X-Payments Help - User contributions [en]

X-Payments:Payment gateways supported by X-Payments 3.1

2020-02-14T10:05:17Z

Ambal:

The table below provides a list of payment gateways supported by X-Payments 3.1.
 
'''Legend:'''

* '''Auth''': Allows to authorize the availability of funds for a transaction (The buyer's funds are temporarily placed on hold to ensure the availability of the authorization amount for capture).
* '''Capture''': Allows to capture the amount of the authorization (The money authorized for the order is moved from the buyers's account to the merchant's account).
* '''Sale''': Supports transactions of 'Sale' type (Authorization and capture actions are completed simultaneously at the time the payment is processed).
* '''Void''': Allows the removal of an authorization hold from the buyer's account by the merchant.
* '''Refund''': Allows to issue refunds (The money is returned to the buyer's account).
* '''Get Status''': Can provide information about the status of a transaction to X-Payments.
* '''Get Card''': Can provide new/updated information about a saved credit card. For example, if a credit card gets re-issued, it is possible to get the renewed expiration date. If any other information changes, like the credit card number or the billing address, it is possible to access this updated credit card information as well.
* '''Accept''', '''Decline''': Allows to accept or reject transactions with a higher likelihood of risk.
* '''Test''': Can test whether the merchant account details entered in X-Payments are valid.
* '''3D-Secure via Cardinal Commerce''': Supports 3-D Secure payer authentication via Cardinal Commerce (both 3-D Secure v1 and v2 are supported). Best for PSD 2 in the European Union.
* '''Tokenization''': Supports tokenization (Allows to charge customer credit cards again - without X-Payments storing cardholder data).
* '''p''': Supports partial transactions (For example, "Capture + p" = Allows to capture a partial amount of the authorization).
* '''m''': Supports multiple transactions (For example, "Capture + m" = Allows to perform the capture action multiple times).

{| class="wikitable" width=90%
|-
! scope="col" style="width: 15%;"| '''Payment service provider'''
! scope="col" style="width: 20%;"| '''Payment system'''
! scope="col" style="width: 6%;"| '''Sale'''
! scope="col" style="width: 6%;"| '''Auth'''
! scope="col" style="width: 10%;"| '''Capture'''
! scope="col" style="width: 6%;"| '''Void'''
! scope="col" style="width: 10%;"| '''Refund'''
! scope="col" style="width: 6%;"| '''Get status'''
! scope="col" style="width: 6%;"| '''Get card'''
! scope="col" style="width: 6%;"| '''Accept'''
! scope="col" style="width: 6%;"| '''Decline'''
! scope="col" style="width: 6%;"| '''Test'''
! scope="col" style="width: 6%;"| '''3D-Secure via Cardinal Commerce'''
! scope="col" style="width: 6%;"| '''Tokenization'''
! scope="col" style="width: 6%;"| '''Account updater'''
|- style="vertical-align:top;"
| [http://www.paypal.com/ PayPal]
| PayFlow Pro
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
| Built-in, only 3-D Secure v1
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.paypal.com/ PayPal]
| PayPal Payments Pro (PayPal API)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.paypal.com/ PayPal]
| PayPal Payments Pro (Payflow API)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.anz.com/ Australia and New Zealand Banking Group Limited]
| ANZ eGate
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [https://paymentgateway.americanexpress.com/ American Express]
| American Express Web-Services API Integration
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]] + p, m
||
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [https://www.authorize.net Authorize.Net LLC]
| Authorize.Net
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|- style="vertical-align:top;"
| [https://www.bambora.com/ Beanstream Internet Commerce, Inc.]
| Bambora (Beanstream)  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|-
! scope="col" style="width: 15%;"| '''Payment service provider'''
! scope="col" style="width: 20%;"| '''Payment system'''
! scope="col" style="width: 6%;"| '''Sale'''
! scope="col" style="width: 6%;"| '''Auth'''
! scope="col" style="width: 10%;"| '''Capture'''
! scope="col" style="width: 6%;"| '''Void'''
! scope="col" style="width: 10%;"| '''Refund'''
! scope="col" style="width: 6%;"| '''Get status'''
! scope="col" style="width: 6%;"| '''Get card'''
! scope="col" style="width: 6%;"| '''Accept'''
! scope="col" style="width: 6%;"| '''Decline'''
! scope="col" style="width: 6%;"| '''Test'''
! scope="col" style="width: 6%;"| '''3D-Secure via Cardinal Commerce'''
! scope="col" style="width: 6%;"| '''Tokenization'''
! scope="col" style="width: 6%;"| '''Account updater'''
|- style="vertical-align:top;"
| [http://www.beanstream.com/ Beanstream]
| Beanstream (legacy API)  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|- style="vertical-align:top;"
| [https://www.bendigobank.com.au Bendigo Bank]
| Bendigo Bank  
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://billriant.com Billriant.com]
| BillriantPay
| [[File:Check.svg|25px]]
|
|
|
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://bluepay.com/xpayments-partner-page BluePay]
| BluePay  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [https://home.bluesnap.com/ BlueSnap Inc.]
| BlueSnap Payment API (XML)  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]]
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|- style="vertical-align:top;"
| [https://www.braintreepayments.com/ Braintree, a division of PayPal, Inc.]
| Braintree, direct integration with CC storing
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.caledoncard.com/ Blue Pay Canada (formerly Caledon Computer Systems, Inc.)]
| Blue Pay Canada (formerly Caledon)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|-
! scope="col" style="width: 15%;"| '''Payment service provider'''
! scope="col" style="width: 20%;"| '''Payment system'''
! scope="col" style="width: 6%;"| '''Sale'''
! scope="col" style="width: 6%;"| '''Auth'''
! scope="col" style="width: 10%;"| '''Capture'''
! scope="col" style="width: 6%;"| '''Void'''
! scope="col" style="width: 10%;"| '''Refund'''
! scope="col" style="width: 6%;"| '''Get status'''
! scope="col" style="width: 6%;"| '''Get card'''
! scope="col" style="width: 6%;"| '''Accept'''
! scope="col" style="width: 6%;"| '''Decline'''
! scope="col" style="width: 6%;"| '''Test'''
! scope="col" style="width: 6%;"| '''3D-Secure via Cardinal Commerce'''
! scope="col" style="width: 6%;"| '''Tokenization'''
! scope="col" style="width: 6%;"| '''Account updater'''
|- style="vertical-align:top;"
| [http://www.cardinalcommerce.com/ CardinalCommerce Corporation]
| Cardinal Commerce Centinel
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
|
|
|
|
| Built-in, only 3-D Secure v1
|
|
|- style="vertical-align:top;"
| [http://www.chasepaymentech.com/ Chase Paymentech]
| Chase Paymentech Orbital  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]] + p
|
| [[File:Check.svg|25px]]
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|- style="vertical-align:top;"
| [https://www.commbank.com.au/ CommWeb - Commonwealth Bank of Australia]
| CommWeb - Commonwealth Bank  
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.cybersource.com/ CyberSource]
| CyberSource - SOAP toolkit API  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.dibspayment.com/ DIBS Payment Services AB]
| DIBS
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|- style="vertical-align:top;"
| [http://www.securepay.com.au/ SecurePay Pty Ltd]
| [http://www.directone.com.au/ DirectOne - Direct Interface]  
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [https://secure.5thdl.com Sparrow (formerly 5th Dimension Logisitics, LLC)]
| Sparrow (formerly 5th Dimension Gateway)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
| [[File:Check.svg|25px]] + p
|
|
|
|
|
|
|
|
|-
! scope="col" style="width: 15%;"| '''Payment service provider'''
! scope="col" style="width: 20%;"| '''Payment system'''
! scope="col" style="width: 6%;"| '''Sale'''
! scope="col" style="width: 6%;"| '''Auth'''
! scope="col" style="width: 10%;"| '''Capture'''
! scope="col" style="width: 6%;"| '''Void'''
! scope="col" style="width: 10%;"| '''Refund'''
! scope="col" style="width: 6%;"| '''Get status'''
! scope="col" style="width: 6%;"| '''Get card'''
! scope="col" style="width: 6%;"| '''Accept'''
! scope="col" style="width: 6%;"| '''Decline'''
! scope="col" style="width: 6%;"| '''Test'''
! scope="col" style="width: 6%;"| '''3D-Secure via Cardinal Commerce'''
! scope="col" style="width: 6%;"| '''Tokenization'''
! scope="col" style="width: 6%;"| '''Account updater'''
|- style="vertical-align:top;"
| [http://www.echo-inc.com/ Electronic Clearing House, Inc.]
| ECHO NVP
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
| [[File:Check.svg|25px]]
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|- style="vertical-align:top;"
| [http://www.elavon.com/ Elavon, Inc.]
| Elavon (Realex API)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
| Built-in, only 3-D Secure v1
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.barclaycardbusiness.co.uk/about_us.html Barclaycard Business]
| ePDQ MPI XML (Phased out)  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.eprocessingnetwork.com/Info.html eProcessing Network, LLC]
| eProcessing Network - Transparent Database Engine
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
| Built-in, only 3-D Secure v1
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.moneris.com/ Moneris Solutions]
| eSELECTplus  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.eway.com.au/Company/Company.aspx Web Active Corporation Pty Ltd]
| eWay Rapid - Direct Connection
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.eway.com.au/Company/Company.aspx Web Active Corporation Pty Ltd]
| eWay Realtime Payments XML
| [[File:Check.svg|25px]]
|
|
|
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|-
! scope="col" style="width: 15%;"| '''Payment service provider'''
! scope="col" style="width: 20%;"| '''Payment system'''
! scope="col" style="width: 6%;"| '''Sale'''
! scope="col" style="width: 6%;"| '''Auth'''
! scope="col" style="width: 10%;"| '''Capture'''
! scope="col" style="width: 6%;"| '''Void'''
! scope="col" style="width: 10%;"| '''Refund'''
! scope="col" style="width: 6%;"| '''Get status'''
! scope="col" style="width: 6%;"| '''Get card'''
! scope="col" style="width: 6%;"| '''Accept'''
! scope="col" style="width: 6%;"| '''Decline'''
! scope="col" style="width: 6%;"| '''Test'''
! scope="col" style="width: 6%;"| '''3D-Secure via Cardinal Commerce'''
! scope="col" style="width: 6%;"| '''Tokenization'''
! scope="col" style="width: 6%;"| '''Account updater'''
|- style="vertical-align:top;"
| [http://www.globalpaymentsinc.com Global Payments, Inc]
| Global Iris/HSBC - RealAuth Remote
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
| Built-in, only 3-D Secure v1
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.goemerchant.com/ GoEmerchant, LLC]
| GoEmerchant - XML Gateway API
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.heidelpay.de Heidelberger Payment GmbH]
| HeidelPay
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.innovativegateway.com/ Intuit, Inc. Innovative Gateway]
| Innovative Gateway
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.itransact.com/ iTransact, Inc.]
| iTransact XML  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.firstdata.com/ First Data Corporation]
| First Data Payeezy Gateway (formerly Global Gateway e4)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.merituspayment.com/ Meritus Payment Solutions]
| Meritus Web Host
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]] (works only in "Sale" mode, is disabled in "Auth only" mode)
|
|-
! scope="col" style="width: 15%;"| '''Payment service provider'''
! scope="col" style="width: 20%;"| '''Payment system'''
! scope="col" style="width: 6%;"| '''Sale'''
! scope="col" style="width: 6%;"| '''Auth'''
! scope="col" style="width: 10%;"| '''Capture'''
! scope="col" style="width: 6%;"| '''Void'''
! scope="col" style="width: 10%;"| '''Refund'''
! scope="col" style="width: 6%;"| '''Get status'''
! scope="col" style="width: 6%;"| '''Get card'''
! scope="col" style="width: 6%;"| '''Accept'''
! scope="col" style="width: 6%;"| '''Decline'''
! scope="col" style="width: 6%;"| '''Test'''
! scope="col" style="width: 6%;"| '''3D-Secure via Cardinal Commerce'''
! scope="col" style="width: 6%;"| '''Tokenization'''
! scope="col" style="width: 6%;"| '''Account updater'''
|- style="vertical-align:top;"
| [http://www.nab.com.au/ NAB - National Australia Bank]
| NAB - National Australia Bank
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.netbilling.com/ Netbilling, Inc.]
| Netbilling - Direct Mode  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [https://netevia.com/ Netevia]
| Netevia
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [https://www.nmi.com/ Network Merchants, LLC Merchant One]
| NMI (Network Merchants Inc.)  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|- style="vertical-align:top;"
| [http://www.netregistry.com.au/ Netregistry Pty Ltd]
| NetRegistry  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.ogone.com/ Ingenico Payment Services (formerly Ogone)]
| Ingenico ePayments (Ogone e-Commerce)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.paygate.net/ PayGate]
| PayGate Korea  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|-
! scope="col" style="width: 15%;"| '''Payment service provider'''
! scope="col" style="width: 20%;"| '''Payment system'''
! scope="col" style="width: 6%;"| '''Sale'''
! scope="col" style="width: 6%;"| '''Auth'''
! scope="col" style="width: 10%;"| '''Capture'''
! scope="col" style="width: 6%;"| '''Void'''
! scope="col" style="width: 10%;"| '''Refund'''
! scope="col" style="width: 6%;"| '''Get status'''
! scope="col" style="width: 6%;"| '''Get card'''
! scope="col" style="width: 6%;"| '''Accept'''
! scope="col" style="width: 6%;"| '''Decline'''
! scope="col" style="width: 6%;"| '''Test'''
! scope="col" style="width: 6%;"| '''3D-Secure via Cardinal Commerce'''
! scope="col" style="width: 6%;"| '''Tokenization'''
! scope="col" style="width: 6%;"| '''Account updater'''
|- style="vertical-align:top;"
| [http://www.psigate.com/ Payment Services Interactive Gateway Inc.]
| PSiGate XML API
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|- style="vertical-align:top;"
| [http://www.quantumgateway.com/ Quantum Services LLC]
| QuantumGateway - Transparent QGWdatabase Engine
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.quantumgateway.com/ Quantum Services LLC]
| QuantumGateway - XML Requester
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [https://quickpay.net/ QuickPay ApS]
| QuickPay  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://payments.intuit.com/ Intuit Inc.]
| Intuit QuickBooks Payments  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
| [[File:Check.svg|25px]] + p
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [https://www.globalpaymentsinc.com/ Global Payments Inc.]
| Global Payments (formerly Realex)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
| Built-in, only 3-D Secure v1
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.sagepay.com/ Sage Pay]
| Sage Pay Go - Direct Interface
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| Built-in, only 3-D Secure v1
| [[File:Check.svg|25px]]
|
|-
! scope="col" style="width: 15%;"| '''Payment service provider'''
! scope="col" style="width: 20%;"| '''Payment system'''
! scope="col" style="width: 6%;"| '''Sale'''
! scope="col" style="width: 6%;"| '''Auth'''
! scope="col" style="width: 10%;"| '''Capture'''
! scope="col" style="width: 6%;"| '''Void'''
! scope="col" style="width: 10%;"| '''Refund'''
! scope="col" style="width: 6%;"| '''Get status'''
! scope="col" style="width: 6%;"| '''Get card'''
! scope="col" style="width: 6%;"| '''Accept'''
! scope="col" style="width: 6%;"| '''Decline'''
! scope="col" style="width: 6%;"| '''Test'''
! scope="col" style="width: 6%;"| '''3D-Secure via Cardinal Commerce'''
! scope="col" style="width: 6%;"| '''Tokenization'''
! scope="col" style="width: 6%;"| '''Account updater'''
|- style="vertical-align:top;"
| [https://paya.com/ Paya]
| Paya
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]]
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.securepay.com/ SecurePay.com Inc.]
| SecurePay USA  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.securepay.com.au/ SecurePay - A Business of Australia Post]
| SecurePay Australia
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [https://www.simplify.com/commerce/ MasterCard]
| Simplify Commerce by MasterCard
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [https://www.emerchant.com/skipjack-gateway/ Skipjack Financial Services, Inc.]
| SkipJack
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.suncorp.com.au/ Suncorp]
| Suncorp
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.usaepay.com/ GorCorp Inc.]
| USA ePay - Transaction Gateway API
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|-
! scope="col" style="width: 15%;"| '''Payment service provider'''
! scope="col" style="width: 20%;"| '''Payment system'''
! scope="col" style="width: 6%;"| '''Sale'''
! scope="col" style="width: 6%;"| '''Auth'''
! scope="col" style="width: 10%;"| '''Capture'''
! scope="col" style="width: 6%;"| '''Void'''
! scope="col" style="width: 10%;"| '''Refund'''
! scope="col" style="width: 6%;"| '''Get status'''
! scope="col" style="width: 6%;"| '''Get card'''
! scope="col" style="width: 6%;"| '''Accept'''
! scope="col" style="width: 6%;"| '''Decline'''
! scope="col" style="width: 6%;"| '''Test'''
! scope="col" style="width: 6%;"| '''3D-Secure via Cardinal Commerce'''
! scope="col" style="width: 6%;"| '''Tokenization'''
! scope="col" style="width: 6%;"| '''Account updater'''
|- style="vertical-align:top;"
| [https://www.myvirtualmerchant.com/VirtualMerchant/ Elavon, Inc.]
| Elavon Converge (ex VirtualMerchant)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.plugnpay.com/ Plug and Pay Technologies]
| WebXpress
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|- style="vertical-align:top;"
| [http://www.worldpay.com/ Worldpay]
| Worldpay Corporate Gateway - Direct Model
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| Built-in, only 3-D Secure v1
|
|
|- style="vertical-align:top;"
| [http://www.worldpay.us/ WorldPay US, Inc.]
| WorldPay Total US  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]]
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|- style="vertical-align:top;"
| [http://www.worldpay.us/ WorldPay US, Inc.]
| WorldPay US (Lynk Systems)  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]] + p
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|}

[[Category:X-Payments User Manual]]

X-Payments:Payment gateways supported by X-Payments 3.1

2020-02-14T10:04:22Z

Ambal:

The table below provides a list of payment gateways supported by X-Payments 3.1.
 
'''Legend:'''

* '''Auth''': Allows to authorize the availability of funds for a transaction (The buyer's funds are temporarily placed on hold to ensure the availability of the authorization amount for capture).
* '''Capture''': Allows to capture the amount of the authorization (The money authorized for the order is moved from the buyers's account to the merchant's account).
* '''Sale''': Supports transactions of 'Sale' type (Authorization and capture actions are completed simultaneously at the time the payment is processed).
* '''Void''': Allows the removal of an authorization hold from the buyer's account by the merchant.
* '''Refund''': Allows to issue refunds (The money is returned to the buyer's account).
* '''Get Status''': Can provide information about the status of a transaction to X-Payments.
* '''Get Card''': Can provide new/updated information about a saved credit card. For example, if a credit card gets re-issued, it is possible to get the renewed expiration date. If any other information changes, like the credit card number or the billing address, it is possible to access this updated credit card information as well.
* '''Accept''', '''Decline''': Allows to accept or reject transactions with a higher likelihood of risk.
* '''Test''': Can test whether the merchant account details entered in X-Payments are valid.
* '''3D-Secure via Cardinal Commerce''': Supports 3-D Secure payer authentication via Cardinal Commerce (both 3-D Secure v1 and v2 are supported). Best for PSD 2 in the European Union.
* '''Tokenization''': Supports tokenization (Allows to charge customer credit cards again - without X-Payments storing cardholder data).
* '''p''': Supports partial transactions (For example, "Capture + p" = Allows to capture a partial amount of the authorization).
* '''m''': Supports multiple transactions (For example, "Capture + m" = Allows to perform the capture action multiple times).

{| class="wikitable" width=90%
|-
! scope="col" style="width: 15%;"| '''Payment service provider'''
! scope="col" style="width: 20%;"| '''Payment system'''
! scope="col" style="width: 6%;"| '''Sale'''
! scope="col" style="width: 6%;"| '''Auth'''
! scope="col" style="width: 10%;"| '''Capture'''
! scope="col" style="width: 6%;"| '''Void'''
! scope="col" style="width: 10%;"| '''Refund'''
! scope="col" style="width: 6%;"| '''Get status'''
! scope="col" style="width: 6%;"| '''Get card'''
! scope="col" style="width: 6%;"| '''Accept'''
! scope="col" style="width: 6%;"| '''Decline'''
! scope="col" style="width: 6%;"| '''Test'''
! scope="col" style="width: 6%;"| '''3D-Secure via Cardinal Commerce'''
! scope="col" style="width: 6%;"| '''Tokenization'''
! scope="col" style="width: 6%;"| '''Account updater'''
|- style="vertical-align:top;"
| [http://www.paypal.com/ PayPal]
| PayFlow Pro
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
| Built-in, only 3-D Secure v1
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.paypal.com/ PayPal]
| PayPal Payments Pro (PayPal API)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.paypal.com/ PayPal]
| PayPal Payments Pro (Payflow API)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.anz.com/ Australia and New Zealand Banking Group Limited]
| ANZ eGate
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [https://paymentgateway.americanexpress.com/ American Express]
| American Express Web-Services API Integration
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]] + p, m
||
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [https://www.authorize.net Authorize.Net LLC]
| Authorize.Net
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|- style="vertical-align:top;"
| [https://www.bambora.com/ Beanstream Internet Commerce, Inc.]
| Bambora (Beanstream)  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|-
! scope="col" style="width: 15%;"| '''Payment service provider'''
! scope="col" style="width: 20%;"| '''Payment system'''
! scope="col" style="width: 6%;"| '''Sale'''
! scope="col" style="width: 6%;"| '''Auth'''
! scope="col" style="width: 10%;"| '''Capture'''
! scope="col" style="width: 6%;"| '''Void'''
! scope="col" style="width: 10%;"| '''Refund'''
! scope="col" style="width: 6%;"| '''Get status'''
! scope="col" style="width: 6%;"| '''Get card'''
! scope="col" style="width: 6%;"| '''Accept'''
! scope="col" style="width: 6%;"| '''Decline'''
! scope="col" style="width: 6%;"| '''Test'''
! scope="col" style="width: 6%;"| '''3D-Secure via Cardinal Commerce'''
! scope="col" style="width: 6%;"| '''Tokenization'''
! scope="col" style="width: 6%;"| '''Account updater'''
|- style="vertical-align:top;"
| [http://www.beanstream.com/ Beanstream]
| Beanstream (legacy API)  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|- style="vertical-align:top;"
| [https://www.bendigobank.com.au Bendigo Bank]
| Bendigo Bank  
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://billriant.com Billriant.com]
| BillriantPay
| [[File:Check.svg|25px]]
|
|
|
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://bluepay.com/xpayments-partner-page BluePay]
| BluePay  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [https://home.bluesnap.com/ BlueSnap Inc.]
| BlueSnap Payment API (XML)  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]]
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|- style="vertical-align:top;"
| [https://www.braintreepayments.com/ Braintree, a division of PayPal, Inc.]
| Braintree, direct integration with CC storing
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.caledoncard.com/ Blue Pay Canada (formerly Caledon Computer Systems, Inc.)]
| Blue Pay Canada (formerly Caledon)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|-
! scope="col" style="width: 15%;"| '''Payment service provider'''
! scope="col" style="width: 20%;"| '''Payment system'''
! scope="col" style="width: 6%;"| '''Sale'''
! scope="col" style="width: 6%;"| '''Auth'''
! scope="col" style="width: 10%;"| '''Capture'''
! scope="col" style="width: 6%;"| '''Void'''
! scope="col" style="width: 10%;"| '''Refund'''
! scope="col" style="width: 6%;"| '''Get status'''
! scope="col" style="width: 6%;"| '''Get card'''
! scope="col" style="width: 6%;"| '''Accept'''
! scope="col" style="width: 6%;"| '''Decline'''
! scope="col" style="width: 6%;"| '''Test'''
! scope="col" style="width: 6%;"| '''3D-Secure via Cardinal Commerce'''
! scope="col" style="width: 6%;"| '''Tokenization'''
! scope="col" style="width: 6%;"| '''Account updater'''
|- style="vertical-align:top;"
| [http://www.cardinalcommerce.com/ CardinalCommerce Corporation]
| Cardinal Commerce Centinel
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
|
|
|
|
| Built-in, only 3-D Secure v1
|
|
|- style="vertical-align:top;"
| [http://www.chasepaymentech.com/ Chase Paymentech]
| Chase Paymentech Orbital  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]] + p
|
| [[File:Check.svg|25px]]
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|- style="vertical-align:top;"
| [https://www.commbank.com.au/ CommWeb - Commonwealth Bank of Australia]
| CommWeb - Commonwealth Bank  
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.cybersource.com/ CyberSource]
| CyberSource - SOAP toolkit API  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.dibspayment.com/ DIBS Payment Services AB]
| DIBS
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|- style="vertical-align:top;"
| [http://www.securepay.com.au/ SecurePay Pty Ltd]
| [http://www.directone.com.au/ DirectOne - Direct Interface]  
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [https://secure.5thdl.com Sparrow (formerly 5th Dimension Logisitics, LLC)]
| Sparrow (formerly 5th Dimension Gateway)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
| [[File:Check.svg|25px]] + p
|
|
|
|
|
|
|
|
|-
! scope="col" style="width: 15%;"| '''Payment service provider'''
! scope="col" style="width: 20%;"| '''Payment system'''
! scope="col" style="width: 6%;"| '''Sale'''
! scope="col" style="width: 6%;"| '''Auth'''
! scope="col" style="width: 10%;"| '''Capture'''
! scope="col" style="width: 6%;"| '''Void'''
! scope="col" style="width: 10%;"| '''Refund'''
! scope="col" style="width: 6%;"| '''Get status'''
! scope="col" style="width: 6%;"| '''Get card'''
! scope="col" style="width: 6%;"| '''Accept'''
! scope="col" style="width: 6%;"| '''Decline'''
! scope="col" style="width: 6%;"| '''Test'''
! scope="col" style="width: 6%;"| '''3D-Secure via Cardinal Commerce'''
! scope="col" style="width: 6%;"| '''Tokenization'''
! scope="col" style="width: 6%;"| '''Account updater'''
|- style="vertical-align:top;"
| [http://www.echo-inc.com/ Electronic Clearing House, Inc.]
| ECHO NVP
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
| [[File:Check.svg|25px]]
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|- style="vertical-align:top;"
| [http://www.elavon.com/ Elavon, Inc.]
| Elavon (Realex API)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
| Built-in, only 3-D Secure v1
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.barclaycardbusiness.co.uk/about_us.html Barclaycard Business]
| ePDQ MPI XML (Phased out)  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.eprocessingnetwork.com/Info.html eProcessing Network, LLC]
| eProcessing Network - Transparent Database Engine
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
| Built-in, only 3-D Secure v1
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.moneris.com/ Moneris Solutions]
| eSELECTplus  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.eway.com.au/Company/Company.aspx Web Active Corporation Pty Ltd]
| eWay Rapid - Direct Connection
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.eway.com.au/Company/Company.aspx Web Active Corporation Pty Ltd]
| eWay Realtime Payments XML
| [[File:Check.svg|25px]]
|
|
|
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|-
! scope="col" style="width: 15%;"| '''Payment service provider'''
! scope="col" style="width: 20%;"| '''Payment system'''
! scope="col" style="width: 6%;"| '''Sale'''
! scope="col" style="width: 6%;"| '''Auth'''
! scope="col" style="width: 10%;"| '''Capture'''
! scope="col" style="width: 6%;"| '''Void'''
! scope="col" style="width: 10%;"| '''Refund'''
! scope="col" style="width: 6%;"| '''Get status'''
! scope="col" style="width: 6%;"| '''Get card'''
! scope="col" style="width: 6%;"| '''Accept'''
! scope="col" style="width: 6%;"| '''Decline'''
! scope="col" style="width: 6%;"| '''Test'''
! scope="col" style="width: 6%;"| '''3D-Secure via Cardinal Commerce'''
! scope="col" style="width: 6%;"| '''Tokenization'''
! scope="col" style="width: 6%;"| '''Account updater'''
|- style="vertical-align:top;"
| [http://www.globalpaymentsinc.com Global Payments, Inc]
| Global Iris/HSBC - RealAuth Remote
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
| Built-in, only 3-D Secure v1
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.goemerchant.com/ GoEmerchant, LLC]
| GoEmerchant - XML Gateway API
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.heidelpay.de Heidelberger Payment GmbH]
| HeidelPay
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.innovativegateway.com/ Intuit, Inc. Innovative Gateway]
| Innovative Gateway
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.itransact.com/ iTransact, Inc.]
| iTransact XML  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.firstdata.com/ First Data Corporation]
| First Data Payeezy Gateway (formerly Global Gateway e4)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.merituspayment.com/ Meritus Payment Solutions]
| Meritus Web Host
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]] (works only in "Sale" mode, is disabled in "Auth only" mode)
|
|-
! scope="col" style="width: 15%;"| '''Payment service provider'''
! scope="col" style="width: 20%;"| '''Payment system'''
! scope="col" style="width: 6%;"| '''Sale'''
! scope="col" style="width: 6%;"| '''Auth'''
! scope="col" style="width: 10%;"| '''Capture'''
! scope="col" style="width: 6%;"| '''Void'''
! scope="col" style="width: 10%;"| '''Refund'''
! scope="col" style="width: 6%;"| '''Get status'''
! scope="col" style="width: 6%;"| '''Get card'''
! scope="col" style="width: 6%;"| '''Accept'''
! scope="col" style="width: 6%;"| '''Decline'''
! scope="col" style="width: 6%;"| '''Test'''
! scope="col" style="width: 6%;"| '''3D-Secure via Cardinal Commerce'''
! scope="col" style="width: 6%;"| '''Tokenization'''
! scope="col" style="width: 6%;"| '''Account updater'''
|- style="vertical-align:top;"
| [http://www.nab.com.au/ NAB - National Australia Bank]
| NAB - National Australia Bank
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.netbilling.com/ Netbilling, Inc.]
| Netbilling - Direct Mode  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [https://netevia.com/ Netevia]
| Netevia
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [https://www.nmi.com/ Network Merchants, LLC]
| NMI (Network Merchants Inc.) used by Merchant One  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|- style="vertical-align:top;"
| [http://www.netregistry.com.au/ Netregistry Pty Ltd]
| NetRegistry  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.ogone.com/ Ingenico Payment Services (formerly Ogone)]
| Ingenico ePayments (Ogone e-Commerce)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.paygate.net/ PayGate]
| PayGate Korea  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|-
! scope="col" style="width: 15%;"| '''Payment service provider'''
! scope="col" style="width: 20%;"| '''Payment system'''
! scope="col" style="width: 6%;"| '''Sale'''
! scope="col" style="width: 6%;"| '''Auth'''
! scope="col" style="width: 10%;"| '''Capture'''
! scope="col" style="width: 6%;"| '''Void'''
! scope="col" style="width: 10%;"| '''Refund'''
! scope="col" style="width: 6%;"| '''Get status'''
! scope="col" style="width: 6%;"| '''Get card'''
! scope="col" style="width: 6%;"| '''Accept'''
! scope="col" style="width: 6%;"| '''Decline'''
! scope="col" style="width: 6%;"| '''Test'''
! scope="col" style="width: 6%;"| '''3D-Secure via Cardinal Commerce'''
! scope="col" style="width: 6%;"| '''Tokenization'''
! scope="col" style="width: 6%;"| '''Account updater'''
|- style="vertical-align:top;"
| [http://www.psigate.com/ Payment Services Interactive Gateway Inc.]
| PSiGate XML API
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|- style="vertical-align:top;"
| [http://www.quantumgateway.com/ Quantum Services LLC]
| QuantumGateway - Transparent QGWdatabase Engine
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.quantumgateway.com/ Quantum Services LLC]
| QuantumGateway - XML Requester
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [https://quickpay.net/ QuickPay ApS]
| QuickPay  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://payments.intuit.com/ Intuit Inc.]
| Intuit QuickBooks Payments  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
| [[File:Check.svg|25px]] + p
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [https://www.globalpaymentsinc.com/ Global Payments Inc.]
| Global Payments (formerly Realex)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
| Built-in, only 3-D Secure v1
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.sagepay.com/ Sage Pay]
| Sage Pay Go - Direct Interface
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| Built-in, only 3-D Secure v1
| [[File:Check.svg|25px]]
|
|-
! scope="col" style="width: 15%;"| '''Payment service provider'''
! scope="col" style="width: 20%;"| '''Payment system'''
! scope="col" style="width: 6%;"| '''Sale'''
! scope="col" style="width: 6%;"| '''Auth'''
! scope="col" style="width: 10%;"| '''Capture'''
! scope="col" style="width: 6%;"| '''Void'''
! scope="col" style="width: 10%;"| '''Refund'''
! scope="col" style="width: 6%;"| '''Get status'''
! scope="col" style="width: 6%;"| '''Get card'''
! scope="col" style="width: 6%;"| '''Accept'''
! scope="col" style="width: 6%;"| '''Decline'''
! scope="col" style="width: 6%;"| '''Test'''
! scope="col" style="width: 6%;"| '''3D-Secure via Cardinal Commerce'''
! scope="col" style="width: 6%;"| '''Tokenization'''
! scope="col" style="width: 6%;"| '''Account updater'''
|- style="vertical-align:top;"
| [https://paya.com/ Paya]
| Paya
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]]
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.securepay.com/ SecurePay.com Inc.]
| SecurePay USA  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.securepay.com.au/ SecurePay - A Business of Australia Post]
| SecurePay Australia
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [https://www.simplify.com/commerce/ MasterCard]
| Simplify Commerce by MasterCard
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [https://www.emerchant.com/skipjack-gateway/ Skipjack Financial Services, Inc.]
| SkipJack
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.suncorp.com.au/ Suncorp]
| Suncorp
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.usaepay.com/ GorCorp Inc.]
| USA ePay - Transaction Gateway API
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|-
! scope="col" style="width: 15%;"| '''Payment service provider'''
! scope="col" style="width: 20%;"| '''Payment system'''
! scope="col" style="width: 6%;"| '''Sale'''
! scope="col" style="width: 6%;"| '''Auth'''
! scope="col" style="width: 10%;"| '''Capture'''
! scope="col" style="width: 6%;"| '''Void'''
! scope="col" style="width: 10%;"| '''Refund'''
! scope="col" style="width: 6%;"| '''Get status'''
! scope="col" style="width: 6%;"| '''Get card'''
! scope="col" style="width: 6%;"| '''Accept'''
! scope="col" style="width: 6%;"| '''Decline'''
! scope="col" style="width: 6%;"| '''Test'''
! scope="col" style="width: 6%;"| '''3D-Secure via Cardinal Commerce'''
! scope="col" style="width: 6%;"| '''Tokenization'''
! scope="col" style="width: 6%;"| '''Account updater'''
|- style="vertical-align:top;"
| [https://www.myvirtualmerchant.com/VirtualMerchant/ Elavon, Inc.]
| Elavon Converge (ex VirtualMerchant)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.plugnpay.com/ Plug and Pay Technologies]
| WebXpress
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|- style="vertical-align:top;"
| [http://www.worldpay.com/ Worldpay]
| Worldpay Corporate Gateway - Direct Model
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| Built-in, only 3-D Secure v1
|
|
|- style="vertical-align:top;"
| [http://www.worldpay.us/ WorldPay US, Inc.]
| WorldPay Total US  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]]
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|- style="vertical-align:top;"
| [http://www.worldpay.us/ WorldPay US, Inc.]
| WorldPay US (Lynk Systems)  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]] + p
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|}

[[Category:X-Payments User Manual]]

X-Payments:X-Cart 4.7.8 Connector and Subscriptions updates

2019-10-16T11:49:30Z

Ambal:

Recently we’ve added multiple updates to X-Payments Connector for X-Cart Classic. Most likely you’ve read about a couple of most significant of them in [https://www.x-cart.com/blog/x-cart-4-7-8.html X-Cart 4.7.8 release] announcement. This article is to tell you about all the new changes.

==X-Payments Connector Improvements and Fixes==

The new connector comes with the following issues fixed:

<ul>
<li>PHP error when iframe is disabled;</li>
<li>Charge instead of authorization when saving a card in customer’s profile;</li>
<li>Problems related to address book editing from the administrator back-end side;</li>
<li>Checkout freezing when switching between shipping methods with the same fee;</li>
<li>Redirect to empty cart after failed recharge.</li>
</ul>

Also, now it supports API 1.7 to get the payment fraud check data (from NoFraud/ Signifyd) and made some security updates.

Starting from X-Payments 3.1.0 the allowed callback IP address will be included in the Configuration bundle. The new connector will be able to recognize this data and use accordingly in X-Cart.

==X-Payments Subscriptions and Installments Module Update==

We’ve optimized the process of assigning credit cards to subscriptions. Now your customers can pick a credit card among those saved in their profile to be used for a new subscription instead of adding the card details manually. Besides, they can update the credit card used for the existing subscription at any time without the need to stop it and re-subscribe with the new card.

Previously, a subscription started only after the payment was captured. If you want it to start as soon as the payment is authorized, you can do so due to the additional new setting.

If and anonymous customer adds a subscription product to cart, he will be able to complete an order only after login or signup.

The update of this feature includes a couple of fixes, too: the one related to extra pending orders upon Subscriptions cron execution and another one related to subscription failed payments issues.

In order to start using the new features, make sure you upgrade the modules. You’re welcome to contact us at support@x-payments.com for assistance.

X-Payments:KOUNT Antifraud screening

2019-04-22T08:28:26Z

Ambal:

<noinclude>{{XP_manual_TOC}}</noinclude>

__NOTOC__

To help you protect your business against fraud, X-Payments versions 2.1 and later provide integration with a powerful fraud detection and prevention solution by [http://www.kount.com/?utm_source=x-cart&utm_medium=home&utm_campaign=partner Kount]. Kount delivers an all-in-one, SaaS model fraud and risk management platform for merchants operating in card-not-present (CNP) environments and looking to root out fraudsters and increase revenue. For each transaction, Kount’s real-time "decisioning" engine analyzes hundreds of relevant variables and activity across the globe. Kount applies a multitude of proven and patented technologies including Multi-layered Device Fingerprinting®, Proxy Piercer® geolocation tools, statistical scoring, rules-based fraud detection, cross-merchant linking, and Persona behavioral modeling. Kount's proprietary technology has reviewed hundreds of millions of transactions and provides maximum protection for some of the world's best-known brands.
 
To start using Kount for online payment fraud screening in X-Payments, complete the following steps: 
# Sign up for a Merchant account with Kount at [http://www.kount.com/?utm_source=x-cart&utm_medium=home&utm_campaign=partner http://www.kount.com]. You will be provided with some credentials that you will need to configure Kount fraud screening in X-Payments: your Merchant ID and your Site ID. Take note of this information. 
# In the Kount Agent Web Console (AWC), create your API Key(s). [[File:Kount_api_keys.png|668px|border]] API Keys are required to authenticate to Kount. Note that Kount has separate environments for testing and production, and API Keys must be created and used for each of the environments separately. Kount's instructions for creating API Keys can be found here: [https://support.kount.com/s/article/Create-an-API-Key https://support.kount.com/s/article/Create-an-API-Key]. 
# In the Kount Agent Web Console (AWC), adjust credit card validation rules for your online store. 
# Log in to X-Payments and locate the payment configuration for which you want to use Kount fraud screening. For the sake of example, we are going to enable KOUNT for the payment configuration "First Data Payeezy Gateway (ex- Global Gateway e4)". [[File:Firstdata_pconf.png|668 px|border]] Open the details of the chosen payment configuration for editing.
# In the payment configuration details, check the '''Antifraud service''' setting. If you haven't been using any antifraud service for the current payment configuration so far, this field will be set to "Not enabled". [[File:Antifraud_service.png|668 px|border]] Reset this field to "KOUNT Antifraud screening". [[File:Kount_selected.png|668 px|border]] Click '''Save''' to save the changes. 
# Configure KOUNT for the current payment configuration:
## Click Configure. [[File:Kount_configure.png|668px|border]] The KOUNT settings page for the current payment configuration opens: [[File:Firstdata_kount.png|668 px|border]] 
## Adjust the KOUNT settings: [[File:Xp_kount_settings.png|668px|border]] 
##* '''Status''' (Not configured / Enable / Disable): This setting indicates whether KOUNT module is active. For now just leave it as is. After you provide the rest of the required settings (below) and save the changes, KOUNT module will be enabled automatically. You will then be able to use this setting to disable/re-enable KOUNT for your current payment configuration as you require.
##* '''Merchant ID''': Specify your Merchant ID as was provided to you by Kount.
##* '''Site ID''': Specify your Site ID.
##* '''Test/Live mode''': Use this to set the operation mode for Kount fraud screening service - ''Test'' or ''Live''. For access to the Kount AWC in Live mode use the address https://awc.kount.net, in Test mode - the address https://awc.test.kount.net.
##* '''Description of products''': Common name of the products sold by your store. 
##* '''Mode for RIS update request''': Choose one of the available options (''X: Update data and re-validate transaction against rules'' or ''U: Update transaction data only''). Mode X is recommended if rules are based on the AVS information returned from the payment gateway. Note that additional charges may apply for Mode X.
##* '''API key''': Enter the API key you have created in the AWC. It will be used for authentication. Note that Kount API has been updated and, starting with X-Payments 3.1.4, Kount certificates (RIS Certificates) are no longer supported. You must use an API key. You must also obtain a Configuration key for the field below.
##* '''Configuration key''': Specify your Configuration key; this one needs to be obtained from Kount.
## Click '''Save''' to save your settings.
# Make sure Kount fraud screening is enabled: [[File:Kount_enabled.png|668px|border]] 

Once Kount antifraud screening has been configured and enabled for a specific payment configuration, any new payment transactions for this payment configuration will be screened by Kount. '''Important:''' Kount will not screen transactions made using a previously saved credit card. In the store where the transaction originated, the order to which the transaction pertains will be marked with an icon. For example, here's an order list from an X-Cart 5 based online store with an order of Aug 30, 2018 screened by Kount: 
::[[File:Kount_orderlist.png|668px|border]] 
If Kount can identify a transaction as potentially fraudulent, it will provide a warning so you can decide whether you wish to accept or decline this transaction. Here's what it looks like on the payment details page in X-Payments:
::[[File:Kount_warning.png|668px|border]] 
A similar warning appears in the store. For example, here's what it looks like in an X-Cart 5 store:
::[[File:Kount_warning_xc.png|668px|border]] 
You will be able to view the results of screening by Kount on the Payment details page in X-Payments:
::[[File:Kount_passed.png|668px|border]]
It is also possible to view the results of screening by Kount on the order details page in the store:
::[[File:Kount_results_xc.png|668px|border]]

[[Category:X-Payments User Manual]]

X-Payments:Payment gateways supported by X-Payments 3.1

2019-04-12T12:00:24Z

Ambal:

The table below provides a list of payment gateways supported by X-Payments 3.1.
 
'''Legend:'''

* '''Auth''': Allows to authorize the availability of funds for a transaction (The buyer's funds are temporarily placed on hold to ensure the availability of the authorization amount for capture).
* '''Capture''': Allows to capture the amount of the authorization (The money authorized for the order is moved from the buyers's account to the merchant's account).
* '''Sale''': Supports transactions of 'Sale' type (Authorization and capture actions are completed simultaneously at the time the payment is processed).
* '''Void''': Allows the removal of an authorization hold from the buyer's account by the merchant.
* '''Refund''': Allows to issue refunds (The money is returned to the buyer's account).
* '''Get Status''': Can provide information about the status of a transaction to X-Payments.
* '''Get Card''': Can provide new/updated information about a saved credit card. For example, if a credit card gets re-issued, it is possible to get the renewed expiration date. If any other information changes, like the credit card number or the billing address, it is possible to access this updated credit card information as well.
* '''Accept''', '''Decline''': Allows to accept or reject transactions with a higher likelihood of risk.
* '''Test''': Can test whether the merchant account details entered in X-Payments are valid.
* '''3D-Secure via Cardinal Commerce''': Supports 3-D Secure payer authentication via Cardinal Commerce. Best for PSD2 in European Union.
* '''Tokenization''': Supports tokenization (Allows to charge customer credit cards again - without X-Payments storing cardholder data).
* '''p''': Supports partial transactions (For example, "Capture + p" = Allows to capture a partial amount of the authorization).
* '''m''': Supports multiple transactions (For example, "Capture + m" = Allows to perform the capture action multiple times).

{| class="wikitable" width=90%
|-
! scope="col" style="width: 15%;"| '''Payment service provider'''
! scope="col" style="width: 20%;"| '''Payment system'''
! scope="col" style="width: 6%;"| '''Sale'''
! scope="col" style="width: 6%;"| '''Auth'''
! scope="col" style="width: 10%;"| '''Capture'''
! scope="col" style="width: 6%;"| '''Void'''
! scope="col" style="width: 10%;"| '''Refund'''
! scope="col" style="width: 6%;"| '''Get status'''
! scope="col" style="width: 6%;"| '''Get card'''
! scope="col" style="width: 6%;"| '''Accept'''
! scope="col" style="width: 6%;"| '''Decline'''
! scope="col" style="width: 6%;"| '''Test'''
! scope="col" style="width: 6%;"| '''3D-Secure via Cardinal Commerce'''
! scope="col" style="width: 6%;"| '''Tokenization'''
! scope="col" style="width: 6%;"| '''Account updater'''
|- style="vertical-align:top;"
| [http://www.paypal.com/ PayPal]
| PayFlow Pro
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
| 3d Secure built in
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.paypal.com/ PayPal]
| PayPal Payments Pro (PayPal API)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.paypal.com/ PayPal]
| PayPal Payments Pro (Payflow API)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.anz.com/ Australia and New Zealand Banking Group Limited]
| ANZ eGate
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [https://paymentgateway.americanexpress.com/ American Express]
| American Express Web-Services API Integration
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]] + p, m
||
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [https://www.authorize.net Authorize.Net LLC]
| Authorize.Net
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|- style="vertical-align:top;"
| [https://www.bambora.com/ Beanstream Internet Commerce, Inc.]
| Bambora (Beanstream)  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.beanstream.com/ Beanstream]
| Beanstream (legacy API)  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|- style="vertical-align:top;"
| [https://www.bendigobank.com.au Bendigo Bank]
| Bendigo Bank  
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://billriant.com Billriant.com]
| BillriantPay
| [[File:Check.svg|25px]]
|
|
|
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://bluepay.com/xpayments-partner-page BluePay]
| BluePay  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [https://home.bluesnap.com/ BlueSnap Inc.]
| BlueSnap Payment API (XML)  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]]
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|- style="vertical-align:top;"
| [https://www.braintreepayments.com/ Braintree, a division of PayPal, Inc.]
| Braintree, direct integration with CC storing
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.caledoncard.com/ Blue Pay Canada (formerly Caledon Computer Systems, Inc.)]
| Blue Pay Canada (formerly Caledon)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|- style="vertical-align:top;"
| [http://www.cardinalcommerce.com/ CardinalCommerce Corporation]
| Cardinal Commerce Centinel
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
|
|
|
|
| 3d Secure built in
|
|
|- style="vertical-align:top;"
| [http://www.chasepaymentech.com/ Chase Paymentech]
| Chase Paymentech  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]] + p
|
| [[File:Check.svg|25px]]
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|- style="vertical-align:top;"
| [https://www.commbank.com.au/ CommWeb - Commonwealth Bank of Australia]
| CommWeb - Commonwealth Bank  
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.cybersource.com/ CyberSource]
| CyberSource - SOAP toolkit API  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.dibspayment.com/ DIBS Payment Services AB]
| DIBS
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|- style="vertical-align:top;"
| [http://www.securepay.com.au/ SecurePay Pty Ltd]
| [http://www.directone.com.au/ DirectOne - Direct Interface]  
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [https://secure.5thdl.com Sparrow (formerly 5th Dimension Logisitics, LLC)]
| Sparrow (formerly 5th Dimension Gateway)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
| [[File:Check.svg|25px]] + p
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.echo-inc.com/ Electronic Clearing House, Inc.]
| ECHO NVP
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
| [[File:Check.svg|25px]]
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|- style="vertical-align:top;"
| [http://www.elavon.com/ Elavon, Inc.]
| Elavon (Realex API)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
| 3d Secure built in
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.barclaycardbusiness.co.uk/about_us.html Barclaycard Business]
| ePDQ MPI XML (Phased out)  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.eprocessingnetwork.com/Info.html eProcessing Network, LLC]
| eProcessing Network - Transparent Database Engine
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
| 3d Secure built in
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.moneris.com/ Moneris Solutions]
| eSELECTplus  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.eway.com.au/Company/Company.aspx Web Active Corporation Pty Ltd]
| eWay Rapid - Direct Connection
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.eway.com.au/Company/Company.aspx Web Active Corporation Pty Ltd]
| eWay Realtime Payments XML
| [[File:Check.svg|25px]]
|
|
|
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.globalpaymentsinc.com Global Payments, Inc]
| Global Iris/HSBC - RealAuth Remote
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
| 3d Secure built in
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.goemerchant.com/ GoEmerchant, LLC]
| GoEmerchant - XML Gateway API
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.heidelpay.de Heidelberger Payment GmbH]
| HeidelPay
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.innovativegateway.com/ Intuit, Inc. Innovative Gateway]
| Innovative Gateway
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.itransact.com/ iTransact, Inc.]
| iTransact XML  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.firstdata.com/ First Data Corporation]
| First Data Payeezy Gateway (formerly Global Gateway e4)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.merituspayment.com/ Meritus Payment Solutions]
| Meritus Web Host
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]] (works only in "Sale" mode, is disabled in "Auth only" mode)
|
|- style="vertical-align:top;"
| [http://www.nab.com.au/ NAB - National Australia Bank]
| NAB - National Australia Bank
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.netbilling.com/ Netbilling, Inc.]
| Netbilling - Direct Mode  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [https://netevia.com/ Netevia]
| Netevia
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [https://www.nmi.com/ Network Merchants, LLC]
| NMI (Network Merchants Inc.)  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|- style="vertical-align:top;"
| [http://www.netregistry.com.au/ Netregistry Pty Ltd]
| NetRegistry  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.ogone.com/ Ingenico Payment Services (formerly Ogone)]
| Ingenico ePayments (Ogone e-Commerce)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.paygate.net/ PayGate]
| PayGate Korea  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.psigate.com/ Payment Services Interactive Gateway Inc.]
| PSiGate XML API
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|- style="vertical-align:top;"
| [http://www.quantumgateway.com/ Quantum Services LLC]
| QuantumGateway - Transparent QGWdatabase Engine
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.quantumgateway.com/ Quantum Services LLC]
| QuantumGateway - XML Requester
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [https://quickpay.net/ QuickPay ApS]
| QuickPay  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://payments.intuit.com/ Intuit Inc.]
| Intuit QuickBooks Payments  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [https://www.globalpaymentsinc.com/ Global Payments Inc.]
| Global Payments (formerly Realex)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
| 3d Secure built in
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.sagepay.com/ Sage Pay]
| Sage Pay Go - Direct Interface
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| 3d Secure built in
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [https://paya.com/ Paya]
| Paya
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]]
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.securepay.com/ SecurePay.com Inc.]
| SecurePay USA  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.securepay.com.au/ SecurePay - A Business of Australia Post]
| SecurePay Australia
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [https://www.simplify.com/commerce/ MasterCard]
| Simplify Commerce by MasterCard
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [https://www.emerchant.com/skipjack-gateway/ Skipjack Financial Services, Inc.]
| SkipJack
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.suncorp.com.au/ Suncorp]
| Suncorp
| [[File:Check.svg|25px]]
|
|
|
|
|
|
|
|
|
|
|
|
|- style="vertical-align:top;"
| [http://www.usaepay.com/ GorCorp Inc.]
| USA ePay - Transaction Gateway API
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [https://www.myvirtualmerchant.com/VirtualMerchant/ Elavon, Inc.]
| Elavon Converge (ex VirtualMerchant)
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|- style="vertical-align:top;"
| [http://www.plugnpay.com/ Plug and Pay Technologies]
| WebXpress
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|
|- style="vertical-align:top;"
| [http://www.worldpay.com/ Worldpay]
| Worldpay Corporate Gateway - Direct Model
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
|
|
|
|
| 3d Secure built in
|
|
|- style="vertical-align:top;"
| [http://www.worldpay.us/ WorldPay US, Inc.]
| WorldPay Total US  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p, m
|
| [[File:Check.svg|25px]]
|
|
|
|
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
|- style="vertical-align:top;"
| [http://www.worldpay.us/ WorldPay US, Inc.]
| WorldPay US (Lynk Systems)  
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]]
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]] + p
| [[File:Check.svg|25px]] + p
|
|
|
|
|
|
| [[File:Check.svg|25px]]
|
|}

[[Category:X-Payments User Manual]]

X-Payments:PA-DSS implementation guide for X-Cart Payments 3

2019-03-04T11:07:58Z

Ambal: /* Hardware and software */

==Introduction==
The purpose of this PA-DSS Implementation Guide is to inform employees of organizations using the X-Cart Payments payment application by Qualiteam Software Limited about the methods and means of protection of account data in the X-Cart Payments software.
 
The methods include the need for compliance with the information security standards in the payment card industry developed by the international payment systems Visa and MasterCard - Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). For additional information about PCI DSS, please visit the [https://www.pcisecuritystandards.org/ Official PCI Security Standards Council Site].
 
The document provides instructions on how to implement the application in a PCI DSS compliant manner.
 
Full product name - X-Cart Payments. 
Product version - 3.1.x.
 
Any servers used to run the X-Cart Payments payment application must be configured according to this PA-DSS Implementation Guide.
 
This PA-DSS Implementation Guide should be updated:
:* at least annually;
:* after changes in the payment application (if required);
:* after changes in the PCI DSS and PA-DSS standards.
 
The updated Version of the PA-DSS Implementation Guide has to be sent to all the merchants using X-Cart Payments.
 
The history of changes to the X-Cart Payments PA-DSS Implementation Guide is provided in the table below.
 
'''Table.1. X-Cart Payments PA-DSS Implementation Guide history of changes''' 
{| class="wikitable" width=90%
|-
! scope="col" style="width: 10%;"| '''Author'''
! scope="col" style="width: 10%;"| '''Date'''
! scope="col" style="width: 10%;"| '''Number'''
! scope="col" style="width: 60%;"| '''Change description'''
|- style="vertical-align:top;"
| Alex Mulin
| 05/17/2016
| 01
| The original version of the document, designed to meet the requirements of PCI DSS version 3.1 and PA DSS version 3.1
|-
| Alex Mulin
| 05/17/2017
| 02
| The original version of the document, designed to meet the requirements of PCI DSS version 3.2 and PA DSS version 3.2
|-
| Alex Mulin
| 05/05/2018
| 03
| Updated versions
|-
|}
 

==Data protection==
The PCI DSS and PA-DSS standards prohibit storage of sensitive authentication data (after authorization) or cardholder data in cleartext. 
Cardholder data includes:
:* Primary Account Number (PAN)
:* Cardholder Name
:* Expiration Date
:* Service Code
 
Sensitive authentication data (SAD) includes:
:* Full track data (magnetic-stripe data or equivalent on a chip)
:* CAV2/CVC2/CVV2/CID
:* PINs/PIN blocks
 
X-Cart Payments has the ability to store parts of cardholder data temporarily to perform 3D Secure verification and certain types of transactions for some of the integrated payment processors. During storage, cardholder data is encrypted using RSA 2048 algorithm and AES 256 for key encryption. When its storage period is over, the data is removed automatically via "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks.
 
X-Cart Payments may not be configured to store permanently in the database the following types of data:
:* Full PAN
:* Full track data (magnetic-stripe data or equivalent on a chip)
:* CAV2/CVC2/CVV2/CID
:* PINs/PIN blocks
Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature.
 
The payment application masks PAN on display (except for the moment when the user enters the card number).
X-Cart Payments can display masked PAN on the "Payment details" pages and in the "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. The same data (partially masked with asterisks) may be passed via the API to the integrated software products. X-Cart Payments does not have the ability to display full PAN anywhere, and there are no settings that can change this behavior of the user interface.
 

==Data Collected while Testing==
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments:
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.
# If you ever choose to collect credit card information to troubleshoot a problem that a customer of yours is having, then please note the following:
#* Such data must be stored only in specific, known locations with limited access.
#* Only collect a limited amount of data (no more than is needed to solve the problem).
#* Sensitive authentication data must be encrypted during storage. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.
# Sensitive authentication data must be securely deleted immediately after use.
To prevent uncontrolled storage of cardholder data (for example, in case of operating system failure), it is recommended to disable the swap file or move it to a specially prepared encrypted partition.
 
==Authentication and access==
The X-Cart Payments payment application has an only user type. This type cannot get access to payment card numbers and does not have any administrative privileges that may affect PA-DSS compliance.
There are no built-in/default user accounts in X-Cart Payments. You must carefully control access to X-Cart Payments. Follow these rules:
:* Restrict the number of employees who have access to X-Cart Payments to only those who have a business need.
:* Always provide unique usernames for each person who needs access.
:* Do not use system-default usernames and/or passwords.
:* Ensure that web server is run under a non-privileged user account and the application has access to the database from a limited privilege user account.
 
To set password lifetime:
# Log in to X-Cart Payments.
# Go to Settings -> General Settings.
# In the "User account password lifetime" field, enter the number of days for which the user account password needs to be valid. The maximum allowed password lifetime is 90 days.
The following related rules apply:
:* The minimum password length is 8 characters.
:* A password must contain both numbers and lower- and uppercase characters.
:* The last 4 passwords must be unique.
:* A user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password.
:* A user is logged off after an inactivity period of 15 minutes.
 
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords:
:* For your Web hosting account administration area (Web hosting account where your online store is hosted);
:* For FTP access to the Web server;
:* For Remote Desktop Connection to the Web server (if available);
:* To connect to the MySQL server that contains your store data.
 
Linux authentication mechanism is used for login in the servers with running X-Cart Payments.
Accounts for access to the operating system are managed by the Linux administrator.
For Linux operating system accounts, you must configure the following attributes of the password policy:
:* use personal accounts, do not use any group, shared, or generic accounts and passwords;
:* changes to user passwords at least once every 90 days;
:* require a minimum length of at least seven characters;
:* contain both numeric and alphabetic characters;
:* do not use last four passwords used previously;
:* block account after six invalid logon attempts (minimum 30 minutes or until an administrator enables the user ID).
 
Two-factor authentication must be used for remote access to the operating system. The authentication methods, also known as factors, are:
:* something you know, such as a password or a passphrase;
:* something you have, such as a token device or a smart card;
:* something you are, such as a biometric.
 

== Logging==
Audit trails are automatically enabled with the default installation of X-Cart Payments. Users do not have the ability to disable or change the logging parameters of X-Cart Payments. X-Cart Payments log journal does not contain cardholder data. It is implemented at the source code level. The setting of an event log journal does not require any additional action from users.
The log files are created in the var/log/ directory. In X-Cart Payments 3.1, logs can be viewed via the X-Cart Payments admin back end. Make sure you restrict access to the log files by business need-to-know.
The following types of activity are logged:
:* All actions taken by any individual with root or administrative privileges.
:* Successes and failures of all individual accesses to application sections and functions.
:* Initialization of the audit logs.
:* User sign in and sign out.
 
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to the files access.log and error.log.
Each log event includes:
:* Type of event;
:* Date and time of event;
:* Username and IP address;
:* Success or failure indication;
:* Action which led to the event;
:* Component which led to the event.
 
There is also a meta-log which contains information about other log files being created.
Make sure you have a system-level auditing software properly configured to monitor users' activity on the server. This software should:
:* warn on a checksum change of any of X-Cart Payments source code files except for the log file and the database files;
:* record any file writing operations related to X-Cart Payments files.
 

==Communication==
LAN channel or other available connection method can be used as a communication channel.
X-Cart Payments payment application supports the following data formats:
{| class="wikitable" width=90%
|-
| scope="col" style="width: 20%;"| '''Protocol'''
| scope="col" style="width: 70%;"| HTTP protocol (RFC 2616: HTTP/1.1) is used for data transfer between client and server
|- style="vertical-align:top;"
| '''Data transmission method'''
| Only encrypted cardholder data (RSA 2048 and AES 256) is transferred. RAW POST method is used for data transmission - (data stream is transmitted in the body of the request that is sent from client to server)
|- style="vertical-align:top;"
| '''Data format'''
| Data is transmitted in XML format (Extensible Markup Language (XML) 1.0) or in plain text using POST query via HTTPS
|- style="vertical-align:top;"
| '''Port'''
| X-Cart Payments payment application uses ports 80, 443
|-
|}
 
'''Network traffic encryption''' 
X-Cart Payments uses encryption, such as TLS or IPSEC, for:
:* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.
:* providing remote web-based access to the application.
 
If you use some tools to remotely access the application, you should encrypt all the communication using such technologies as TLS or IPSEC.
 
As per PCI DSS requirement, cardholder data must never be sent unencrypted by email, and X-Cart Payments does meet this requirement never sending cardholder data by email or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.
 
'''Enable TLS''' 
TLS protects data that is transmitted between a browser and your web server. It is critical that you have TLS enabled on your web server, and one of the first steps you should take after the installation is to enable TLS.
:* Your web server must be configured to use TLS v1.2 protocols with strong encryption (128-bit or longer key is required).
:* You will need to have a certificate issued for your web domain. Read guidelines on installing Comodo's Instant TLS certificates.
 
If a web server does not have TLS enabled, X-Cart Payments will not function.
X-Cart Payments does not support remote administrative access. Strong encryption must be used for remote access to the server.
The connection of servers with X-Cart Payments payment application to the Internet must be protected by a firewall. In X-Cart Payments configurations involving more than one server, server connections should take place in network segments separated from the Internet via stateful inspection firewalls.
 
'''Wireless communications''' 
If you use wireless networking to access X-Cart Payments, it is your responsibility to ensure your wireless security configuration follows the PCI DSS requirements.
:* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.
:* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.
:* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.
:* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:
::* Use with a minimum 104-bit encryption key and 24 bit-initialization value.
::* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS.
::* Rotate shared WEP keys quarterly (or automatically if the technology permits).
::* Rotate shared WEP keys whenever there are changes in personnel with access to keys.
::* Restrict access based on media access code (MAC) address.
::* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.
 
'''Remote access''' 
X-Cart Payments provides web-based access using two-factor authentication based on one-time codes. Detailed information can be found on the [[X-Payments:Two-factor_authentication | X-Payments:Two-factor authentication]] page.
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following:
:* Change the default settings in the remote access software (for example, change the default passwords and use unique passwords for each customer).
:* Allow connections only from specific (known) IP/MAC addresses.
:* Use strong authentication or complex passwords for logins.
:* Enable encrypted data transmission.
:* Enable account lockout after a certain number of failed login attempts.
:* Configure the system so a remote user must establish a Virtual Private Network ("VPN") connection via a firewall before access is allowed.
:* Enable any logging or auditing functions.
:* Restrict access to customer passwords to authorized reseller/integrator personnel.
:* Establish customer passwords according to PCI DSS requirements.
Qualiteam does not provide software updates via remote access on an automated basis.
 

==Hardware and software==
The following requirements must be met for X-Cart Payments payment application self-service terminals: 
'''Operating System''' 
Linux Ubuntu 16 or later, Linux Debian 6.0 or later, Linux CentOS 6 or later 
'''DBMS''' 
MySQL 5.6 or later 
'''Software''' 
PHP 7.1.x or PHP 7.2.x (For security reasons, the latest PHP version in the branch is required.) 
Apache 2.4 or later
 

==Product versioning methodology==
{| class="wikitable" width=90%
|-
! scope="col" style="width: 15%;"| '''Version number changes'''
! scope="col" style="width: 45%;"| '''Software changes'''
! scope="col" style="width: 15%;"| '''Description'''
! scope="col" style="width: 15%;"| '''PA-DSS changes'''
|- style="vertical-align:top;"
| Version number does not change
| Change of the software name Change of the vendor name
| Changes not related to the software development process
| Administrative
|- style="vertical-align:top;"
| Increment of the minor version number to reflect a change not affecting the certification. For example, change of the version number from 1.0.5 to 1.0.6 (for the certification of 1.0.x)
| - Changes to the user interface - Changes to the database schema - Changes to supported payment gateway integrations / Addition of new payment gateway integrations
| Changes that have no impact on the PA-DSS requirements compliance or Payment Application security
| No Impact
|- style="vertical-align:top;"
| Increment of the second version number. For example, change of the version number from 1.1.* to 1.2.*
| Software changes satisfy the following conditions: - Fewer than 4 sections of the standard (from 1 to 12) involved; - Fewer than a half of all the requirements of the standard (sections 1 to 12) involved; - Less than a half of the software functions (or code) modified; - Changes implemented for compatibility with the updated versions of previously tested OS, DBMS and third party software products. - Addition/removal of supported payment processors. - Recompilation of the source code using a new compiler or different compiler settings. - Changes of the software versioning policy. - Changes of the software not related to security.
| - Changes in the software affecting payment card data mechanisms. - Changes addressing the identified vulnerabilities of the application. - Changes related to the completion of the annual cycle of development (if there are other changes).
| Low Impact
|- style="vertical-align:top;"
| Increment of the first version number. For example, change of the version number from 1.0.* to 2.0.*
| Software changes satisfy the following conditions: - 4 or more sections of the standard (from 1 to 12) involved; - More than a half of all the requirements of the standard (sections 1 to 12) involved; - More than a half of the software functions (or code) modified; - Addition of new supported platforms/OS versions.
| Major changes in the software architecture, global alterations of code
| High Impact
|}
 
The release of each new version is accompanied with a notification to all the application users (agents), which indicates the new application version number and a list of main changes in the new version.
 

==New patches and updates delivery==

New patches, updates, installation instructions and MD5 checksum files are delivered via secure HelpDesk system located at https://secure.x-cart.com using "File Area" section in users accounts there.
We send newsletters about new patches and updates originating from x-cart.com domain name via verified and well-known email delivery system.

==See also==

* [[X-Payments:PCI_FAQs | PCI FAQs]]
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]

<noinclude>{{pdf_single}}</noinclude>

[[Category:X-Payments Developer Guide]]
[[Category:PCI DSS]]

X-Payments:How It Works

2018-10-09T06:16:43Z

Ambal:

<noinclude>{{XP_manual_TOC}}</noinclude>

==X-Payments flow via diagram==
:[[File:XP-diagram.png|700px|border]]

===API Call===

1) Store initiates an API call to X-Payments to create a payment (Created payments can be [[X-Payments:User_manual#Viewing_Payments|viewed]] on the 'Payments' page in X-Payments back end). At this step store sends to X-Payments all information about the customer (billing and shipping address) and the products being purchased (product quantities and cost). In addition to that, store instructs X-Payments as to which payment configuration should be used.

2) X-Payments validates this initial request from the store: checks whether the requested [[X-Payments:User_manual#Payment_Configurations|payment configuration]] is [[X-Payments:Managing store connections#Editing Online Store Details|active]], whether the payment currency passed on to X-Payments by the store matches the currency specified in the respective payment configuration in X-Payments, and makes some other internal checks; for instance, a check is conducted to ensure that the template files for the page where customers enter cardholder data have not been modified without approval by X-Payments admin. If everything is fine, X-Payments returns a [[X-Payments:API#Response_specification | payment "token"]] to the store (The token serves as a temporary identifier of the payment in X-Payments; it is generated as a result of the API call and is removed after the customer is redirected back to the store when the payment is completed). If a problem is detected, no token is sent to the store, and an internal error is generated in X-Payments. Detailed information about such errors can be found in the X-Payments and X-Cart logs: 
* X-Payments: See the <xpay-dir>/var/log/api/YYYY-MM-DD/ directory
* X-Cart: See the <xcart-dir>/var/log/x-errors_xpay_connector-YYMMDD.php file

===Payment===

3) Customer is redirected to the X-Payments secure page where the form for entering credit card details is located. If the iframe is used, this redirect is not visible to customer, as the form is embedded into the checkout page.

4) Customer enters credit card details and submits the form. These details are sent to the payment gateway along with other data previously received by X-Payments (address details, products being purchased, etc).

5) Payment gateway operates with the bank to charge the card (or authorize the funds in case of an "auth only" transaction) and sends back to X-Payments the information about the transaction.

The log of communication between X-Payments and the payment gateway can be found in the <xpay-dir>/var/log/payment/YYYY-MM-DD/ directory.

===Callback from gateway (PayPal) to X-Payments===

6) Some payment gateways also send back to X-Payments an additional "callback" request. This "callback" request provides detailed information about the transaction and also helps to validate/confirm the transaction. Currently only PayPal Payments PRO operates in X-Payments in such a way. As an additional protection, X-Payments allows you to specify the IP addresses from which the gateway's callback requests can be received. Provided with a list of trusted Call-back IPs for PayPal, X-Payments will only accept "callback" requests coming from PayPal's server and ignore all other requests coming from anywhere else, should such requests be made. The list of PayPal's IP addresses can be found here: https://ppmts.custhelp.com/app/answers/detail/a_id/92
If you wish to use this additional protection, you can enter the necessary IP addresses into [[X-Payments:Configuring_PayPal_payment_modules_in_X-Payments#PayPalPaymentsProPayPalAPIconfsettings|PayPal payment configuration settings]] in X-Payments back end.

The log of payment gateway callback request processing is saved to the <xpay-dir>/var/log/callback/YYYY-MM-DD/ directory.

===Invoice===

7) Customer is redirected back to the store where the Invoice page is displayed.
If the transaction is declined by the payment gateway for some reason, the error page is displayed. Additional information about the reasons of the transaction being declined can be found in the X-Payments admin back end on the 'Payment details' page.

===Callback from X-Payments to the store===

8) Detailed information about the payment is sent to the store via a "callback" request.
The same functionality ("callback" requests) is used to notify the store if the payment has been changed via X-Payments admin back end; for example, if a secondary transaction took place ('Capture' or 'Void' for an authorized transaction, 'Refund' for a charge).

X-Cart allows additional protection for callback requests from X-Payments: thus you can specify the IP addresses for X-Payments callbacks in X-Payments connector module settings: http://help.x-cart.com/index.php?title=X-Cart:X-Payments_Connector. X-Cart will accept only those callback requests that come from the specified IP addresses, others will be ignored.

'''Important''': On some server configurations the IP address from which the callback request comes may not match the IP of the server where X-Payments is installed as illustrated below:

:[[File:XP-diagram1.png|700px|border]]

Even if X-Payments is installed on the 172.18.0.3 IP address, and is accessible via web by it, the outgoing request is received from the "proxy" of 172.18.0.0. So, it is recommended to verify the IP address for outgoing HTTPS connections with your hosting provider.

{{Note|If you use a '''X-Payments Hosted''' plan, you need to use IP address '''52.36.122.200'''.}}

The log of the X-Payments callback requests processing is saved to the following locations: 
* X-Cart: See the <xcart-dir>/var/log/x-errors_xpay_connector-YYMMDD.php file if any error occurred.
* X-Payments: See the <xpay-dir>/var/log/payment/YYYY-MM-DD/ directory for the initial Authorize or Sale (Authorize and Capture at the same time or Auto settle) transaction and <xpay-dir>/var/log/admin/YYYY-MM-DD/ directory for the secondary Capture, Void or Refund transaction.

[[Category:X-Payments User Manual]]

X-Payments:X-Payments-Hosted-FAQ

2018-10-09T06:16:10Z

Ambal:

===What do I need to put as "Callback IP"?===

If you use X-Payments Hosted at "*.xpayments.com" domain you need to specify '''52.36.122.200'''.

===How to configure an FTP client to connect to the yourdomain.x-checkout.com to access skins and logs?===

X-Payments 3.x does not support FTP connections. You can use XP 3.x admin back-end to access skins and logs in this version.

The instructions below are valid only for X-Payments versions 2.x and earlier.

To establish an FTP connection, you should use the details from the email received when your account was created:

:* host: yourdomain.x-checkout.com 
:* user: skins@yourdomain.x-checkout.com 
:* password: the one that you've received 

Please make sure that the "Explicit FTP over TLS" mode is used. This is required because plain text authentication is not allowed for PCI compliance.

Instructions for FileZilla FTP Client:

# Start FileZilla
# Go to File -> Site Manager
# Click New site
# Enter the connection settings:
#* Host: yourdomain.x-checkout.com 
#* Port: leave blank 
#* Protocol: FTP - File Transfer Protocol 
#* Encryption: Require explict FTP over TLS 
#* Logon type: Normal 
#* user: skins@yourdomain.x-checkout.com 
#* password: the one that you've received [[File:Filezilla.png]] 
# Click the Connect button

[[Category:X-Payments User Manual]]

X-Payments:How It Works

2018-10-09T06:15:02Z

Ambal:

<noinclude>{{XP_manual_TOC}}</noinclude>

==X-Payments flow via diagram==
:[[File:XP-diagram.png|700px|border]]

===API Call===

1) Store initiates an API call to X-Payments to create a payment (Created payments can be [[X-Payments:User_manual#Viewing_Payments|viewed]] on the 'Payments' page in X-Payments back end). At this step store sends to X-Payments all information about the customer (billing and shipping address) and the products being purchased (product quantities and cost). In addition to that, store instructs X-Payments as to which payment configuration should be used.

2) X-Payments validates this initial request from the store: checks whether the requested [[X-Payments:User_manual#Payment_Configurations|payment configuration]] is [[X-Payments:Managing store connections#Editing Online Store Details|active]], whether the payment currency passed on to X-Payments by the store matches the currency specified in the respective payment configuration in X-Payments, and makes some other internal checks; for instance, a check is conducted to ensure that the template files for the page where customers enter cardholder data have not been modified without approval by X-Payments admin. If everything is fine, X-Payments returns a [[X-Payments:API#Response_specification | payment "token"]] to the store (The token serves as a temporary identifier of the payment in X-Payments; it is generated as a result of the API call and is removed after the customer is redirected back to the store when the payment is completed). If a problem is detected, no token is sent to the store, and an internal error is generated in X-Payments. Detailed information about such errors can be found in the X-Payments and X-Cart logs: 
* X-Payments: See the <xpay-dir>/var/log/api/YYYY-MM-DD/ directory
* X-Cart: See the <xcart-dir>/var/log/x-errors_xpay_connector-YYMMDD.php file

===Payment===

3) Customer is redirected to the X-Payments secure page where the form for entering credit card details is located. If the iframe is used, this redirect is not visible to customer, as the form is embedded into the checkout page.

4) Customer enters credit card details and submits the form. These details are sent to the payment gateway along with other data previously received by X-Payments (address details, products being purchased, etc).

5) Payment gateway operates with the bank to charge the card (or authorize the funds in case of an "auth only" transaction) and sends back to X-Payments the information about the transaction.

The log of communication between X-Payments and the payment gateway can be found in the <xpay-dir>/var/log/payment/YYYY-MM-DD/ directory.

===Callback from gateway (PayPal) to X-Payments===

6) Some payment gateways also send back to X-Payments an additional "callback" request. This "callback" request provides detailed information about the transaction and also helps to validate/confirm the transaction. Currently only PayPal Payments PRO operates in X-Payments in such a way. As an additional protection, X-Payments allows you to specify the IP addresses from which the gateway's callback requests can be received. Provided with a list of trusted Call-back IPs for PayPal, X-Payments will only accept "callback" requests coming from PayPal's server and ignore all other requests coming from anywhere else, should such requests be made. The list of PayPal's IP addresses can be found here: https://ppmts.custhelp.com/app/answers/detail/a_id/92
If you wish to use this additional protection, you can enter the necessary IP addresses into [[X-Payments:Configuring_PayPal_payment_modules_in_X-Payments#PayPalPaymentsProPayPalAPIconfsettings|PayPal payment configuration settings]] in X-Payments back end.

The log of payment gateway callback request processing is saved to the <xpay-dir>/var/log/callback/YYYY-MM-DD/ directory.

===Invoice===

7) Customer is redirected back to the store where the Invoice page is displayed.
If the transaction is declined by the payment gateway for some reason, the error page is displayed. Additional information about the reasons of the transaction being declined can be found in the X-Payments admin back end on the 'Payment details' page.

===Callback from X-Payments to the store===

8) Detailed information about the payment is sent to the store via a "callback" request.
The same functionality ("callback" requests) is used to notify the store if the payment has been changed via X-Payments admin back end; for example, if a secondary transaction took place ('Capture' or 'Void' for an authorized transaction, 'Refund' for a charge).

X-Cart allows additional protection for callback requests from X-Payments: thus you can specify the IP addresses for X-Payments callbacks in X-Payments connector module settings: http://help.x-cart.com/index.php?title=X-Cart:X-Payments_Connector. X-Cart will accept only those callback requests that come from the specified IP addresses, others will be ignored.

'''Important''': On some server configurations the IP address from which the callback request comes may not match the IP of the server where X-Payments is installed as illustrated below:

:[[File:XP-diagram1.png|700px|border]]

Even if X-Payments is installed on the 172.18.0.3 IP address, and is accessible via web by it, the outgoing request is received from the "proxy" of 172.18.0.0. So, it is recommended to verify the IP address for outgoing HTTPS connections with your hosting provider.

{{Note|If you use a '''X-Payments Hosted''' plan, you need to use IP address '''104.200.146.25'''.}}

The log of the X-Payments callback requests processing is saved to the following locations: 
* X-Cart: See the <xcart-dir>/var/log/x-errors_xpay_connector-YYMMDD.php file if any error occurred.
* X-Payments: See the <xpay-dir>/var/log/payment/YYYY-MM-DD/ directory for the initial Authorize or Sale (Authorize and Capture at the same time or Auto settle) transaction and <xpay-dir>/var/log/admin/YYYY-MM-DD/ directory for the secondary Capture, Void or Refund transaction.

[[Category:X-Payments User Manual]]

X-Payments:PA-DSS implementation guide for X-Cart Payments 3

2018-07-05T11:14:33Z

Ambal: /* Introduction */

==Introduction==
The purpose of this PA-DSS Implementation Guide is to inform employees of organizations using the X-Cart Payments payment application by Qualiteam Software Limited about the methods and means of protection of account data in the X-Cart Payments software.
 
The methods include the need for compliance with the information security standards in the payment card industry developed by the international payment systems Visa and MasterCard - Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). For additional information about PCI DSS, please visit the [https://www.pcisecuritystandards.org/ Official PCI Security Standards Council Site].
 
The document provides instructions on how to implement the application in a PCI DSS compliant manner.
 
Full product name - X-Cart Payments. 
Product version - 3.1.x.
 
Any servers used to run the X-Cart Payments payment application must be configured according to this PA-DSS Implementation Guide.
 
This PA-DSS Implementation Guide should be updated:
:* at least annually;
:* after changes in the payment application (if required);
:* after changes in the PCI DSS and PA-DSS standards.
 
The updated Version of the PA-DSS Implementation Guide has to be sent to all the merchants using X-Cart Payments.
 
The history of changes to the X-Cart Payments PA-DSS Implementation Guide is provided in the table below.
 
'''Table.1. X-Cart Payments PA-DSS Implementation Guide history of changes''' 
{| class="wikitable" width=90%
|-
! scope="col" style="width: 10%;"| '''Author'''
! scope="col" style="width: 10%;"| '''Date'''
! scope="col" style="width: 10%;"| '''Number'''
! scope="col" style="width: 60%;"| '''Change description'''
|- style="vertical-align:top;"
| Alex Mulin
| 05/17/2016
| 01
| The original version of the document, designed to meet the requirements of PCI DSS version 3.1 and PA DSS version 3.1
|-
| Alex Mulin
| 05/17/2017
| 02
| The original version of the document, designed to meet the requirements of PCI DSS version 3.2 and PA DSS version 3.2
|-
| Alex Mulin
| 05/05/2018
| 03
| Updated versions
|-
|}
 

==Data protection==
The PCI DSS and PA-DSS standards prohibit storage of sensitive authentication data (after authorization) or cardholder data in cleartext. 
Cardholder data includes:
:* Primary Account Number (PAN)
:* Cardholder Name
:* Expiration Date
:* Service Code
 
Sensitive authentication data (SAD) includes:
:* Full track data (magnetic-stripe data or equivalent on a chip)
:* CAV2/CVC2/CVV2/CID
:* PINs/PIN blocks
 
X-Cart Payments has the ability to store parts of cardholder data temporarily to perform 3D Secure verification and certain types of transactions for some of the integrated payment processors. During storage, cardholder data is encrypted using RSA 2048 algorithm and AES 256 for key encryption. When its storage period is over, the data is removed automatically via "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks.
 
X-Cart Payments may not be configured to store permanently in the database the following types of data:
:* Full PAN
:* Full track data (magnetic-stripe data or equivalent on a chip)
:* CAV2/CVC2/CVV2/CID
:* PINs/PIN blocks
Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature.
 
The payment application masks PAN on display (except for the moment when the user enters the card number).
X-Cart Payments can display masked PAN on the "Payment details" pages and in the "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. The same data (partially masked with asterisks) may be passed via the API to the integrated software products. X-Cart Payments does not have the ability to display full PAN anywhere, and there are no settings that can change this behavior of the user interface.
 

==Data Collected while Testing==
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments:
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.
# If you ever choose to collect credit card information to troubleshoot a problem that a customer of yours is having, then please note the following:
#* Such data must be stored only in specific, known locations with limited access.
#* Only collect a limited amount of data (no more than is needed to solve the problem).
#* Sensitive authentication data must be encrypted during storage. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.
# Sensitive authentication data must be securely deleted immediately after use.
To prevent uncontrolled storage of cardholder data (for example, in case of operating system failure), it is recommended to disable the swap file or move it to a specially prepared encrypted partition.
 
==Authentication and access==
The X-Cart Payments payment application has an only user type. This type cannot get access to payment card numbers and does not have any administrative privileges that may affect PA-DSS compliance.
There are no built-in/default user accounts in X-Cart Payments. You must carefully control access to X-Cart Payments. Follow these rules:
:* Restrict the number of employees who have access to X-Cart Payments to only those who have a business need.
:* Always provide unique usernames for each person who needs access.
:* Do not use system-default usernames and/or passwords.
:* Ensure that web server is run under a non-privileged user account and the application has access to the database from a limited privilege user account.
 
To set password lifetime:
# Log in to X-Cart Payments.
# Go to Settings -> General Settings.
# In the "User account password lifetime" field, enter the number of days for which the user account password needs to be valid. The maximum allowed password lifetime is 90 days.
The following related rules apply:
:* The minimum password length is 8 characters.
:* A password must contain both numbers and lower- and uppercase characters.
:* The last 4 passwords must be unique.
:* A user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password.
:* A user is logged off after an inactivity period of 15 minutes.
 
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords:
:* For your Web hosting account administration area (Web hosting account where your online store is hosted);
:* For FTP access to the Web server;
:* For Remote Desktop Connection to the Web server (if available);
:* To connect to the MySQL server that contains your store data.
 
Linux authentication mechanism is used for login in the servers with running X-Cart Payments.
Accounts for access to the operating system are managed by the Linux administrator.
For Linux operating system accounts, you must configure the following attributes of the password policy:
:* use personal accounts, do not use any group, shared, or generic accounts and passwords;
:* changes to user passwords at least once every 90 days;
:* require a minimum length of at least seven characters;
:* contain both numeric and alphabetic characters;
:* do not use last four passwords used previously;
:* block account after six invalid logon attempts (minimum 30 minutes or until an administrator enables the user ID).
 
Two-factor authentication must be used for remote access to the operating system. The authentication methods, also known as factors, are:
:* something you know, such as a password or a passphrase;
:* something you have, such as a token device or a smart card;
:* something you are, such as a biometric.
 

== Logging==
Audit trails are automatically enabled with the default installation of X-Cart Payments. Users do not have the ability to disable or change the logging parameters of X-Cart Payments. X-Cart Payments log journal does not contain cardholder data. It is implemented at the source code level. The setting of an event log journal does not require any additional action from users.
The log files are created in the var/log/ directory. In X-Cart Payments 3.1, logs can be viewed via the X-Cart Payments admin back end. Make sure you restrict access to the log files by business need-to-know.
The following types of activity are logged:
:* All actions taken by any individual with root or administrative privileges.
:* Successes and failures of all individual accesses to application sections and functions.
:* Initialization of the audit logs.
:* User sign in and sign out.
 
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to the files access.log and error.log.
Each log event includes:
:* Type of event;
:* Date and time of event;
:* Username and IP address;
:* Success or failure indication;
:* Action which led to the event;
:* Component which led to the event.
 
There is also a meta-log which contains information about other log files being created.
Make sure you have a system-level auditing software properly configured to monitor users' activity on the server. This software should:
:* warn on a checksum change of any of X-Cart Payments source code files except for the log file and the database files;
:* record any file writing operations related to X-Cart Payments files.
 

==Communication==
LAN channel or other available connection method can be used as a communication channel.
X-Cart Payments payment application supports the following data formats:
{| class="wikitable" width=90%
|-
| scope="col" style="width: 20%;"| '''Protocol'''
| scope="col" style="width: 70%;"| HTTP protocol (RFC 2616: HTTP/1.1) is used for data transfer between client and server
|- style="vertical-align:top;"
| '''Data transmission method'''
| Only encrypted cardholder data (RSA 2048 and AES 256) is transferred. RAW POST method is used for data transmission - (data stream is transmitted in the body of the request that is sent from client to server)
|- style="vertical-align:top;"
| '''Data format'''
| Data is transmitted in XML format (Extensible Markup Language (XML) 1.0) or in plain text using POST query via HTTPS
|- style="vertical-align:top;"
| '''Port'''
| X-Cart Payments payment application uses ports 80, 443
|-
|}
 
'''Network traffic encryption''' 
X-Cart Payments uses encryption, such as TLS or IPSEC, for:
:* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.
:* providing remote web-based access to the application.
 
If you use some tools to remotely access the application, you should encrypt all the communication using such technologies as TLS or IPSEC.
 
As per PCI DSS requirement, cardholder data must never be sent unencrypted by email, and X-Cart Payments does meet this requirement never sending cardholder data by email or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.
 
'''Enable TLS''' 
TLS protects data that is transmitted between a browser and your web server. It is critical that you have TLS enabled on your web server, and one of the first steps you should take after the installation is to enable TLS.
:* Your web server must be configured to use TLS v1.2 protocols with strong encryption (128-bit or longer key is required).
:* You will need to have a certificate issued for your web domain. Read guidelines on installing Comodo's Instant TLS certificates.
 
If a web server does not have TLS enabled, X-Cart Payments will not function.
X-Cart Payments does not support remote administrative access. Strong encryption must be used for remote access to the server.
The connection of servers with X-Cart Payments payment application to the Internet must be protected by a firewall. In X-Cart Payments configurations involving more than one server, server connections should take place in network segments separated from the Internet via stateful inspection firewalls.
 
'''Wireless communications''' 
If you use wireless networking to access X-Cart Payments, it is your responsibility to ensure your wireless security configuration follows the PCI DSS requirements.
:* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.
:* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.
:* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.
:* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:
::* Use with a minimum 104-bit encryption key and 24 bit-initialization value.
::* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS.
::* Rotate shared WEP keys quarterly (or automatically if the technology permits).
::* Rotate shared WEP keys whenever there are changes in personnel with access to keys.
::* Restrict access based on media access code (MAC) address.
::* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.
 
'''Remote access''' 
X-Cart Payments provides web-based access using two-factor authentication based on one-time codes. Detailed information can be found on the [[X-Payments:Two-factor_authentication | X-Payments:Two-factor authentication]] page.
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following:
:* Change the default settings in the remote access software (for example, change the default passwords and use unique passwords for each customer).
:* Allow connections only from specific (known) IP/MAC addresses.
:* Use strong authentication or complex passwords for logins.
:* Enable encrypted data transmission.
:* Enable account lockout after a certain number of failed login attempts.
:* Configure the system so a remote user must establish a Virtual Private Network ("VPN") connection via a firewall before access is allowed.
:* Enable any logging or auditing functions.
:* Restrict access to customer passwords to authorized reseller/integrator personnel.
:* Establish customer passwords according to PCI DSS requirements.
Qualiteam does not provide software updates via remote access on an automated basis.
 

==Hardware and software==
The following requirements must be met for X-Cart Payments payment application self-service terminals: 
'''Operating System''' 
Linux Ubuntu 16 or later, Linux Debian 6.0 or later, Linux CentOS 6 or later 
'''DBMS''' 
MySQL 5.6 or later 
'''Software''' 
PHP v 5.6.34, v 7.0.29, v 7.1.15, v 7.2.3 or newer versions in corresponding branches 
Apache 2.4 or later
 

==Product versioning methodology==
{| class="wikitable" width=90%
|-
! scope="col" style="width: 15%;"| '''Version number changes'''
! scope="col" style="width: 45%;"| '''Software changes'''
! scope="col" style="width: 15%;"| '''Description'''
! scope="col" style="width: 15%;"| '''PA-DSS changes'''
|- style="vertical-align:top;"
| Version number does not change
| Change of the software name Change of the vendor name
| Changes not related to the software development process
| Administrative
|- style="vertical-align:top;"
| Increment of the minor version number to reflect a change not affecting the certification. For example, change of the version number from 1.0.5 to 1.0.6 (for the certification of 1.0.x)
| - Changes to the user interface - Changes to the database schema - Changes to supported payment gateway integrations / Addition of new payment gateway integrations
| Changes that have no impact on the PA-DSS requirements compliance or Payment Application security
| No Impact
|- style="vertical-align:top;"
| Increment of the second version number. For example, change of the version number from 1.1.* to 1.2.*
| Software changes satisfy the following conditions: - Fewer than 4 sections of the standard (from 1 to 12) involved; - Fewer than a half of all the requirements of the standard (sections 1 to 12) involved; - Less than a half of the software functions (or code) modified; - Changes implemented for compatibility with the updated versions of previously tested OS, DBMS and third party software products. - Addition/removal of supported payment processors. - Recompilation of the source code using a new compiler or different compiler settings. - Changes of the software versioning policy. - Changes of the software not related to security.
| - Changes in the software affecting payment card data mechanisms. - Changes addressing the identified vulnerabilities of the application. - Changes related to the completion of the annual cycle of development (if there are other changes).
| Low Impact
|- style="vertical-align:top;"
| Increment of the first version number. For example, change of the version number from 1.0.* to 2.0.*
| Software changes satisfy the following conditions: - 4 or more sections of the standard (from 1 to 12) involved; - More than a half of all the requirements of the standard (sections 1 to 12) involved; - More than a half of the software functions (or code) modified; - Addition of new supported platforms/OS versions.
| Major changes in the software architecture, global alterations of code
| High Impact
|}
 
The release of each new version is accompanied with a notification to all the application users (agents), which indicates the new application version number and a list of main changes in the new version.
 

==New patches and updates delivery==

New patches, updates, installation instructions and MD5 checksum files are delivered via secure HelpDesk system located at https://secure.x-cart.com using "File Area" section in users accounts there.
We send newsletters about new patches and updates originating from x-cart.com domain name via verified and well-known email delivery system.

==See also==

* [[X-Payments:PCI_FAQs | PCI FAQs]]
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]

<noinclude>{{pdf_single}}</noinclude>

[[Category:X-Payments Developer Guide]]
[[Category:PCI DSS]]

X-Payments:PA-DSS implementation guide for X-Cart Payments 3

2018-07-05T11:13:29Z

Ambal: /* Hardware and software */

==Introduction==
The purpose of this PA-DSS Implementation Guide is to inform employees of organizations using the X-Cart Payments payment application by Qualiteam Software Limited about the methods and means of protection of account data in the X-Cart Payments software.
 
The methods include the need for compliance with the information security standards in the payment card industry developed by the international payment systems Visa and MasterCard - Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). For additional information about PCI DSS, please visit the [https://www.pcisecuritystandards.org/ Official PCI Security Standards Council Site].
 
The document provides instructions on how to implement the application in a PCI DSS compliant manner.
 
Full product name - X-Cart Payments. 
Product version - 3.1.x.
 
Any servers used to run the X-Cart Payments payment application must be configured according to this PA-DSS Implementation Guide.
 
This PA-DSS Implementation Guide should be updated:
:* at least annually;
:* after changes in the payment application (if required);
:* after changes in the PCI DSS and PA-DSS standards.
 
The updated Version of the PA-DSS Implementation Guide has to be sent to all the merchants using X-Cart Payments.
 
The history of changes to the X-Cart Payments PA-DSS Implementation Guide is provided in the table below.
 
'''Table.1. X-Cart Payments PA-DSS Implementation Guide history of changes''' 
{| class="wikitable" width=90%
|-
! scope="col" style="width: 10%;"| '''Author'''
! scope="col" style="width: 10%;"| '''Date'''
! scope="col" style="width: 10%;"| '''Number'''
! scope="col" style="width: 60%;"| '''Change description'''
|- style="vertical-align:top;"
| Alex Mulin
| 05/17/2016
| 01
| The original version of the document, designed to meet the requirements of PCI DSS version 3.1 and PA DSS version 3.1
|-
| Alex Mulin
| 05/17/2017
| 02
| The original version of the document, designed to meet the requirements of PCI DSS version 3.2 and PA DSS version 3.2
|-
|}
 

==Data protection==
The PCI DSS and PA-DSS standards prohibit storage of sensitive authentication data (after authorization) or cardholder data in cleartext. 
Cardholder data includes:
:* Primary Account Number (PAN)
:* Cardholder Name
:* Expiration Date
:* Service Code
 
Sensitive authentication data (SAD) includes:
:* Full track data (magnetic-stripe data or equivalent on a chip)
:* CAV2/CVC2/CVV2/CID
:* PINs/PIN blocks
 
X-Cart Payments has the ability to store parts of cardholder data temporarily to perform 3D Secure verification and certain types of transactions for some of the integrated payment processors. During storage, cardholder data is encrypted using RSA 2048 algorithm and AES 256 for key encryption. When its storage period is over, the data is removed automatically via "cron" software that needs to be installed and configured to run X-Cart Payments periodic tasks.
 
X-Cart Payments may not be configured to store permanently in the database the following types of data:
:* Full PAN
:* Full track data (magnetic-stripe data or equivalent on a chip)
:* CAV2/CVC2/CVV2/CID
:* PINs/PIN blocks
Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature.
 
The payment application masks PAN on display (except for the moment when the user enters the card number).
X-Cart Payments can display masked PAN on the "Payment details" pages and in the "View details" pop-up windows for some of the integrated payment processors in the following format: 123456******1234 MM/YY or **********1234 MM/YY. The same data (partially masked with asterisks) may be passed via the API to the integrated software products. X-Cart Payments does not have the ability to display full PAN anywhere, and there are no settings that can change this behavior of the user interface.
 

==Data Collected while Testing==
Delete any sensitive authentication data (pre-authorization) gathered as a result of testing or troubleshooting your X-Cart Payments:
# Sensitive authentication data (pre-authorization) must only be collected when needed to solve a specific problem. You should never use real credit card information when testing your store. Instead, contact your payment gateway and ask them for special credit card numbers that you can use while testing.
# If you ever choose to collect credit card information to troubleshoot a problem that a customer of yours is having, then please note the following:
#* Such data must be stored only in specific, known locations with limited access.
#* Only collect a limited amount of data (no more than is needed to solve the problem).
#* Sensitive authentication data must be encrypted during storage. Make sure to encrypt it before storing it. There are many encryption software packages that you can install on your computer to do so.
# Sensitive authentication data must be securely deleted immediately after use.
To prevent uncontrolled storage of cardholder data (for example, in case of operating system failure), it is recommended to disable the swap file or move it to a specially prepared encrypted partition.
 
==Authentication and access==
The X-Cart Payments payment application has an only user type. This type cannot get access to payment card numbers and does not have any administrative privileges that may affect PA-DSS compliance.
There are no built-in/default user accounts in X-Cart Payments. You must carefully control access to X-Cart Payments. Follow these rules:
:* Restrict the number of employees who have access to X-Cart Payments to only those who have a business need.
:* Always provide unique usernames for each person who needs access.
:* Do not use system-default usernames and/or passwords.
:* Ensure that web server is run under a non-privileged user account and the application has access to the database from a limited privilege user account.
 
To set password lifetime:
# Log in to X-Cart Payments.
# Go to Settings -> General Settings.
# In the "User account password lifetime" field, enter the number of days for which the user account password needs to be valid. The maximum allowed password lifetime is 90 days.
The following related rules apply:
:* The minimum password length is 8 characters.
:* A password must contain both numbers and lower- and uppercase characters.
:* The last 4 passwords must be unique.
:* A user account must be blocked for a specified period (30 minutes by default) after 6 unsuccessful attempts to enter a password.
:* A user is logged off after an inactivity period of 15 minutes.
 
PCI compliance requires that you use unique user names and secure authentication to access any PCs, servers, and databases with payment applications and/or cardholder data. This means that you should use different user names/passwords:
:* For your Web hosting account administration area (Web hosting account where your online store is hosted);
:* For FTP access to the Web server;
:* For Remote Desktop Connection to the Web server (if available);
:* To connect to the MySQL server that contains your store data.
 
Linux authentication mechanism is used for login in the servers with running X-Cart Payments.
Accounts for access to the operating system are managed by the Linux administrator.
For Linux operating system accounts, you must configure the following attributes of the password policy:
:* use personal accounts, do not use any group, shared, or generic accounts and passwords;
:* changes to user passwords at least once every 90 days;
:* require a minimum length of at least seven characters;
:* contain both numeric and alphabetic characters;
:* do not use last four passwords used previously;
:* block account after six invalid logon attempts (minimum 30 minutes or until an administrator enables the user ID).
 
Two-factor authentication must be used for remote access to the operating system. The authentication methods, also known as factors, are:
:* something you know, such as a password or a passphrase;
:* something you have, such as a token device or a smart card;
:* something you are, such as a biometric.
 

== Logging==
Audit trails are automatically enabled with the default installation of X-Cart Payments. Users do not have the ability to disable or change the logging parameters of X-Cart Payments. X-Cart Payments log journal does not contain cardholder data. It is implemented at the source code level. The setting of an event log journal does not require any additional action from users.
The log files are created in the var/log/ directory. In X-Cart Payments 3.1, logs can be viewed via the X-Cart Payments admin back end. Make sure you restrict access to the log files by business need-to-know.
The following types of activity are logged:
:* All actions taken by any individual with root or administrative privileges.
:* Successes and failures of all individual accesses to application sections and functions.
:* Initialization of the audit logs.
:* User sign in and sign out.
 
Individual access to cardholder data is not logged, because cardholder data is not stored before and after authentication. Access to audit trails must be provided on the operating system level. Audit trails are written to the file system, to the files access.log and error.log.
Each log event includes:
:* Type of event;
:* Date and time of event;
:* Username and IP address;
:* Success or failure indication;
:* Action which led to the event;
:* Component which led to the event.
 
There is also a meta-log which contains information about other log files being created.
Make sure you have a system-level auditing software properly configured to monitor users' activity on the server. This software should:
:* warn on a checksum change of any of X-Cart Payments source code files except for the log file and the database files;
:* record any file writing operations related to X-Cart Payments files.
 

==Communication==
LAN channel or other available connection method can be used as a communication channel.
X-Cart Payments payment application supports the following data formats:
{| class="wikitable" width=90%
|-
| scope="col" style="width: 20%;"| '''Protocol'''
| scope="col" style="width: 70%;"| HTTP protocol (RFC 2616: HTTP/1.1) is used for data transfer between client and server
|- style="vertical-align:top;"
| '''Data transmission method'''
| Only encrypted cardholder data (RSA 2048 and AES 256) is transferred. RAW POST method is used for data transmission - (data stream is transmitted in the body of the request that is sent from client to server)
|- style="vertical-align:top;"
| '''Data format'''
| Data is transmitted in XML format (Extensible Markup Language (XML) 1.0) or in plain text using POST query via HTTPS
|- style="vertical-align:top;"
| '''Port'''
| X-Cart Payments payment application uses ports 80, 443
|-
|}
 
'''Network traffic encryption''' 
X-Cart Payments uses encryption, such as TLS or IPSEC, for:
:* transmission of cardholder data over public networks, per PCI DSS requirement 4.1.
:* providing remote web-based access to the application.
 
If you use some tools to remotely access the application, you should encrypt all the communication using such technologies as TLS or IPSEC.
 
As per PCI DSS requirement, cardholder data must never be sent unencrypted by email, and X-Cart Payments does meet this requirement never sending cardholder data by email or by IMs. Merchants and/or developers implementing X-Cart Payments should not attempt to customize this as a feature unless an encryption solution is also implemented.
 
'''Enable TLS''' 
TLS protects data that is transmitted between a browser and your web server. It is critical that you have TLS enabled on your web server, and one of the first steps you should take after the installation is to enable TLS.
:* Your web server must be configured to use TLS v1.2 protocols with strong encryption (128-bit or longer key is required).
:* You will need to have a certificate issued for your web domain. Read guidelines on installing Comodo's Instant TLS certificates.
 
If a web server does not have TLS enabled, X-Cart Payments will not function.
X-Cart Payments does not support remote administrative access. Strong encryption must be used for remote access to the server.
The connection of servers with X-Cart Payments payment application to the Internet must be protected by a firewall. In X-Cart Payments configurations involving more than one server, server connections should take place in network segments separated from the Internet via stateful inspection firewalls.
 
'''Wireless communications''' 
If you use wireless networking to access X-Cart Payments, it is your responsibility to ensure your wireless security configuration follows the PCI DSS requirements.
:* Personal firewall software should be installed on any mobile and employee-owned computers that have direct access to the internet and are also used to access your network.
:* Change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.
:* Encrypt wireless transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or TLS.
:* Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:
::* Use with a minimum 104-bit encryption key and 24 bit-initialization value.
::* Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or TLS.
::* Rotate shared WEP keys quarterly (or automatically if the technology permits).
::* Rotate shared WEP keys whenever there are changes in personnel with access to keys.
::* Restrict access based on media access code (MAC) address.
::* Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control any traffic if it is necessary for business purposes.
 
'''Remote access''' 
X-Cart Payments provides web-based access using two-factor authentication based on one-time codes. Detailed information can be found on the [[X-Payments:Two-factor_authentication | X-Payments:Two-factor authentication]] page.
If you enable remote access to your network and the cardholder data environment, you must implement two-factor authentication. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on TLS 1.2 or IPSEC) with individual certificates. You should make sure that any remote access software is securely configured by keeping in mind the following:
:* Change the default settings in the remote access software (for example, change the default passwords and use unique passwords for each customer).
:* Allow connections only from specific (known) IP/MAC addresses.
:* Use strong authentication or complex passwords for logins.
:* Enable encrypted data transmission.
:* Enable account lockout after a certain number of failed login attempts.
:* Configure the system so a remote user must establish a Virtual Private Network ("VPN") connection via a firewall before access is allowed.
:* Enable any logging or auditing functions.
:* Restrict access to customer passwords to authorized reseller/integrator personnel.
:* Establish customer passwords according to PCI DSS requirements.
Qualiteam does not provide software updates via remote access on an automated basis.
 

==Hardware and software==
The following requirements must be met for X-Cart Payments payment application self-service terminals: 
'''Operating System''' 
Linux Ubuntu 16 or later, Linux Debian 6.0 or later, Linux CentOS 6 or later 
'''DBMS''' 
MySQL 5.6 or later 
'''Software''' 
PHP v 5.6.34, v 7.0.29, v 7.1.15, v 7.2.3 or newer versions in corresponding branches 
Apache 2.4 or later
 

==Product versioning methodology==
{| class="wikitable" width=90%
|-
! scope="col" style="width: 15%;"| '''Version number changes'''
! scope="col" style="width: 45%;"| '''Software changes'''
! scope="col" style="width: 15%;"| '''Description'''
! scope="col" style="width: 15%;"| '''PA-DSS changes'''
|- style="vertical-align:top;"
| Version number does not change
| Change of the software name Change of the vendor name
| Changes not related to the software development process
| Administrative
|- style="vertical-align:top;"
| Increment of the minor version number to reflect a change not affecting the certification. For example, change of the version number from 1.0.5 to 1.0.6 (for the certification of 1.0.x)
| - Changes to the user interface - Changes to the database schema - Changes to supported payment gateway integrations / Addition of new payment gateway integrations
| Changes that have no impact on the PA-DSS requirements compliance or Payment Application security
| No Impact
|- style="vertical-align:top;"
| Increment of the second version number. For example, change of the version number from 1.1.* to 1.2.*
| Software changes satisfy the following conditions: - Fewer than 4 sections of the standard (from 1 to 12) involved; - Fewer than a half of all the requirements of the standard (sections 1 to 12) involved; - Less than a half of the software functions (or code) modified; - Changes implemented for compatibility with the updated versions of previously tested OS, DBMS and third party software products. - Addition/removal of supported payment processors. - Recompilation of the source code using a new compiler or different compiler settings. - Changes of the software versioning policy. - Changes of the software not related to security.
| - Changes in the software affecting payment card data mechanisms. - Changes addressing the identified vulnerabilities of the application. - Changes related to the completion of the annual cycle of development (if there are other changes).
| Low Impact
|- style="vertical-align:top;"
| Increment of the first version number. For example, change of the version number from 1.0.* to 2.0.*
| Software changes satisfy the following conditions: - 4 or more sections of the standard (from 1 to 12) involved; - More than a half of all the requirements of the standard (sections 1 to 12) involved; - More than a half of the software functions (or code) modified; - Addition of new supported platforms/OS versions.
| Major changes in the software architecture, global alterations of code
| High Impact
|}
 
The release of each new version is accompanied with a notification to all the application users (agents), which indicates the new application version number and a list of main changes in the new version.
 

==New patches and updates delivery==

New patches, updates, installation instructions and MD5 checksum files are delivered via secure HelpDesk system located at https://secure.x-cart.com using "File Area" section in users accounts there.
We send newsletters about new patches and updates originating from x-cart.com domain name via verified and well-known email delivery system.

==See also==

* [[X-Payments:PCI_FAQs | PCI FAQs]]
* [https://www.pcisecuritystandards.org/ PCI Security Standards Council website]

<noinclude>{{pdf_single}}</noinclude>

[[Category:X-Payments Developer Guide]]
[[Category:PCI DSS]]