PCI compliance question ATTN: X-Cart and CS-Cart

I have a question about PCI standards.

In my evaluating different shopping cart systems I looked at CS-Cart X-cart and a few others.

I thought I had decided on CS-Cart due to the fact that they are promoting PCI Compliance. However today I was doing some more research and I noticed on X-Carts FAQ page they talk about how the shopping cart program doesn’t need to be PCI compliant, only the Merchant account.
Can someone please explain this to me?

X-Cart: so if I have a customer who checks out and I am using the X-Cart system is the customer taken to another site where they can enter their CC info? Sorry, I wanted to ask this question on your companies Forums but they are locked down for customers only for some reason. Also, I notice you have Innovativegateway but no quickbooks merchant services? Both are Intuit software, why no support for both?

So my other question is: What does CS-Cart do different that allows them to claim PCI compliance in their marketing pages.

This is important because it will really affect my descission on what cart software I may go with.

Hi Everyone,

I just want you to know that we did release X-Payments and it is PA-DSS certified (see announcement on our web-site at http://www.x-cart.com/news/xpayments_released.html).

It integrates with X-Cart v4.3+, Magento and can be integrated with CS-Cart, ZenCart and many others with help of API.

Your web application or shopping cart need to be PCI complaint only if you accept credit card information on your web pages. If your customer pays and enter credit card information on other merchant websites such as paypal, 2checkout, google checkout then your websites do not need to be PCI complaint.

Ya, I think that was my question to X-Cart


Thank you for your question.

Actually, I can’t see where we claim being PCI compliant (may I ask you to point me in case something is wrong?) and, as X-Cart also says correctly on their website, we shouldn’t - since PCI compliance involves not only software, but also web server hardware, software, security policies etc. And both CS-Cart and X-Cart are only components of that.

However, our software is capable of proper storage of a sensitive data, and many of our customers were certified as PCI compliant using CS-Cart as a software platform.

I hope this clarifies your question, however, if there’s any other information needed from our side - please, just ask.

PCI compliance is getting tougher every day. Realistically, unless you’re using a hosted solution, you’re NOT PCI compliant. Here’s why …to truly be PCI compliant, you will need 3 servers or at a minimum 1 server partitioned into 3 “virtual” servers.

1 server - Shoppingcart functions
1 server - credit card processing
1 server - credit card info storage (or skip trying to have recurring billing)

So you can see that these applications are not set up for 3 servers …only 1.

Now please don’t ask me to get any more technical than this as I cannot. This was all explained to me by a very sharp person over at Rackspace. And after they gave me the monthly hosting price of $3,000+ for all these servers and backup yada yada, my mind went numb and then I searched out a hosted solution to avoid the high price tag of doing it myself.

I hope this helps


There are many levels of PCI Compliance and it a lot of it depends on what information you chose to store. You most certainly do not need three servers to be PCI Compliant if you are not storing sensitive information.

Hi Brandon

Not to sound like I’m pumping up Rackspace, as they are very expensive, but they do offer some great expertise. They will also send you the PCI documents with all the credit card rules and the stiff (up to $10K per occurrence) penalties for non-compliance.

I think everyone should read over these PCI documents 1st hand rather than take the word of anyone on any forum …including mine. Since I’m handing out 2nd hand info, and not really a technical expert, I won’t argue your point …I would just warn everyone that credit card processing is not a trivial matter and must be done according to a specific set of rules …and they’re getting tighter.

Sorry, i have not answered the question before. Let me please clarify PCI compliance point here.

As was mentioned, generally there are 3 compliance issues:

  1. PA-DSS compliance
  2. VISA PA-DSS mandate compliance
  3. PCI-DSS compliance

If you are going to use any web-based payment gateway in X-Cart (it means that customers are redirected to a gateway side and provide all credit card related information there) , then your X-Cart store is not a subject for PCI-compliance at all (since it doesn’t store, process or transmit credit card numbers).

However some store owners prefer customers stay on the storefront during the whole checkout process, so credit card numbers are sent to payment gateways ‘behind the scene’. So if you are going to use such background payment gateways, then your store becomes a subject to the rules mentioned before. In this case X-Cart should become PA-DSS compliant, and the server should be configured properly to be PCI compliant.

And we are going to release a special payment module that would be certified as PA-DSS compliant. With this module customers will be able to set up their X-Cart stores process payments in PCI compliance form. All instructions for setup process will be provided.

XCart - when will you be releasing a special payment module that is certified as PA-DSS compliant?

We should release X-Payments before summer (see X-Cart roadmap at http://help.qtmsoft.com/index.php?title=X-Cart:Roadmap)

X-Payments is being certified currently (it is almost ready, we just need to pass certification and this creates some delay).

Good to know, thanks Amber!