that ensures PCI compliance.<br />
<br />
* Using a PCI compliant Web hosting environment<br />
<br />
* Using a PCI compliant payment provider<br />
<br />
You can find and review the complete specification by visiting [https://www.pcisecuritystandards.org/ https://www.pcisecuritystandards.org/]<br />
<br />
This guide is intended to help merchants implement the '''X-Cart Payments''' application in a way that is compliant with version 2.0 of the PCI DSS.<br />
<br />
== Payment Card Industry Data Security Standard ('''PCI DSS''') ==<br />
<br />
The Payment Card Industry Data Security Standard is a worldwide information security standard assembled by the major credit card vendors, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was designed to help organizations involved in processing credit card payments online make their payment systems secure from cardholder data fraud.<br />
<br />
'''X-Cart Payments''' has been designed and certified to meet all of the requirements of the '''PA-DSS''' version 2.0. This does not automatically make you, the merchant, PCI DSS compliant. To ensure PCI DSS compliance, it is necessary that you follow the recommendations and instructions provided in this guide.<br />
<br />
For additional information about '''PCI DSS''' please visit the [https://www.pcisecuritystandards.org Official PCI Security Standards Council Site].<br />
<br />
== Cardholder data storage==<br />
<br />
'''X-Cart Payments''' has [[X-Payments:General_settings#Cardholder_Data | the ability to store parts of cardholder data temporarily]] for performing 3D Secure verification and certain types of transactions for some of the integrated payment processors. While stored cardholder data is encrypted using special [[X-Payments:Encryption_keys | cryptographic algorithm]]. The data is removed automatically when its storing period is over using "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks.<br />
<br />
'''X-Cart Payments''' can not be configured to store permanently in the database the following types of data:<br />
<br />
* unmasked PAN<br />
* PIN<br />
* CVV<br />
* magnetic stripe (track data)<br />
<br />
Merchants and/or developers implementing '''X-Cart Payments''' should not attempt to customize this as a feature.<br />
<br />
'''X-Cart Payments''' can display masked PAN on "Payment details" pages and in "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. '''X-Cart Payments''' does not have the ability to display full PAN anywhere and there are no settings that can change this behavior of the user interface.<br />
<br />
==Configuring and using '''X-Cart Payments''' in PCI compliant manner ==<br />
<br />
===Installation===<br />
<br />
Follow the [[X-Payments:Installation | standard procedure]] for deployment of X-Cart Payments files to the web server.<br />
<br />
{{Note1|Once installed, X-Cart Payments WILL NEVER:<br/><br />
* store unmasked credit card numbers (PANs)<br />
* send credit card data or any other information to Qualiteam for debug purposes}}<br />
<br />
===Access control===<br />
<br />
There are no built-in/default user accounts in '''X-Cart Payments'''.<br />
You must carefully control access to '''X-Cart Payments'''. Follow these rules:<br />
<br />
* Restrict the number of employees who have access to '''X-Cart Payments''' to only those who have a business need.<br />
* Always provide unique usernames for each person who needs access.<br />
* Do not use system-default usernames and/or passwords<br />
* Web server must be run under a non-privileged user account. Application must access the database from a limited privilege user account.<br />
* All default user accounts use secure authentication mechanisms and password policy settings that comply with all the standard requirements:<br />
** user accounts inactive for more than 3 days are blocked<br />
** password lifetime is set to 30 days<br />
<br />
:: To set password lifetime:<br />
<br />
::# Login to '''X-Cart Payments'''<br />
::# Go to <u>Settings -> General Settings</u><br />
::# Enter the number of days the user account password will be valid for in the "User account password lifetime" field. The maximum allowed password lifetime is 90 days.<br />
<br />
:* minimum password length is 8 characters<br />
:* password must contain both lower and upper case characters and numbers<br />
:* the last 4 passwords must be unique<br />
:* user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password<br />
:* user is logged off after inactivity period of 10 minutes<br />
<br />
<div> Please note that changing default password policy settings will lead to breaking PCI DSS standard requirements.</div><br />
<br />
===Enabling SSL (Secure Socket Layer)===<br />
<br />
SSL protects data that is transmitted between a browser and your web server. It is critical that you have SSL enabled on your web server, and this should be among the first steps taken after installation.<br />
<br />
* Your web server must be configured to use TLS v1.2 protocols with strong encryption (128-bit or longer key is required)<br />
* You will need to have a certificate issued for your web domain. Read [http://help.qtmsoft.com/index.php?title=Instant_SSL_certificate guidelines on installing Comodo's Instant SSL certificates].<br />
<br />
If a web server does not have SSL enabled '''X-Cart Payments''' will not function or will be notifying users depending on '''allow_insecure_protocol''' parameter set in <u>config.ini.php</u> file (disabled by default).<br />
<br />
===Data Collected while Testing===<br />
<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments:<br />
<br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever collect credit card information to troubleshoot a problem that one of your customers is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access<br />
#* Only collect a limited amount of such data as needed to solve a specific problem<br />
#* Sensitive authentication data must be encrypted while stored. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Such data must be securely deleted immediately after use.<br />
<br />
===Encryption Key Management===<br />
<br />
As part of your PA DSS v3.1 requirements, encryption key must be changed annually (changing every 90 days is recommended). You should also change the key any time an employee with access to the key leaves your company. Always replace the key if you know or suspect it has been compromised by any means.<br />
<br />
To change the encryption keys:<br />
<br />
# Log in to '''X-Cart Payments'''<br />
# Go to <u>Maintenance -> Encryption keys</u><br />
# Click "Generate new keys"<br />
<br />
===Use unique user IDs and secure authentication to access PCs, servers and databases ===<br />
<br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords:<br />
<br />
# For your Web hosting account administration area (Web hosting account where your online store is hosted)<br />
# For FTP access to the Web server<br />
# For Remote Desktop Connection to the Web server (if available)<br />
# To connect to the MySQL server that contains your store data.<br />
<br />
The passwords for the accounts mentioned above must also meet the following requirements:<br />
<br />
* be at least 8 characters in length<br />
* contain both numbers and letters in lower and upper case<br />
* not coincide with any part of your email address<br />
* not coincide with any of the last four passwords you have used<br />
* have a lifetime of less than 90 days<br />
* account lockout threshold must be set to 6.<br />
* account lockout duration must be set to 30 minutes (or until unblocked by the administrator).<br />
* user must be logged off after 15 minutes of inactivity<br />
<br />
===Audit trails===<br />
<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. There is no option to disable audit logging. The log files are created in the <u>var/log/</u> directory. Make sure you restrict access to the log files by business need-to-know.<br />
<br />
The following types of activity are logged:<br />
<br />
* All actions taken by any individual with root or administrative privileges<br />
* Successes and failures of all individual accesses to application sections and functions<br />
<br />
* Initialization of the audit logs<br />
* User sign in and sign out.<br />
<br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to files access.log and error.log.<br />
<br />
Each log event includes:<br />
<br />
* Type of event<br />
* Date and time of event<br />
* Username and IP address<br />
* Success or failure indication<br />
* Action which led to the event<br />
<br />
* Component which led to the event<br />
<br />
There is also a meta-log which contains information about other log files being created.<br />
<br />
=== OS-level audit trails ===<br />
<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on server. This software should:<br />
<br />
* warn on a checksum change of any of X-Cart Payments source code files except of log file and database files<br />
* record any file writing operations related to X-Cart Payments files<br />
<br />
===Encrypting network traffic===<br />
<br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for:<br />
<br />
* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
* providing remote web-based access to the application<br />
<br />
If you use tools to remotely access the application, you should encrypt all communication using technologies such as TLS or IPSEC.<br />
<br />
As per PCI DSS requirement 4.2, cardholder data should never be sent unencrypted by e-mail, and X-Cart Payments does meet this requirement '''never''' sending cardholder data by e-mail or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br />
===Wireless communications===<br />
<br />
If you use wireless networking to access '''X-Cart Payments''', it is your responsibility to ensure your wireless security con figuration follows the PCI DSS requirements.<br />
<br />
* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
* Use with a minimum 104-bit encryption key and 24 bit-initialization value<br />
* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS<br />
* Rotate shared WEP keys quarterly (or automatically if the technology permits)<br />
* Rotate shared WEP keys whenever there are changes in personnel with access to keys<br />
* Restrict access based on media access cod e (MAC) address.<br />
* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br />
===Remote access===<br />
<br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time PIN codes. Detailed information can be found at [[X-Payments:Managing_PIN_codes | Managing PIN codes]] page.<br />
<br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following:<br />
<br />
* Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer)<br />
* Allow connections only from specific (known) IP/MAC addresses<br />
* Use strong authentication or complex passwords for logins<br />
* Enable encrypted data transmission<br />
* Enable account lockout after a certain number of failed login attempts<br />
* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed<br />
* Enable any logging or auditing functions<br />
* Restrict access to customer passwords to authorized reseller/integrator personnel<br />
* Establish customer passwords according to PCI DSS requirements 8.1, 8.2, 8.4, 8.5<br />
<br />
Qualiteam does not provide software updates via remote access on an automated basis.<br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PCI_DSS_implementation_guide_for_X-Payments_2.2&diff=495X-Payments:PCI DSS implementation guide for X-Payments 2.22015-12-17T11:56:49Z<p>Alex “Ambal” Mulin: /* Introduction */</p>
<hr />
<div>== Introduction ==<br />
<br />
This guide covers '''X-Cart Payments''' 1.0, 2.0, 2.1, 2.2 and is intended for merchants and integrators who wish to implement the application in accordance with guidelines set by the PCI Data Security Standard (PCI DSS).<br />
<br />
== X-Cart Payments version policy ==<br />
<br />
X-Cart Payments version number must look like "X.Y.Z" (e.g. 1.0.6, 2.0.1, 2.2.1, 3.0.0), where<br />
<br />
X - major version number that gets incremented when a high impact change is introduced and certified under PA-DSS requirements;<br />
Y - minor version number that gets incremented when a low impact change is added to X-Cart Payments package;<br />
Z - bug-fix version number that gets incremented when a no impact change is done to X-Cart Payments package.<br />
<br />
== PCI DSS ==<br />
<br />
PCI DSS specifies 12 requirements broken into 6 groups for compliance that apply both to hardware and software parts of the system that is used to collect, store, transmit and process valuable credit card data as well as the human factor.<br />
<br />
{| border<br />
| Build and Maintain a Secure Network<br />
|<br />
<br />
* Requirement 1: Install and maintain a firewall configuration to protect cardholder data<br />
* Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters<br />
|-<br />
| Protect Cardholder Data<br />
|<br />
<br />
* Requirement 3: Protect stored cardholder data<br />
* Requirement 4: Encrypt transmission of cardholder data across open, public networks<br />
|-<br />
| Maintain a Vulnerability Management Program<br />
|<br />
<br />
* Requirement 5: Use and regularly update anti-virus software<br />
* Requirement 6: Develop and maintain secure systems and applications<br />
|-<br />
| Implement Strong Access Control Measures<br />
|<br />
<br />
* Requirement 7: Restrict access to cardholder data by business need-to-know<br />
* Requirement 8: Assign a unique ID to each person with computer access<br />
* Requirement 9: Restrict physical access to cardholder data<br />
|-<br />
| Regularly Monitor and Test Networks<br />
|<br />
<br />
* Requirement 10: Track and monitor all access to network resources and cardholder data<br />
* Requirement 11: Regularly test security systems and processes<br />
|-<br />
| Maintain an Information Security Policy<br />
|<br />
<br />
* Requirement 12: Maintain a policy that addresses information security<br />
|}<br />
<br />
Specifically, relevant elements to an e-commerce business' PCI compliance status include:<br />
<br />
* Properly using your payment application. For this purpose, carefully review the section below for information on how to use '''X-Cart Payments''' in a way that ensures PCI compliance.<br />
<br />
* Using a PCI compliant Web hosting environment<br />
<br />
* Using a PCI compliant payment provider<br />
<br />
You can find and review the complete specification by visiting [https://www.pcisecuritystandards.org/ https://www.pcisecuritystandards.org/]<br />
<br />
This guide is intended to help merchants implement the '''X-Cart Payments''' application in a way that is compliant with version 2.0 of the PCI DSS.<br />
<br />
== Payment Card Industry Data Security Standard ('''PCI DSS''') ==<br />
<br />
The Payment Card Industry Data Security Standard is a worldwide information security standard assembled by the major credit card vendors, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was designed to help organizations involved in processing credit card payments online make their payment systems secure from cardholder data fraud.<br />
<br />
'''X-Cart Payments''' has been designed and certified to meet all of the requirements of the '''PA-DSS''' version 2.0. This does not automatically make you, the merchant, PCI DSS compliant. To ensure PCI DSS compliance, it is necessary that you follow the recommendations and instructions provided in this guide.<br />
<br />
For additional information about '''PCI DSS''' please visit the [https://www.pcisecuritystandards.org Official PCI Security Standards Council Site].<br />
<br />
== Cardholder data storage==<br />
<br />
'''X-Cart Payments''' has [[X-Payments:General_settings#Cardholder_Data | the ability to store parts of cardholder data temporarily]] for performing 3D Secure verification and certain types of transactions for some of the integrated payment processors. While stored cardholder data is encrypted using special [[X-Payments:Encryption_keys | cryptographic algorithm]]. The data is removed automatically when its storing period is over using "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks.<br />
<br />
'''X-Cart Payments''' can not be configured to store permanently in the database the following types of data:<br />
<br />
* unmasked PAN<br />
* PIN<br />
* CVV<br />
* magnetic stripe (track data)<br />
<br />
Merchants and/or developers implementing '''X-Cart Payments''' should not attempt to customize this as a feature.<br />
<br />
'''X-Cart Payments''' can display masked PAN on "Payment details" pages and in "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. '''X-Cart Payments''' does not have the ability to display full PAN anywhere and there are no settings that can change this behavior of the user interface.<br />
<br />
==Configuring and using '''X-Cart Payments''' in PCI compliant manner ==<br />
<br />
===Installation===<br />
<br />
Follow the [[X-Payments:Installation | standard procedure]] for deployment of X-Cart Payments files to the web server.<br />
<br />
{{Note1|Once installed, X-Cart Payments WILL NEVER:<br/><br />
* store unmasked credit card numbers (PANs)<br />
* send credit card data or any other information to Qualiteam for debug purposes}}<br />
<br />
===Access control===<br />
<br />
There are no built-in/default user accounts in '''X-Cart Payments'''.<br />
You must carefully control access to '''X-Cart Payments'''. Follow these rules:<br />
<br />
* Restrict the number of employees who have access to '''X-Cart Payments''' to only those who have a business need.<br />
* Always provide unique usernames for each person who needs access.<br />
* Do not use system-default usernames and/or passwords<br />
* Web server must be run under a non-privileged user account. Application must access the database from a limited privilege user account.<br />
* All default user accounts use secure authentication mechanisms and password policy settings that comply with all the standard requirements:<br />
** user accounts inactive for more than 3 days are blocked<br />
** password lifetime is set to 30 days<br />
<br />
:: To set password lifetime:<br />
<br />
::# Login to '''X-Cart Payments'''<br />
::# Go to <u>Settings -> General Settings</u><br />
::# Enter the number of days the user account password will be valid for in the "User account password lifetime" field. The maximum allowed password lifetime is 90 days.<br />
<br />
:* minimum password length is 8 characters<br />
:* password must contain both lower and upper case characters and numbers<br />
:* the last 4 passwords must be unique<br />
:* user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password<br />
:* user is logged off after inactivity period of 10 minutes<br />
<br />
<div> Please note that changing default password policy settings will lead to breaking PCI DSS standard requirements.</div><br />
<br />
===Enabling SSL (Secure Socket Layer)===<br />
<br />
SSL protects data that is transmitted between a browser and your web server. It is critical that you have SSL enabled on your web server, and this should be among the first steps taken after installation.<br />
<br />
* Your web server must be configured to use TLS v1.2 protocols with strong encryption (128-bit or longer key is required)<br />
* You will need to have a certificate issued for your web domain. Read [http://help.qtmsoft.com/index.php?title=Instant_SSL_certificate guidelines on installing Comodo's Instant SSL certificates].<br />
<br />
If a web server does not have SSL enabled '''X-Cart Payments''' will not function or will be notifying users depending on '''allow_insecure_protocol''' parameter set in <u>config.ini.php</u> file (disabled by default).<br />
<br />
===Data Collected while Testing===<br />
<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments:<br />
<br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever collect credit card information to troubleshoot a problem that one of your customers is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access<br />
#* Only collect a limited amount of such data as needed to solve a specific problem<br />
#* Sensitive authentication data must be encrypted while stored. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Such data must be securely deleted immediately after use.<br />
<br />
===Encryption Key Management===<br />
<br />
As part of your PA DSS v3.1 requirements, encryption key must be changed annually (changing every 90 days is recommended). You should also change the key any time an employee with access to the key leaves your company. Always replace the key if you know or suspect it has been compromised by any means.<br />
<br />
To change the encryption keys:<br />
<br />
# Log in to '''X-Cart Payments'''<br />
# Go to <u>Maintenance -> Encryption keys</u><br />
# Click "Generate new keys"<br />
<br />
===Use unique user IDs and secure authentication to access PCs, servers and databases ===<br />
<br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords:<br />
<br />
# For your Web hosting account administration area (Web hosting account where your online store is hosted)<br />
# For FTP access to the Web server<br />
# For Remote Desktop Connection to the Web server (if available)<br />
# To connect to the MySQL server that contains your store data.<br />
<br />
The passwords for the accounts mentioned above must also meet the following requirements:<br />
<br />
* be at least 8 characters in length<br />
* contain both numbers and letters in lower and upper case<br />
* not coincide with any part of your email address<br />
* not coincide with any of the last four passwords you have used<br />
* have a lifetime of less than 90 days<br />
* account lockout threshold must be set to 6.<br />
* account lockout duration must be set to 30 minutes (or until unblocked by the administrator).<br />
* user must be logged off after 15 minutes of inactivity<br />
<br />
===Audit trails===<br />
<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. There is no option to disable audit logging. The log files are created in the <u>var/log/</u> directory. Make sure you restrict access to the log files by business need-to-know.<br />
<br />
The following types of activity are logged:<br />
<br />
* All actions taken by any individual with root or administrative privileges<br />
* Successes and failures of all individual accesses to application sections and functions<br />
<br />
* Initialization of the audit logs<br />
* User sign in and sign out.<br />
<br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to files access.log and error.log.<br />
<br />
Each log event includes:<br />
<br />
* Type of event<br />
* Date and time of event<br />
* Username and IP address<br />
* Success or failure indication<br />
* Action which led to the event<br />
<br />
* Component which led to the event<br />
<br />
There is also a meta-log which contains information about other log files being created.<br />
<br />
=== OS-level audit trails ===<br />
<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on server. This software should:<br />
<br />
* warn on a checksum change of any of X-Cart Payments source code files except of log file and database files<br />
* record any file writing operations related to X-Cart Payments files<br />
<br />
===Encrypting network traffic===<br />
<br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for:<br />
<br />
* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
* providing remote web-based access to the application<br />
<br />
If you use tools to remotely access the application, you should encrypt all communication using technologies such as TLS or IPSEC.<br />
<br />
As per PCI DSS requirement 4.2, cardholder data should never be sent unencrypted by e-mail, and X-Cart Payments does meet this requirement '''never''' sending cardholder data by e-mail or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br />
===Wireless communications===<br />
<br />
If you use wireless networking to access '''X-Cart Payments''', it is your responsibility to ensure your wireless security con figuration follows the PCI DSS requirements.<br />
<br />
* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
* Use with a minimum 104-bit encryption key and 24 bit-initialization value<br />
* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS<br />
* Rotate shared WEP keys quarterly (or automatically if the technology permits)<br />
* Rotate shared WEP keys whenever there are changes in personnel with access to keys<br />
* Restrict access based on media access cod e (MAC) address.<br />
* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br />
===Remote access===<br />
<br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time PIN codes. Detailed information can be found at [[X-Payments:Managing_PIN_codes | Managing PIN codes]] page.<br />
<br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following:<br />
<br />
* Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer)<br />
* Allow connections only from specific (known) IP/MAC addresses<br />
* Use strong authentication or complex passwords for logins<br />
* Enable encrypted data transmission<br />
* Enable account lockout after a certain number of failed login attempts<br />
* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed<br />
* Enable any logging or auditing functions<br />
* Restrict access to customer passwords to authorized reseller/integrator personnel<br />
* Establish customer passwords according to PCI DSS requirements 8.1, 8.2, 8.4, 8.5<br />
<br />
Qualiteam does not provide software updates via remote access on an automated basis.<br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PCI_DSS_implementation_guide_for_X-Payments_2.2&diff=494X-Payments:PCI DSS implementation guide for X-Payments 2.22015-12-14T14:26:58Z<p>Alex “Ambal” Mulin: /* Access control */</p>
<hr />
<div>== Introduction ==<br />
<br />
This guide covers '''X-Cart Payments''' 1.0, 2.0, 2.1, 2.2 and is intended for merchants and integrators who wish to implement the application in accordance with guidelines set by the PCI Data Security Standard (PCI DSS).<br />
<br />
== PCI DSS ==<br />
<br />
PCI DSS specifies 12 requirements broken into 6 groups for compliance that apply both to hardware and software parts of the system that is used to collect, store, transmit and process valuable credit card data as well as the human factor.<br />
<br />
{| border<br />
| Build and Maintain a Secure Network<br />
|<br />
<br />
* Requirement 1: Install and maintain a firewall configuration to protect cardholder data<br />
* Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters<br />
|-<br />
| Protect Cardholder Data<br />
|<br />
<br />
* Requirement 3: Protect stored cardholder data<br />
* Requirement 4: Encrypt transmission of cardholder data across open, public networks<br />
|-<br />
| Maintain a Vulnerability Management Program<br />
|<br />
<br />
* Requirement 5: Use and regularly update anti-virus software<br />
* Requirement 6: Develop and maintain secure systems and applications<br />
|-<br />
| Implement Strong Access Control Measures<br />
|<br />
<br />
* Requirement 7: Restrict access to cardholder data by business need-to-know<br />
* Requirement 8: Assign a unique ID to each person with computer access<br />
* Requirement 9: Restrict physical access to cardholder data<br />
|-<br />
| Regularly Monitor and Test Networks<br />
|<br />
<br />
* Requirement 10: Track and monitor all access to network resources and cardholder data<br />
* Requirement 11: Regularly test security systems and processes<br />
|-<br />
| Maintain an Information Security Policy<br />
|<br />
<br />
* Requirement 12: Maintain a policy that addresses information security<br />
|}<br />
<br />
Specifically, relevant elements to an e-commerce business' PCI compliance status include:<br />
<br />
* Properly using your payment application. For this purpose, carefully review the section below for information on how to use '''X-Cart Payments''' in a way that ensures PCI compliance.<br />
<br />
* Using a PCI compliant Web hosting environment<br />
<br />
* Using a PCI compliant payment provider<br />
<br />
You can find and review the complete specification by visiting [https://www.pcisecuritystandards.org/ https://www.pcisecuritystandards.org/]<br />
<br />
This guide is intended to help merchants implement the '''X-Cart Payments''' application in a way that is compliant with version 2.0 of the PCI DSS.<br />
<br />
== Payment Card Industry Data Security Standard ('''PCI DSS''') ==<br />
<br />
The Payment Card Industry Data Security Standard is a worldwide information security standard assembled by the major credit card vendors, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was designed to help organizations involved in processing credit card payments online make their payment systems secure from cardholder data fraud.<br />
<br />
'''X-Cart Payments''' has been designed and certified to meet all of the requirements of the '''PA-DSS''' version 2.0. This does not automatically make you, the merchant, PCI DSS compliant. To ensure PCI DSS compliance, it is necessary that you follow the recommendations and instructions provided in this guide.<br />
<br />
For additional information about '''PCI DSS''' please visit the [https://www.pcisecuritystandards.org Official PCI Security Standards Council Site].<br />
<br />
== Cardholder data storage==<br />
<br />
'''X-Cart Payments''' has [[X-Payments:General_settings#Cardholder_Data | the ability to store parts of cardholder data temporarily]] for performing 3D Secure verification and certain types of transactions for some of the integrated payment processors. While stored cardholder data is encrypted using special [[X-Payments:Encryption_keys | cryptographic algorithm]]. The data is removed automatically when its storing period is over using "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks.<br />
<br />
'''X-Cart Payments''' can not be configured to store permanently in the database the following types of data:<br />
<br />
* unmasked PAN<br />
* PIN<br />
* CVV<br />
* magnetic stripe (track data)<br />
<br />
Merchants and/or developers implementing '''X-Cart Payments''' should not attempt to customize this as a feature.<br />
<br />
'''X-Cart Payments''' can display masked PAN on "Payment details" pages and in "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. '''X-Cart Payments''' does not have the ability to display full PAN anywhere and there are no settings that can change this behavior of the user interface.<br />
<br />
==Configuring and using '''X-Cart Payments''' in PCI compliant manner ==<br />
<br />
===Installation===<br />
<br />
Follow the [[X-Payments:Installation | standard procedure]] for deployment of X-Cart Payments files to the web server.<br />
<br />
{{Note1|Once installed, X-Cart Payments WILL NEVER:<br/><br />
* store unmasked credit card numbers (PANs)<br />
* send credit card data or any other information to Qualiteam for debug purposes}}<br />
<br />
===Access control===<br />
<br />
There are no built-in/default user accounts in '''X-Cart Payments'''.<br />
You must carefully control access to '''X-Cart Payments'''. Follow these rules:<br />
<br />
* Restrict the number of employees who have access to '''X-Cart Payments''' to only those who have a business need.<br />
* Always provide unique usernames for each person who needs access.<br />
* Do not use system-default usernames and/or passwords<br />
* Web server must be run under a non-privileged user account. Application must access the database from a limited privilege user account.<br />
* All default user accounts use secure authentication mechanisms and password policy settings that comply with all the standard requirements:<br />
** user accounts inactive for more than 3 days are blocked<br />
** password lifetime is set to 30 days<br />
<br />
:: To set password lifetime:<br />
<br />
::# Login to '''X-Cart Payments'''<br />
::# Go to <u>Settings -> General Settings</u><br />
::# Enter the number of days the user account password will be valid for in the "User account password lifetime" field. The maximum allowed password lifetime is 90 days.<br />
<br />
:* minimum password length is 8 characters<br />
:* password must contain both lower and upper case characters and numbers<br />
:* the last 4 passwords must be unique<br />
:* user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password<br />
:* user is logged off after inactivity period of 10 minutes<br />
<br />
<div> Please note that changing default password policy settings will lead to breaking PCI DSS standard requirements.</div><br />
<br />
===Enabling SSL (Secure Socket Layer)===<br />
<br />
SSL protects data that is transmitted between a browser and your web server. It is critical that you have SSL enabled on your web server, and this should be among the first steps taken after installation.<br />
<br />
* Your web server must be configured to use TLS v1.2 protocols with strong encryption (128-bit or longer key is required)<br />
* You will need to have a certificate issued for your web domain. Read [http://help.qtmsoft.com/index.php?title=Instant_SSL_certificate guidelines on installing Comodo's Instant SSL certificates].<br />
<br />
If a web server does not have SSL enabled '''X-Cart Payments''' will not function or will be notifying users depending on '''allow_insecure_protocol''' parameter set in <u>config.ini.php</u> file (disabled by default).<br />
<br />
===Data Collected while Testing===<br />
<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments:<br />
<br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever collect credit card information to troubleshoot a problem that one of your customers is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access<br />
#* Only collect a limited amount of such data as needed to solve a specific problem<br />
#* Sensitive authentication data must be encrypted while stored. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Such data must be securely deleted immediately after use.<br />
<br />
===Encryption Key Management===<br />
<br />
As part of your PA DSS v3.1 requirements, encryption key must be changed annually (changing every 90 days is recommended). You should also change the key any time an employee with access to the key leaves your company. Always replace the key if you know or suspect it has been compromised by any means.<br />
<br />
To change the encryption keys:<br />
<br />
# Log in to '''X-Cart Payments'''<br />
# Go to <u>Maintenance -> Encryption keys</u><br />
# Click "Generate new keys"<br />
<br />
===Use unique user IDs and secure authentication to access PCs, servers and databases ===<br />
<br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords:<br />
<br />
# For your Web hosting account administration area (Web hosting account where your online store is hosted)<br />
# For FTP access to the Web server<br />
# For Remote Desktop Connection to the Web server (if available)<br />
# To connect to the MySQL server that contains your store data.<br />
<br />
The passwords for the accounts mentioned above must also meet the following requirements:<br />
<br />
* be at least 8 characters in length<br />
* contain both numbers and letters in lower and upper case<br />
* not coincide with any part of your email address<br />
* not coincide with any of the last four passwords you have used<br />
* have a lifetime of less than 90 days<br />
* account lockout threshold must be set to 6.<br />
* account lockout duration must be set to 30 minutes (or until unblocked by the administrator).<br />
* user must be logged off after 15 minutes of inactivity<br />
<br />
===Audit trails===<br />
<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. There is no option to disable audit logging. The log files are created in the <u>var/log/</u> directory. Make sure you restrict access to the log files by business need-to-know.<br />
<br />
The following types of activity are logged:<br />
<br />
* All actions taken by any individual with root or administrative privileges<br />
* Successes and failures of all individual accesses to application sections and functions<br />
<br />
* Initialization of the audit logs<br />
* User sign in and sign out.<br />
<br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to files access.log and error.log.<br />
<br />
Each log event includes:<br />
<br />
* Type of event<br />
* Date and time of event<br />
* Username and IP address<br />
* Success or failure indication<br />
* Action which led to the event<br />
<br />
* Component which led to the event<br />
<br />
There is also a meta-log which contains information about other log files being created.<br />
<br />
=== OS-level audit trails ===<br />
<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on server. This software should:<br />
<br />
* warn on a checksum change of any of X-Cart Payments source code files except of log file and database files<br />
* record any file writing operations related to X-Cart Payments files<br />
<br />
===Encrypting network traffic===<br />
<br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for:<br />
<br />
* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
* providing remote web-based access to the application<br />
<br />
If you use tools to remotely access the application, you should encrypt all communication using technologies such as TLS or IPSEC.<br />
<br />
As per PCI DSS requirement 4.2, cardholder data should never be sent unencrypted by e-mail, and X-Cart Payments does meet this requirement '''never''' sending cardholder data by e-mail or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br />
===Wireless communications===<br />
<br />
If you use wireless networking to access '''X-Cart Payments''', it is your responsibility to ensure your wireless security con figuration follows the PCI DSS requirements.<br />
<br />
* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
* Use with a minimum 104-bit encryption key and 24 bit-initialization value<br />
* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS<br />
* Rotate shared WEP keys quarterly (or automatically if the technology permits)<br />
* Rotate shared WEP keys whenever there are changes in personnel with access to keys<br />
* Restrict access based on media access cod e (MAC) address.<br />
* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br />
===Remote access===<br />
<br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time PIN codes. Detailed information can be found at [[X-Payments:Managing_PIN_codes | Managing PIN codes]] page.<br />
<br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following:<br />
<br />
* Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer)<br />
* Allow connections only from specific (known) IP/MAC addresses<br />
* Use strong authentication or complex passwords for logins<br />
* Enable encrypted data transmission<br />
* Enable account lockout after a certain number of failed login attempts<br />
* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed<br />
* Enable any logging or auditing functions<br />
* Restrict access to customer passwords to authorized reseller/integrator personnel<br />
* Establish customer passwords according to PCI DSS requirements 8.1, 8.2, 8.4, 8.5<br />
<br />
Qualiteam does not provide software updates via remote access on an automated basis.<br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PCI_DSS_implementation_guide_for_X-Payments_2.2&diff=493X-Payments:PCI DSS implementation guide for X-Payments 2.22015-12-14T14:25:00Z<p>Alex “Ambal” Mulin: /* See also */</p>
<hr />
<div>== Introduction ==<br />
<br />
This guide covers '''X-Cart Payments''' 1.0, 2.0, 2.1, 2.2 and is intended for merchants and integrators who wish to implement the application in accordance with guidelines set by the PCI Data Security Standard (PCI DSS).<br />
<br />
== PCI DSS ==<br />
<br />
PCI DSS specifies 12 requirements broken into 6 groups for compliance that apply both to hardware and software parts of the system that is used to collect, store, transmit and process valuable credit card data as well as the human factor.<br />
<br />
{| border<br />
| Build and Maintain a Secure Network<br />
|<br />
<br />
* Requirement 1: Install and maintain a firewall configuration to protect cardholder data<br />
* Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters<br />
|-<br />
| Protect Cardholder Data<br />
|<br />
<br />
* Requirement 3: Protect stored cardholder data<br />
* Requirement 4: Encrypt transmission of cardholder data across open, public networks<br />
|-<br />
| Maintain a Vulnerability Management Program<br />
|<br />
<br />
* Requirement 5: Use and regularly update anti-virus software<br />
* Requirement 6: Develop and maintain secure systems and applications<br />
|-<br />
| Implement Strong Access Control Measures<br />
|<br />
<br />
* Requirement 7: Restrict access to cardholder data by business need-to-know<br />
* Requirement 8: Assign a unique ID to each person with computer access<br />
* Requirement 9: Restrict physical access to cardholder data<br />
|-<br />
| Regularly Monitor and Test Networks<br />
|<br />
<br />
* Requirement 10: Track and monitor all access to network resources and cardholder data<br />
* Requirement 11: Regularly test security systems and processes<br />
|-<br />
| Maintain an Information Security Policy<br />
|<br />
<br />
* Requirement 12: Maintain a policy that addresses information security<br />
|}<br />
<br />
Specifically, relevant elements to an e-commerce business' PCI compliance status include:<br />
<br />
* Properly using your payment application. For this purpose, carefully review the section below for information on how to use '''X-Cart Payments''' in a way that ensures PCI compliance.<br />
<br />
* Using a PCI compliant Web hosting environment<br />
<br />
* Using a PCI compliant payment provider<br />
<br />
You can find and review the complete specification by visiting [https://www.pcisecuritystandards.org/ https://www.pcisecuritystandards.org/]<br />
<br />
This guide is intended to help merchants implement the '''X-Cart Payments''' application in a way that is compliant with version 2.0 of the PCI DSS.<br />
<br />
== Payment Card Industry Data Security Standard ('''PCI DSS''') ==<br />
<br />
The Payment Card Industry Data Security Standard is a worldwide information security standard assembled by the major credit card vendors, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was designed to help organizations involved in processing credit card payments online make their payment systems secure from cardholder data fraud.<br />
<br />
'''X-Cart Payments''' has been designed and certified to meet all of the requirements of the '''PA-DSS''' version 2.0. This does not automatically make you, the merchant, PCI DSS compliant. To ensure PCI DSS compliance, it is necessary that you follow the recommendations and instructions provided in this guide.<br />
<br />
For additional information about '''PCI DSS''' please visit the [https://www.pcisecuritystandards.org Official PCI Security Standards Council Site].<br />
<br />
== Cardholder data storage==<br />
<br />
'''X-Cart Payments''' has [[X-Payments:General_settings#Cardholder_Data | the ability to store parts of cardholder data temporarily]] for performing 3D Secure verification and certain types of transactions for some of the integrated payment processors. While stored cardholder data is encrypted using special [[X-Payments:Encryption_keys | cryptographic algorithm]]. The data is removed automatically when its storing period is over using "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks.<br />
<br />
'''X-Cart Payments''' can not be configured to store permanently in the database the following types of data:<br />
<br />
* unmasked PAN<br />
* PIN<br />
* CVV<br />
* magnetic stripe (track data)<br />
<br />
Merchants and/or developers implementing '''X-Cart Payments''' should not attempt to customize this as a feature.<br />
<br />
'''X-Cart Payments''' can display masked PAN on "Payment details" pages and in "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. '''X-Cart Payments''' does not have the ability to display full PAN anywhere and there are no settings that can change this behavior of the user interface.<br />
<br />
==Configuring and using '''X-Cart Payments''' in PCI compliant manner ==<br />
<br />
===Installation===<br />
<br />
Follow the [[X-Payments:Installation | standard procedure]] for deployment of X-Cart Payments files to the web server.<br />
<br />
{{Note1|Once installed, X-Cart Payments WILL NEVER:<br/><br />
* store unmasked credit card numbers (PANs)<br />
* send credit card data or any other information to Qualiteam for debug purposes}}<br />
<br />
===Access control===<br />
<br />
You must carefully control access to '''X-Cart Payments'''. Follow these rules:<br />
<br />
* Restrict the number of employees who have access to '''X-Cart Payments''' to only those who have a business need.<br />
* Always provide unique usernames for each person who needs access.<br />
* Do not use system-default usernames and/or passwords<br />
* Web server must be run under a non-privileged user account. Application must access the database from a limited privilege user account.<br />
* All default user accounts use secure authentication mechanisms and password policy settings that comply with all the standard requirements:<br />
** user accounts inactive for more than 3 days are blocked<br />
** password lifetime is set to 30 days<br />
<br />
:: To set password lifetime:<br />
<br />
::# Login to '''X-Cart Payments'''<br />
::# Go to <u>Settings -> General Settings</u><br />
::# Enter the number of days the user account password will be valid for in the "User account password lifetime" field. The maximum allowed password lifetime is 90 days.<br />
<br />
:* minimum password length is 8 characters<br />
:* password must contain both lower and upper case characters and numbers<br />
:* the last 4 passwords must be unique<br />
:* user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password<br />
:* user is logged off after inactivity period of 10 minutes<br />
<br />
<div> Please note that changing default password policy settings will lead to breaking PCI DSS standard requirements.</div><br />
<br />
===Enabling SSL (Secure Socket Layer)===<br />
<br />
SSL protects data that is transmitted between a browser and your web server. It is critical that you have SSL enabled on your web server, and this should be among the first steps taken after installation.<br />
<br />
* Your web server must be configured to use TLS v1.2 protocols with strong encryption (128-bit or longer key is required)<br />
* You will need to have a certificate issued for your web domain. Read [http://help.qtmsoft.com/index.php?title=Instant_SSL_certificate guidelines on installing Comodo's Instant SSL certificates].<br />
<br />
If a web server does not have SSL enabled '''X-Cart Payments''' will not function or will be notifying users depending on '''allow_insecure_protocol''' parameter set in <u>config.ini.php</u> file (disabled by default).<br />
<br />
===Data Collected while Testing===<br />
<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments:<br />
<br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever collect credit card information to troubleshoot a problem that one of your customers is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access<br />
#* Only collect a limited amount of such data as needed to solve a specific problem<br />
#* Sensitive authentication data must be encrypted while stored. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Such data must be securely deleted immediately after use.<br />
<br />
===Encryption Key Management===<br />
<br />
As part of your PA DSS v3.1 requirements, encryption key must be changed annually (changing every 90 days is recommended). You should also change the key any time an employee with access to the key leaves your company. Always replace the key if you know or suspect it has been compromised by any means.<br />
<br />
To change the encryption keys:<br />
<br />
# Log in to '''X-Cart Payments'''<br />
# Go to <u>Maintenance -> Encryption keys</u><br />
# Click "Generate new keys"<br />
<br />
===Use unique user IDs and secure authentication to access PCs, servers and databases ===<br />
<br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords:<br />
<br />
# For your Web hosting account administration area (Web hosting account where your online store is hosted)<br />
# For FTP access to the Web server<br />
# For Remote Desktop Connection to the Web server (if available)<br />
# To connect to the MySQL server that contains your store data.<br />
<br />
The passwords for the accounts mentioned above must also meet the following requirements:<br />
<br />
* be at least 8 characters in length<br />
* contain both numbers and letters in lower and upper case<br />
* not coincide with any part of your email address<br />
* not coincide with any of the last four passwords you have used<br />
* have a lifetime of less than 90 days<br />
* account lockout threshold must be set to 6.<br />
* account lockout duration must be set to 30 minutes (or until unblocked by the administrator).<br />
* user must be logged off after 15 minutes of inactivity<br />
<br />
===Audit trails===<br />
<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. There is no option to disable audit logging. The log files are created in the <u>var/log/</u> directory. Make sure you restrict access to the log files by business need-to-know.<br />
<br />
The following types of activity are logged:<br />
<br />
* All actions taken by any individual with root or administrative privileges<br />
* Successes and failures of all individual accesses to application sections and functions<br />
<br />
* Initialization of the audit logs<br />
* User sign in and sign out.<br />
<br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to files access.log and error.log.<br />
<br />
Each log event includes:<br />
<br />
* Type of event<br />
* Date and time of event<br />
* Username and IP address<br />
* Success or failure indication<br />
* Action which led to the event<br />
<br />
* Component which led to the event<br />
<br />
There is also a meta-log which contains information about other log files being created.<br />
<br />
=== OS-level audit trails ===<br />
<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on server. This software should:<br />
<br />
* warn on a checksum change of any of X-Cart Payments source code files except of log file and database files<br />
* record any file writing operations related to X-Cart Payments files<br />
<br />
===Encrypting network traffic===<br />
<br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for:<br />
<br />
* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
* providing remote web-based access to the application<br />
<br />
If you use tools to remotely access the application, you should encrypt all communication using technologies such as TLS or IPSEC.<br />
<br />
As per PCI DSS requirement 4.2, cardholder data should never be sent unencrypted by e-mail, and X-Cart Payments does meet this requirement '''never''' sending cardholder data by e-mail or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br />
===Wireless communications===<br />
<br />
If you use wireless networking to access '''X-Cart Payments''', it is your responsibility to ensure your wireless security con figuration follows the PCI DSS requirements.<br />
<br />
* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
* Use with a minimum 104-bit encryption key and 24 bit-initialization value<br />
* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS<br />
* Rotate shared WEP keys quarterly (or automatically if the technology permits)<br />
* Rotate shared WEP keys whenever there are changes in personnel with access to keys<br />
* Restrict access based on media access cod e (MAC) address.<br />
* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br />
===Remote access===<br />
<br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time PIN codes. Detailed information can be found at [[X-Payments:Managing_PIN_codes | Managing PIN codes]] page.<br />
<br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following:<br />
<br />
* Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer)<br />
* Allow connections only from specific (known) IP/MAC addresses<br />
* Use strong authentication or complex passwords for logins<br />
* Enable encrypted data transmission<br />
* Enable account lockout after a certain number of failed login attempts<br />
* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed<br />
* Enable any logging or auditing functions<br />
* Restrict access to customer passwords to authorized reseller/integrator personnel<br />
* Establish customer passwords according to PCI DSS requirements 8.1, 8.2, 8.4, 8.5<br />
<br />
Qualiteam does not provide software updates via remote access on an automated basis.<br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PCI_DSS_implementation_guide_for_X-Payments_2.2&diff=492X-Payments:PCI DSS implementation guide for X-Payments 2.22015-12-14T14:24:06Z<p>Alex “Ambal” Mulin: /* Remote access */</p>
<hr />
<div>== Introduction ==<br />
<br />
This guide covers '''X-Cart Payments''' 1.0, 2.0, 2.1, 2.2 and is intended for merchants and integrators who wish to implement the application in accordance with guidelines set by the PCI Data Security Standard (PCI DSS).<br />
<br />
== PCI DSS ==<br />
<br />
PCI DSS specifies 12 requirements broken into 6 groups for compliance that apply both to hardware and software parts of the system that is used to collect, store, transmit and process valuable credit card data as well as the human factor.<br />
<br />
{| border<br />
| Build and Maintain a Secure Network<br />
|<br />
<br />
* Requirement 1: Install and maintain a firewall configuration to protect cardholder data<br />
* Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters<br />
|-<br />
| Protect Cardholder Data<br />
|<br />
<br />
* Requirement 3: Protect stored cardholder data<br />
* Requirement 4: Encrypt transmission of cardholder data across open, public networks<br />
|-<br />
| Maintain a Vulnerability Management Program<br />
|<br />
<br />
* Requirement 5: Use and regularly update anti-virus software<br />
* Requirement 6: Develop and maintain secure systems and applications<br />
|-<br />
| Implement Strong Access Control Measures<br />
|<br />
<br />
* Requirement 7: Restrict access to cardholder data by business need-to-know<br />
* Requirement 8: Assign a unique ID to each person with computer access<br />
* Requirement 9: Restrict physical access to cardholder data<br />
|-<br />
| Regularly Monitor and Test Networks<br />
|<br />
<br />
* Requirement 10: Track and monitor all access to network resources and cardholder data<br />
* Requirement 11: Regularly test security systems and processes<br />
|-<br />
| Maintain an Information Security Policy<br />
|<br />
<br />
* Requirement 12: Maintain a policy that addresses information security<br />
|}<br />
<br />
Specifically, relevant elements to an e-commerce business' PCI compliance status include:<br />
<br />
* Properly using your payment application. For this purpose, carefully review the section below for information on how to use '''X-Cart Payments''' in a way that ensures PCI compliance.<br />
<br />
* Using a PCI compliant Web hosting environment<br />
<br />
* Using a PCI compliant payment provider<br />
<br />
You can find and review the complete specification by visiting [https://www.pcisecuritystandards.org/ https://www.pcisecuritystandards.org/]<br />
<br />
This guide is intended to help merchants implement the '''X-Cart Payments''' application in a way that is compliant with version 2.0 of the PCI DSS.<br />
<br />
== Payment Card Industry Data Security Standard ('''PCI DSS''') ==<br />
<br />
The Payment Card Industry Data Security Standard is a worldwide information security standard assembled by the major credit card vendors, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was designed to help organizations involved in processing credit card payments online make their payment systems secure from cardholder data fraud.<br />
<br />
'''X-Cart Payments''' has been designed and certified to meet all of the requirements of the '''PA-DSS''' version 2.0. This does not automatically make you, the merchant, PCI DSS compliant. To ensure PCI DSS compliance, it is necessary that you follow the recommendations and instructions provided in this guide.<br />
<br />
For additional information about '''PCI DSS''' please visit the [https://www.pcisecuritystandards.org Official PCI Security Standards Council Site].<br />
<br />
== Cardholder data storage==<br />
<br />
'''X-Cart Payments''' has [[X-Payments:General_settings#Cardholder_Data | the ability to store parts of cardholder data temporarily]] for performing 3D Secure verification and certain types of transactions for some of the integrated payment processors. While stored cardholder data is encrypted using special [[X-Payments:Encryption_keys | cryptographic algorithm]]. The data is removed automatically when its storing period is over using "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks.<br />
<br />
'''X-Cart Payments''' can not be configured to store permanently in the database the following types of data:<br />
<br />
* unmasked PAN<br />
* PIN<br />
* CVV<br />
* magnetic stripe (track data)<br />
<br />
Merchants and/or developers implementing '''X-Cart Payments''' should not attempt to customize this as a feature.<br />
<br />
'''X-Cart Payments''' can display masked PAN on "Payment details" pages and in "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. '''X-Cart Payments''' does not have the ability to display full PAN anywhere and there are no settings that can change this behavior of the user interface.<br />
<br />
==Configuring and using '''X-Cart Payments''' in PCI compliant manner ==<br />
<br />
===Installation===<br />
<br />
Follow the [[X-Payments:Installation | standard procedure]] for deployment of X-Cart Payments files to the web server.<br />
<br />
{{Note1|Once installed, X-Cart Payments WILL NEVER:<br/><br />
* store unmasked credit card numbers (PANs)<br />
* send credit card data or any other information to Qualiteam for debug purposes}}<br />
<br />
===Access control===<br />
<br />
You must carefully control access to '''X-Cart Payments'''. Follow these rules:<br />
<br />
* Restrict the number of employees who have access to '''X-Cart Payments''' to only those who have a business need.<br />
* Always provide unique usernames for each person who needs access.<br />
* Do not use system-default usernames and/or passwords<br />
* Web server must be run under a non-privileged user account. Application must access the database from a limited privilege user account.<br />
* All default user accounts use secure authentication mechanisms and password policy settings that comply with all the standard requirements:<br />
** user accounts inactive for more than 3 days are blocked<br />
** password lifetime is set to 30 days<br />
<br />
:: To set password lifetime:<br />
<br />
::# Login to '''X-Cart Payments'''<br />
::# Go to <u>Settings -> General Settings</u><br />
::# Enter the number of days the user account password will be valid for in the "User account password lifetime" field. The maximum allowed password lifetime is 90 days.<br />
<br />
:* minimum password length is 8 characters<br />
:* password must contain both lower and upper case characters and numbers<br />
:* the last 4 passwords must be unique<br />
:* user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password<br />
:* user is logged off after inactivity period of 10 minutes<br />
<br />
<div> Please note that changing default password policy settings will lead to breaking PCI DSS standard requirements.</div><br />
<br />
===Enabling SSL (Secure Socket Layer)===<br />
<br />
SSL protects data that is transmitted between a browser and your web server. It is critical that you have SSL enabled on your web server, and this should be among the first steps taken after installation.<br />
<br />
* Your web server must be configured to use TLS v1.2 protocols with strong encryption (128-bit or longer key is required)<br />
* You will need to have a certificate issued for your web domain. Read [http://help.qtmsoft.com/index.php?title=Instant_SSL_certificate guidelines on installing Comodo's Instant SSL certificates].<br />
<br />
If a web server does not have SSL enabled '''X-Cart Payments''' will not function or will be notifying users depending on '''allow_insecure_protocol''' parameter set in <u>config.ini.php</u> file (disabled by default).<br />
<br />
===Data Collected while Testing===<br />
<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments:<br />
<br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever collect credit card information to troubleshoot a problem that one of your customers is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access<br />
#* Only collect a limited amount of such data as needed to solve a specific problem<br />
#* Sensitive authentication data must be encrypted while stored. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Such data must be securely deleted immediately after use.<br />
<br />
===Encryption Key Management===<br />
<br />
As part of your PA DSS v3.1 requirements, encryption key must be changed annually (changing every 90 days is recommended). You should also change the key any time an employee with access to the key leaves your company. Always replace the key if you know or suspect it has been compromised by any means.<br />
<br />
To change the encryption keys:<br />
<br />
# Log in to '''X-Cart Payments'''<br />
# Go to <u>Maintenance -> Encryption keys</u><br />
# Click "Generate new keys"<br />
<br />
===Use unique user IDs and secure authentication to access PCs, servers and databases ===<br />
<br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords:<br />
<br />
# For your Web hosting account administration area (Web hosting account where your online store is hosted)<br />
# For FTP access to the Web server<br />
# For Remote Desktop Connection to the Web server (if available)<br />
# To connect to the MySQL server that contains your store data.<br />
<br />
The passwords for the accounts mentioned above must also meet the following requirements:<br />
<br />
* be at least 8 characters in length<br />
* contain both numbers and letters in lower and upper case<br />
* not coincide with any part of your email address<br />
* not coincide with any of the last four passwords you have used<br />
* have a lifetime of less than 90 days<br />
* account lockout threshold must be set to 6.<br />
* account lockout duration must be set to 30 minutes (or until unblocked by the administrator).<br />
* user must be logged off after 15 minutes of inactivity<br />
<br />
===Audit trails===<br />
<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. There is no option to disable audit logging. The log files are created in the <u>var/log/</u> directory. Make sure you restrict access to the log files by business need-to-know.<br />
<br />
The following types of activity are logged:<br />
<br />
* All actions taken by any individual with root or administrative privileges<br />
* Successes and failures of all individual accesses to application sections and functions<br />
<br />
* Initialization of the audit logs<br />
* User sign in and sign out.<br />
<br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to files access.log and error.log.<br />
<br />
Each log event includes:<br />
<br />
* Type of event<br />
* Date and time of event<br />
* Username and IP address<br />
* Success or failure indication<br />
* Action which led to the event<br />
<br />
* Component which led to the event<br />
<br />
There is also a meta-log which contains information about other log files being created.<br />
<br />
=== OS-level audit trails ===<br />
<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on server. This software should:<br />
<br />
* warn on a checksum change of any of X-Cart Payments source code files except of log file and database files<br />
* record any file writing operations related to X-Cart Payments files<br />
<br />
===Encrypting network traffic===<br />
<br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for:<br />
<br />
* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
* providing remote web-based access to the application<br />
<br />
If you use tools to remotely access the application, you should encrypt all communication using technologies such as TLS or IPSEC.<br />
<br />
As per PCI DSS requirement 4.2, cardholder data should never be sent unencrypted by e-mail, and X-Cart Payments does meet this requirement '''never''' sending cardholder data by e-mail or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br />
===Wireless communications===<br />
<br />
If you use wireless networking to access '''X-Cart Payments''', it is your responsibility to ensure your wireless security con figuration follows the PCI DSS requirements.<br />
<br />
* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
* Use with a minimum 104-bit encryption key and 24 bit-initialization value<br />
* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS<br />
* Rotate shared WEP keys quarterly (or automatically if the technology permits)<br />
* Rotate shared WEP keys whenever there are changes in personnel with access to keys<br />
* Restrict access based on media access cod e (MAC) address.<br />
* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br />
===Remote access===<br />
<br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time PIN codes. Detailed information can be found at [[X-Payments:Managing_PIN_codes | Managing PIN codes]] page.<br />
<br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following:<br />
<br />
* Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer)<br />
* Allow connections only from specific (known) IP/MAC addresses<br />
* Use strong authentication or complex passwords for logins<br />
* Enable encrypted data transmission<br />
* Enable account lockout after a certain number of failed login attempts<br />
* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed<br />
* Enable any logging or auditing functions<br />
* Restrict access to customer passwords to authorized reseller/integrator personnel<br />
* Establish customer passwords according to PCI DSS requirements 8.1, 8.2, 8.4, 8.5<br />
<br />
Qualiteam does not provide software updates via remote access on an automated basis.<br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
* [http://www.braintreepaymentsolutions.com/assets/308/PCI-Compliance.pdf Braintree PCI DSS compliance Quick Guide]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PCI_DSS_implementation_guide_for_X-Payments_2.2&diff=491X-Payments:PCI DSS implementation guide for X-Payments 2.22015-12-14T14:23:24Z<p>Alex “Ambal” Mulin: /* Cardholder data storage */</p>
<hr />
<div>== Introduction ==<br />
<br />
This guide covers '''X-Cart Payments''' 1.0, 2.0, 2.1, 2.2 and is intended for merchants and integrators who wish to implement the application in accordance with guidelines set by the PCI Data Security Standard (PCI DSS).<br />
<br />
== PCI DSS ==<br />
<br />
PCI DSS specifies 12 requirements broken into 6 groups for compliance that apply both to hardware and software parts of the system that is used to collect, store, transmit and process valuable credit card data as well as the human factor.<br />
<br />
{| border<br />
| Build and Maintain a Secure Network<br />
|<br />
<br />
* Requirement 1: Install and maintain a firewall configuration to protect cardholder data<br />
* Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters<br />
|-<br />
| Protect Cardholder Data<br />
|<br />
<br />
* Requirement 3: Protect stored cardholder data<br />
* Requirement 4: Encrypt transmission of cardholder data across open, public networks<br />
|-<br />
| Maintain a Vulnerability Management Program<br />
|<br />
<br />
* Requirement 5: Use and regularly update anti-virus software<br />
* Requirement 6: Develop and maintain secure systems and applications<br />
|-<br />
| Implement Strong Access Control Measures<br />
|<br />
<br />
* Requirement 7: Restrict access to cardholder data by business need-to-know<br />
* Requirement 8: Assign a unique ID to each person with computer access<br />
* Requirement 9: Restrict physical access to cardholder data<br />
|-<br />
| Regularly Monitor and Test Networks<br />
|<br />
<br />
* Requirement 10: Track and monitor all access to network resources and cardholder data<br />
* Requirement 11: Regularly test security systems and processes<br />
|-<br />
| Maintain an Information Security Policy<br />
|<br />
<br />
* Requirement 12: Maintain a policy that addresses information security<br />
|}<br />
<br />
Specifically, relevant elements to an e-commerce business' PCI compliance status include:<br />
<br />
* Properly using your payment application. For this purpose, carefully review the section below for information on how to use '''X-Cart Payments''' in a way that ensures PCI compliance.<br />
<br />
* Using a PCI compliant Web hosting environment<br />
<br />
* Using a PCI compliant payment provider<br />
<br />
You can find and review the complete specification by visiting [https://www.pcisecuritystandards.org/ https://www.pcisecuritystandards.org/]<br />
<br />
This guide is intended to help merchants implement the '''X-Cart Payments''' application in a way that is compliant with version 2.0 of the PCI DSS.<br />
<br />
== Payment Card Industry Data Security Standard ('''PCI DSS''') ==<br />
<br />
The Payment Card Industry Data Security Standard is a worldwide information security standard assembled by the major credit card vendors, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was designed to help organizations involved in processing credit card payments online make their payment systems secure from cardholder data fraud.<br />
<br />
'''X-Cart Payments''' has been designed and certified to meet all of the requirements of the '''PA-DSS''' version 2.0. This does not automatically make you, the merchant, PCI DSS compliant. To ensure PCI DSS compliance, it is necessary that you follow the recommendations and instructions provided in this guide.<br />
<br />
For additional information about '''PCI DSS''' please visit the [https://www.pcisecuritystandards.org Official PCI Security Standards Council Site].<br />
<br />
== Cardholder data storage==<br />
<br />
'''X-Cart Payments''' has [[X-Payments:General_settings#Cardholder_Data | the ability to store parts of cardholder data temporarily]] for performing 3D Secure verification and certain types of transactions for some of the integrated payment processors. While stored cardholder data is encrypted using special [[X-Payments:Encryption_keys | cryptographic algorithm]]. The data is removed automatically when its storing period is over using "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks.<br />
<br />
'''X-Cart Payments''' can not be configured to store permanently in the database the following types of data:<br />
<br />
* unmasked PAN<br />
* PIN<br />
* CVV<br />
* magnetic stripe (track data)<br />
<br />
Merchants and/or developers implementing '''X-Cart Payments''' should not attempt to customize this as a feature.<br />
<br />
'''X-Cart Payments''' can display masked PAN on "Payment details" pages and in "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. '''X-Cart Payments''' does not have the ability to display full PAN anywhere and there are no settings that can change this behavior of the user interface.<br />
<br />
==Configuring and using '''X-Cart Payments''' in PCI compliant manner ==<br />
<br />
===Installation===<br />
<br />
Follow the [[X-Payments:Installation | standard procedure]] for deployment of X-Cart Payments files to the web server.<br />
<br />
{{Note1|Once installed, X-Cart Payments WILL NEVER:<br/><br />
* store unmasked credit card numbers (PANs)<br />
* send credit card data or any other information to Qualiteam for debug purposes}}<br />
<br />
===Access control===<br />
<br />
You must carefully control access to '''X-Cart Payments'''. Follow these rules:<br />
<br />
* Restrict the number of employees who have access to '''X-Cart Payments''' to only those who have a business need.<br />
* Always provide unique usernames for each person who needs access.<br />
* Do not use system-default usernames and/or passwords<br />
* Web server must be run under a non-privileged user account. Application must access the database from a limited privilege user account.<br />
* All default user accounts use secure authentication mechanisms and password policy settings that comply with all the standard requirements:<br />
** user accounts inactive for more than 3 days are blocked<br />
** password lifetime is set to 30 days<br />
<br />
:: To set password lifetime:<br />
<br />
::# Login to '''X-Cart Payments'''<br />
::# Go to <u>Settings -> General Settings</u><br />
::# Enter the number of days the user account password will be valid for in the "User account password lifetime" field. The maximum allowed password lifetime is 90 days.<br />
<br />
:* minimum password length is 8 characters<br />
:* password must contain both lower and upper case characters and numbers<br />
:* the last 4 passwords must be unique<br />
:* user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password<br />
:* user is logged off after inactivity period of 10 minutes<br />
<br />
<div> Please note that changing default password policy settings will lead to breaking PCI DSS standard requirements.</div><br />
<br />
===Enabling SSL (Secure Socket Layer)===<br />
<br />
SSL protects data that is transmitted between a browser and your web server. It is critical that you have SSL enabled on your web server, and this should be among the first steps taken after installation.<br />
<br />
* Your web server must be configured to use TLS v1.2 protocols with strong encryption (128-bit or longer key is required)<br />
* You will need to have a certificate issued for your web domain. Read [http://help.qtmsoft.com/index.php?title=Instant_SSL_certificate guidelines on installing Comodo's Instant SSL certificates].<br />
<br />
If a web server does not have SSL enabled '''X-Cart Payments''' will not function or will be notifying users depending on '''allow_insecure_protocol''' parameter set in <u>config.ini.php</u> file (disabled by default).<br />
<br />
===Data Collected while Testing===<br />
<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments:<br />
<br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever collect credit card information to troubleshoot a problem that one of your customers is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access<br />
#* Only collect a limited amount of such data as needed to solve a specific problem<br />
#* Sensitive authentication data must be encrypted while stored. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Such data must be securely deleted immediately after use.<br />
<br />
===Encryption Key Management===<br />
<br />
As part of your PA DSS v3.1 requirements, encryption key must be changed annually (changing every 90 days is recommended). You should also change the key any time an employee with access to the key leaves your company. Always replace the key if you know or suspect it has been compromised by any means.<br />
<br />
To change the encryption keys:<br />
<br />
# Log in to '''X-Cart Payments'''<br />
# Go to <u>Maintenance -> Encryption keys</u><br />
# Click "Generate new keys"<br />
<br />
===Use unique user IDs and secure authentication to access PCs, servers and databases ===<br />
<br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords:<br />
<br />
# For your Web hosting account administration area (Web hosting account where your online store is hosted)<br />
# For FTP access to the Web server<br />
# For Remote Desktop Connection to the Web server (if available)<br />
# To connect to the MySQL server that contains your store data.<br />
<br />
The passwords for the accounts mentioned above must also meet the following requirements:<br />
<br />
* be at least 8 characters in length<br />
* contain both numbers and letters in lower and upper case<br />
* not coincide with any part of your email address<br />
* not coincide with any of the last four passwords you have used<br />
* have a lifetime of less than 90 days<br />
* account lockout threshold must be set to 6.<br />
* account lockout duration must be set to 30 minutes (or until unblocked by the administrator).<br />
* user must be logged off after 15 minutes of inactivity<br />
<br />
===Audit trails===<br />
<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. There is no option to disable audit logging. The log files are created in the <u>var/log/</u> directory. Make sure you restrict access to the log files by business need-to-know.<br />
<br />
The following types of activity are logged:<br />
<br />
* All actions taken by any individual with root or administrative privileges<br />
* Successes and failures of all individual accesses to application sections and functions<br />
<br />
* Initialization of the audit logs<br />
* User sign in and sign out.<br />
<br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to files access.log and error.log.<br />
<br />
Each log event includes:<br />
<br />
* Type of event<br />
* Date and time of event<br />
* Username and IP address<br />
* Success or failure indication<br />
* Action which led to the event<br />
<br />
* Component which led to the event<br />
<br />
There is also a meta-log which contains information about other log files being created.<br />
<br />
=== OS-level audit trails ===<br />
<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on server. This software should:<br />
<br />
* warn on a checksum change of any of X-Cart Payments source code files except of log file and database files<br />
* record any file writing operations related to X-Cart Payments files<br />
<br />
===Encrypting network traffic===<br />
<br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for:<br />
<br />
* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
* providing remote web-based access to the application<br />
<br />
If you use tools to remotely access the application, you should encrypt all communication using technologies such as TLS or IPSEC.<br />
<br />
As per PCI DSS requirement 4.2, cardholder data should never be sent unencrypted by e-mail, and X-Cart Payments does meet this requirement '''never''' sending cardholder data by e-mail or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br />
===Wireless communications===<br />
<br />
If you use wireless networking to access '''X-Cart Payments''', it is your responsibility to ensure your wireless security con figuration follows the PCI DSS requirements.<br />
<br />
* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
* Use with a minimum 104-bit encryption key and 24 bit-initialization value<br />
* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS<br />
* Rotate shared WEP keys quarterly (or automatically if the technology permits)<br />
* Rotate shared WEP keys whenever there are changes in personnel with access to keys<br />
* Restrict access based on media access cod e (MAC) address.<br />
* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br />
===Remote access===<br />
<br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time PIN codes. Detailed information can be found at [[X-Payments:Managing_PIN_codes | Managing PIN codes]] page.<br />
<br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following:<br />
<br />
* Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer)<br />
* Allow connections only from specific (known) IP/MAC addresses<br />
* Use strong authentication or complex passwords for logins<br />
* Enable encrypted data transmission<br />
* Enable account lockout after a certain number of failed login attempts<br />
* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed<br />
* Enable any logging or auditing functions<br />
* Restrict access to customer passwords to authorized reseller/integrator personnel<br />
* Establish customer passwords according to PCI DSS requirements 8.1, 8.2, 8.4, 8.5<br />
<br />
Qualiteam does not provide software updates via remote access on an automated basis.<br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
* [http://www.braintreepaymentsolutions.com/assets/308/PCI-Compliance.pdf Braintree PCI DSS compliance Quick Guide]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PCI_DSS_implementation_guide_for_X-Payments_2.2&diff=490X-Payments:PCI DSS implementation guide for X-Payments 2.22015-12-14T14:21:41Z<p>Alex “Ambal” Mulin: /* Encryption Key Management */</p>
<hr />
<div>== Introduction ==<br />
<br />
This guide covers '''X-Cart Payments''' 1.0, 2.0, 2.1, 2.2 and is intended for merchants and integrators who wish to implement the application in accordance with guidelines set by the PCI Data Security Standard (PCI DSS).<br />
<br />
== PCI DSS ==<br />
<br />
PCI DSS specifies 12 requirements broken into 6 groups for compliance that apply both to hardware and software parts of the system that is used to collect, store, transmit and process valuable credit card data as well as the human factor.<br />
<br />
{| border<br />
| Build and Maintain a Secure Network<br />
|<br />
<br />
* Requirement 1: Install and maintain a firewall configuration to protect cardholder data<br />
* Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters<br />
|-<br />
| Protect Cardholder Data<br />
|<br />
<br />
* Requirement 3: Protect stored cardholder data<br />
* Requirement 4: Encrypt transmission of cardholder data across open, public networks<br />
|-<br />
| Maintain a Vulnerability Management Program<br />
|<br />
<br />
* Requirement 5: Use and regularly update anti-virus software<br />
* Requirement 6: Develop and maintain secure systems and applications<br />
|-<br />
| Implement Strong Access Control Measures<br />
|<br />
<br />
* Requirement 7: Restrict access to cardholder data by business need-to-know<br />
* Requirement 8: Assign a unique ID to each person with computer access<br />
* Requirement 9: Restrict physical access to cardholder data<br />
|-<br />
| Regularly Monitor and Test Networks<br />
|<br />
<br />
* Requirement 10: Track and monitor all access to network resources and cardholder data<br />
* Requirement 11: Regularly test security systems and processes<br />
|-<br />
| Maintain an Information Security Policy<br />
|<br />
<br />
* Requirement 12: Maintain a policy that addresses information security<br />
|}<br />
<br />
Specifically, relevant elements to an e-commerce business' PCI compliance status include:<br />
<br />
* Properly using your payment application. For this purpose, carefully review the section below for information on how to use '''X-Cart Payments''' in a way that ensures PCI compliance.<br />
<br />
* Using a PCI compliant Web hosting environment<br />
<br />
* Using a PCI compliant payment provider<br />
<br />
You can find and review the complete specification by visiting [https://www.pcisecuritystandards.org/ https://www.pcisecuritystandards.org/]<br />
<br />
This guide is intended to help merchants implement the '''X-Cart Payments''' application in a way that is compliant with version 2.0 of the PCI DSS.<br />
<br />
== Payment Card Industry Data Security Standard ('''PCI DSS''') ==<br />
<br />
The Payment Card Industry Data Security Standard is a worldwide information security standard assembled by the major credit card vendors, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was designed to help organizations involved in processing credit card payments online make their payment systems secure from cardholder data fraud.<br />
<br />
'''X-Cart Payments''' has been designed and certified to meet all of the requirements of the '''PA-DSS''' version 2.0. This does not automatically make you, the merchant, PCI DSS compliant. To ensure PCI DSS compliance, it is necessary that you follow the recommendations and instructions provided in this guide.<br />
<br />
For additional information about '''PCI DSS''' please visit the [https://www.pcisecuritystandards.org Official PCI Security Standards Council Site].<br />
<br />
== Cardholder data storage==<br />
<br />
'''X-Cart Payments''' has [[X-Payments:General_settings#Cardholder_Data | the ability to store parts of cardholder data temporarily]] for performing 3D Secure verification and certain types of transactions for some of the integrated payment processors. While stored cardholder data is encrypted using special [[X-Payments:Encryption_keys | cryptographic algorithm]]. The data is removed automatically when its storing period is over.<br />
<br />
'''X-Cart Payments''' can not be configured to store permanently in the database the following types of data:<br />
<br />
* unmasked PAN<br />
* PIN<br />
* CVV<br />
* magnetic stripe (track data)<br />
<br />
Merchants and/or developers implementing '''X-Cart Payments''' should not attempt to customize this as a feature.<br />
<br />
'''X-Cart Payments''' can display masked PAN on "Payment details" pages and in "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. '''X-Cart Payments''' does not have the ability to display full PAN anywhere and there are no settings that can change this behavior of the user interface.<br />
<br />
==Configuring and using '''X-Cart Payments''' in PCI compliant manner ==<br />
<br />
===Installation===<br />
<br />
Follow the [[X-Payments:Installation | standard procedure]] for deployment of X-Cart Payments files to the web server.<br />
<br />
{{Note1|Once installed, X-Cart Payments WILL NEVER:<br/><br />
* store unmasked credit card numbers (PANs)<br />
* send credit card data or any other information to Qualiteam for debug purposes}}<br />
<br />
===Access control===<br />
<br />
You must carefully control access to '''X-Cart Payments'''. Follow these rules:<br />
<br />
* Restrict the number of employees who have access to '''X-Cart Payments''' to only those who have a business need.<br />
* Always provide unique usernames for each person who needs access.<br />
* Do not use system-default usernames and/or passwords<br />
* Web server must be run under a non-privileged user account. Application must access the database from a limited privilege user account.<br />
* All default user accounts use secure authentication mechanisms and password policy settings that comply with all the standard requirements:<br />
** user accounts inactive for more than 3 days are blocked<br />
** password lifetime is set to 30 days<br />
<br />
:: To set password lifetime:<br />
<br />
::# Login to '''X-Cart Payments'''<br />
::# Go to <u>Settings -> General Settings</u><br />
::# Enter the number of days the user account password will be valid for in the "User account password lifetime" field. The maximum allowed password lifetime is 90 days.<br />
<br />
:* minimum password length is 8 characters<br />
:* password must contain both lower and upper case characters and numbers<br />
:* the last 4 passwords must be unique<br />
:* user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password<br />
:* user is logged off after inactivity period of 10 minutes<br />
<br />
<div> Please note that changing default password policy settings will lead to breaking PCI DSS standard requirements.</div><br />
<br />
===Enabling SSL (Secure Socket Layer)===<br />
<br />
SSL protects data that is transmitted between a browser and your web server. It is critical that you have SSL enabled on your web server, and this should be among the first steps taken after installation.<br />
<br />
* Your web server must be configured to use TLS v1.2 protocols with strong encryption (128-bit or longer key is required)<br />
* You will need to have a certificate issued for your web domain. Read [http://help.qtmsoft.com/index.php?title=Instant_SSL_certificate guidelines on installing Comodo's Instant SSL certificates].<br />
<br />
If a web server does not have SSL enabled '''X-Cart Payments''' will not function or will be notifying users depending on '''allow_insecure_protocol''' parameter set in <u>config.ini.php</u> file (disabled by default).<br />
<br />
===Data Collected while Testing===<br />
<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments:<br />
<br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever collect credit card information to troubleshoot a problem that one of your customers is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access<br />
#* Only collect a limited amount of such data as needed to solve a specific problem<br />
#* Sensitive authentication data must be encrypted while stored. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Such data must be securely deleted immediately after use.<br />
<br />
===Encryption Key Management===<br />
<br />
As part of your PA DSS v3.1 requirements, encryption key must be changed annually (changing every 90 days is recommended). You should also change the key any time an employee with access to the key leaves your company. Always replace the key if you know or suspect it has been compromised by any means.<br />
<br />
To change the encryption keys:<br />
<br />
# Log in to '''X-Cart Payments'''<br />
# Go to <u>Maintenance -> Encryption keys</u><br />
# Click "Generate new keys"<br />
<br />
===Use unique user IDs and secure authentication to access PCs, servers and databases ===<br />
<br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords:<br />
<br />
# For your Web hosting account administration area (Web hosting account where your online store is hosted)<br />
# For FTP access to the Web server<br />
# For Remote Desktop Connection to the Web server (if available)<br />
# To connect to the MySQL server that contains your store data.<br />
<br />
The passwords for the accounts mentioned above must also meet the following requirements:<br />
<br />
* be at least 8 characters in length<br />
* contain both numbers and letters in lower and upper case<br />
* not coincide with any part of your email address<br />
* not coincide with any of the last four passwords you have used<br />
* have a lifetime of less than 90 days<br />
* account lockout threshold must be set to 6.<br />
* account lockout duration must be set to 30 minutes (or until unblocked by the administrator).<br />
* user must be logged off after 15 minutes of inactivity<br />
<br />
===Audit trails===<br />
<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. There is no option to disable audit logging. The log files are created in the <u>var/log/</u> directory. Make sure you restrict access to the log files by business need-to-know.<br />
<br />
The following types of activity are logged:<br />
<br />
* All actions taken by any individual with root or administrative privileges<br />
* Successes and failures of all individual accesses to application sections and functions<br />
<br />
* Initialization of the audit logs<br />
* User sign in and sign out.<br />
<br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to files access.log and error.log.<br />
<br />
Each log event includes:<br />
<br />
* Type of event<br />
* Date and time of event<br />
* Username and IP address<br />
* Success or failure indication<br />
* Action which led to the event<br />
<br />
* Component which led to the event<br />
<br />
There is also a meta-log which contains information about other log files being created.<br />
<br />
=== OS-level audit trails ===<br />
<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on server. This software should:<br />
<br />
* warn on a checksum change of any of X-Cart Payments source code files except of log file and database files<br />
* record any file writing operations related to X-Cart Payments files<br />
<br />
===Encrypting network traffic===<br />
<br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for:<br />
<br />
* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
* providing remote web-based access to the application<br />
<br />
If you use tools to remotely access the application, you should encrypt all communication using technologies such as TLS or IPSEC.<br />
<br />
As per PCI DSS requirement 4.2, cardholder data should never be sent unencrypted by e-mail, and X-Cart Payments does meet this requirement '''never''' sending cardholder data by e-mail or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br />
===Wireless communications===<br />
<br />
If you use wireless networking to access '''X-Cart Payments''', it is your responsibility to ensure your wireless security con figuration follows the PCI DSS requirements.<br />
<br />
* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
* Use with a minimum 104-bit encryption key and 24 bit-initialization value<br />
* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS<br />
* Rotate shared WEP keys quarterly (or automatically if the technology permits)<br />
* Rotate shared WEP keys whenever there are changes in personnel with access to keys<br />
* Restrict access based on media access cod e (MAC) address.<br />
* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br />
===Remote access===<br />
<br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time PIN codes. Detailed information can be found at [[X-Payments:Managing_PIN_codes | Managing PIN codes]] page.<br />
<br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following:<br />
<br />
* Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer)<br />
* Allow connections only from specific (known) IP/MAC addresses<br />
* Use strong authentication or complex passwords for logins<br />
* Enable encrypted data transmission<br />
* Enable account lockout after a certain number of failed login attempts<br />
* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed<br />
* Enable any logging or auditing functions<br />
* Restrict access to customer passwords to authorized reseller/integrator personnel<br />
* Establish customer passwords according to PCI DSS requirements 8.1, 8.2, 8.4, 8.5<br />
<br />
Qualiteam does not provide software updates via remote access on an automated basis.<br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
* [http://www.braintreepaymentsolutions.com/assets/308/PCI-Compliance.pdf Braintree PCI DSS compliance Quick Guide]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulinhttps://www.x-payments.com/help/?title=X-Payments:PCI_DSS_implementation_guide_for_X-Payments_2.2&diff=489X-Payments:PCI DSS implementation guide for X-Payments 2.22015-12-14T13:47:38Z<p>Alex “Ambal” Mulin: /* Cardholder data storage */</p>
<hr />
<div>== Introduction ==<br />
<br />
This guide covers '''X-Cart Payments''' 1.0, 2.0, 2.1, 2.2 and is intended for merchants and integrators who wish to implement the application in accordance with guidelines set by the PCI Data Security Standard (PCI DSS).<br />
<br />
== PCI DSS ==<br />
<br />
PCI DSS specifies 12 requirements broken into 6 groups for compliance that apply both to hardware and software parts of the system that is used to collect, store, transmit and process valuable credit card data as well as the human factor.<br />
<br />
{| border<br />
| Build and Maintain a Secure Network<br />
|<br />
<br />
* Requirement 1: Install and maintain a firewall configuration to protect cardholder data<br />
* Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters<br />
|-<br />
| Protect Cardholder Data<br />
|<br />
<br />
* Requirement 3: Protect stored cardholder data<br />
* Requirement 4: Encrypt transmission of cardholder data across open, public networks<br />
|-<br />
| Maintain a Vulnerability Management Program<br />
|<br />
<br />
* Requirement 5: Use and regularly update anti-virus software<br />
* Requirement 6: Develop and maintain secure systems and applications<br />
|-<br />
| Implement Strong Access Control Measures<br />
|<br />
<br />
* Requirement 7: Restrict access to cardholder data by business need-to-know<br />
* Requirement 8: Assign a unique ID to each person with computer access<br />
* Requirement 9: Restrict physical access to cardholder data<br />
|-<br />
| Regularly Monitor and Test Networks<br />
|<br />
<br />
* Requirement 10: Track and monitor all access to network resources and cardholder data<br />
* Requirement 11: Regularly test security systems and processes<br />
|-<br />
| Maintain an Information Security Policy<br />
|<br />
<br />
* Requirement 12: Maintain a policy that addresses information security<br />
|}<br />
<br />
Specifically, relevant elements to an e-commerce business' PCI compliance status include:<br />
<br />
* Properly using your payment application. For this purpose, carefully review the section below for information on how to use '''X-Cart Payments''' in a way that ensures PCI compliance.<br />
<br />
* Using a PCI compliant Web hosting environment<br />
<br />
* Using a PCI compliant payment provider<br />
<br />
You can find and review the complete specification by visiting [https://www.pcisecuritystandards.org/ https://www.pcisecuritystandards.org/]<br />
<br />
This guide is intended to help merchants implement the '''X-Cart Payments''' application in a way that is compliant with version 2.0 of the PCI DSS.<br />
<br />
== Payment Card Industry Data Security Standard ('''PCI DSS''') ==<br />
<br />
The Payment Card Industry Data Security Standard is a worldwide information security standard assembled by the major credit card vendors, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was designed to help organizations involved in processing credit card payments online make their payment systems secure from cardholder data fraud.<br />
<br />
'''X-Cart Payments''' has been designed and certified to meet all of the requirements of the '''PA-DSS''' version 2.0. This does not automatically make you, the merchant, PCI DSS compliant. To ensure PCI DSS compliance, it is necessary that you follow the recommendations and instructions provided in this guide.<br />
<br />
For additional information about '''PCI DSS''' please visit the [https://www.pcisecuritystandards.org Official PCI Security Standards Council Site].<br />
<br />
== Cardholder data storage==<br />
<br />
'''X-Cart Payments''' has [[X-Payments:General_settings#Cardholder_Data | the ability to store parts of cardholder data temporarily]] for performing 3D Secure verification and certain types of transactions for some of the integrated payment processors. While stored cardholder data is encrypted using special [[X-Payments:Encryption_keys | cryptographic algorithm]]. The data is removed automatically when its storing period is over.<br />
<br />
'''X-Cart Payments''' can not be configured to store permanently in the database the following types of data:<br />
<br />
* unmasked PAN<br />
* PIN<br />
* CVV<br />
* magnetic stripe (track data)<br />
<br />
Merchants and/or developers implementing '''X-Cart Payments''' should not attempt to customize this as a feature.<br />
<br />
'''X-Cart Payments''' can display masked PAN on "Payment details" pages and in "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. '''X-Cart Payments''' does not have the ability to display full PAN anywhere and there are no settings that can change this behavior of the user interface.<br />
<br />
==Configuring and using '''X-Cart Payments''' in PCI compliant manner ==<br />
<br />
===Installation===<br />
<br />
Follow the [[X-Payments:Installation | standard procedure]] for deployment of X-Cart Payments files to the web server.<br />
<br />
{{Note1|Once installed, X-Cart Payments WILL NEVER:<br/><br />
* store unmasked credit card numbers (PANs)<br />
* send credit card data or any other information to Qualiteam for debug purposes}}<br />
<br />
===Access control===<br />
<br />
You must carefully control access to '''X-Cart Payments'''. Follow these rules:<br />
<br />
* Restrict the number of employees who have access to '''X-Cart Payments''' to only those who have a business need.<br />
* Always provide unique usernames for each person who needs access.<br />
* Do not use system-default usernames and/or passwords<br />
* Web server must be run under a non-privileged user account. Application must access the database from a limited privilege user account.<br />
* All default user accounts use secure authentication mechanisms and password policy settings that comply with all the standard requirements:<br />
** user accounts inactive for more than 3 days are blocked<br />
** password lifetime is set to 30 days<br />
<br />
:: To set password lifetime:<br />
<br />
::# Login to '''X-Cart Payments'''<br />
::# Go to <u>Settings -> General Settings</u><br />
::# Enter the number of days the user account password will be valid for in the "User account password lifetime" field. The maximum allowed password lifetime is 90 days.<br />
<br />
:* minimum password length is 8 characters<br />
:* password must contain both lower and upper case characters and numbers<br />
:* the last 4 passwords must be unique<br />
:* user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password<br />
:* user is logged off after inactivity period of 10 minutes<br />
<br />
<div> Please note that changing default password policy settings will lead to breaking PCI DSS standard requirements.</div><br />
<br />
===Enabling SSL (Secure Socket Layer)===<br />
<br />
SSL protects data that is transmitted between a browser and your web server. It is critical that you have SSL enabled on your web server, and this should be among the first steps taken after installation.<br />
<br />
* Your web server must be configured to use TLS v1.2 protocols with strong encryption (128-bit or longer key is required)<br />
* You will need to have a certificate issued for your web domain. Read [http://help.qtmsoft.com/index.php?title=Instant_SSL_certificate guidelines on installing Comodo's Instant SSL certificates].<br />
<br />
If a web server does not have SSL enabled '''X-Cart Payments''' will not function or will be notifying users depending on '''allow_insecure_protocol''' parameter set in <u>config.ini.php</u> file (disabled by default).<br />
<br />
===Data Collected while Testing===<br />
<br />
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments:<br />
<br />
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.<br />
# If you ever collect credit card information to troubleshoot a problem that one of your customers is having, then please note the following:<br />
#* Such data must be stored only in specific, known locations with limited access<br />
#* Only collect a limited amount of such data as needed to solve a specific problem<br />
#* Sensitive authentication data must be encrypted while stored. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.<br />
# Such data must be securely deleted immediately after use.<br />
<br />
===Encryption Key Management===<br />
<br />
As part of your PCI DSS v2.0 requirements, encryption key must be changed annually (changing every 90 days is recommended). You should also change the key any time an employee with access to the key leaves your company. Always replace the key if you know or suspect it has been compromised by any means.<br />
<br />
To change the encryption keys:<br />
<br />
# Log in to '''X-Cart Payments'''<br />
# Go to <u>Maintenance -> Encryption keys</u><br />
# Click "Generate new keys"<br />
<br />
===Use unique user IDs and secure authentication to access PCs, servers and databases ===<br />
<br />
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords:<br />
<br />
# For your Web hosting account administration area (Web hosting account where your online store is hosted)<br />
# For FTP access to the Web server<br />
# For Remote Desktop Connection to the Web server (if available)<br />
# To connect to the MySQL server that contains your store data.<br />
<br />
The passwords for the accounts mentioned above must also meet the following requirements:<br />
<br />
* be at least 8 characters in length<br />
* contain both numbers and letters in lower and upper case<br />
* not coincide with any part of your email address<br />
* not coincide with any of the last four passwords you have used<br />
* have a lifetime of less than 90 days<br />
* account lockout threshold must be set to 6.<br />
* account lockout duration must be set to 30 minutes (or until unblocked by the administrator).<br />
* user must be logged off after 15 minutes of inactivity<br />
<br />
===Audit trails===<br />
<br />
Audit trails are automatically enabled with the default installation of X-Cart Payments. There is no option to disable audit logging. The log files are created in the <u>var/log/</u> directory. Make sure you restrict access to the log files by business need-to-know.<br />
<br />
The following types of activity are logged:<br />
<br />
* All actions taken by any individual with root or administrative privileges<br />
* Successes and failures of all individual accesses to application sections and functions<br />
<br />
* Initialization of the audit logs<br />
* User sign in and sign out.<br />
<br />
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to files access.log and error.log.<br />
<br />
Each log event includes:<br />
<br />
* Type of event<br />
* Date and time of event<br />
* Username and IP address<br />
* Success or failure indication<br />
* Action which led to the event<br />
<br />
* Component which led to the event<br />
<br />
There is also a meta-log which contains information about other log files being created.<br />
<br />
=== OS-level audit trails ===<br />
<br />
Make sure you have a system-level auditing software properly configured to monitor users' activity on server. This software should:<br />
<br />
* warn on a checksum change of any of X-Cart Payments source code files except of log file and database files<br />
* record any file writing operations related to X-Cart Payments files<br />
<br />
===Encrypting network traffic===<br />
<br />
X-Cart Payments uses encryption, such as TLS or IPSEC, for:<br />
<br />
* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.<br />
* providing remote web-based access to the application<br />
<br />
If you use tools to remotely access the application, you should encrypt all communication using technologies such as TLS or IPSEC.<br />
<br />
As per PCI DSS requirement 4.2, cardholder data should never be sent unencrypted by e-mail, and X-Cart Payments does meet this requirement '''never''' sending cardholder data by e-mail or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.<br />
<br />
===Wireless communications===<br />
<br />
If you use wireless networking to access '''X-Cart Payments''', it is your responsibility to ensure your wireless security con figuration follows the PCI DSS requirements.<br />
<br />
* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.<br />
* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.<br />
* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.<br />
* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:<br />
* Use with a minimum 104-bit encryption key and 24 bit-initialization value<br />
* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS<br />
* Rotate shared WEP keys quarterly (or automatically if the technology permits)<br />
* Rotate shared WEP keys whenever there are changes in personnel with access to keys<br />
* Restrict access based on media access cod e (MAC) address.<br />
* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.<br />
<br />
===Remote access===<br />
<br />
X-Cart Payments provides web-based access using two-factor authentication based on one-time PIN codes. Detailed information can be found at [[X-Payments:Managing_PIN_codes | Managing PIN codes]] page.<br />
<br />
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following:<br />
<br />
* Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer)<br />
* Allow connections only from specific (known) IP/MAC addresses<br />
* Use strong authentication or complex passwords for logins<br />
* Enable encrypted data transmission<br />
* Enable account lockout after a certain number of failed login attempts<br />
* Configure the system so a remote user must establish a Virtual Private Network (“VPN”) connection via a firewall before access is allowed<br />
* Enable any logging or auditing functions<br />
* Restrict access to customer passwords to authorized reseller/integrator personnel<br />
* Establish customer passwords according to PCI DSS requirements 8.1, 8.2, 8.4, 8.5<br />
<br />
Qualiteam does not provide software updates via remote access on an automated basis.<br />
<br />
==See also==<br />
<br />
* [[X-Payments:PCI_FAQs | PCI FAQs]]<br />
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]<br />
* [http://www.braintreepaymentsolutions.com/assets/308/PCI-Compliance.pdf Braintree PCI DSS compliance Quick Guide]<br />
<br />
<br />
<noinclude>{{pdf_single}}</noinclude><br />
<br />
<br />
[[Category:X-Payments Developer Guide]]<br />
[[Category:PCI DSS]]</div>Alex “Ambal” Mulin