
Table of Contents

1 X-Cart:General Settings

2 X-Cart:Store Security
2.1 Introduction
2.2 The importance of X-Cart security
2.3 Hosting X-Cart in a secure environment
2.4 How to secure your X-Cart
2.5 How do I set up secure login, registration and checkout in my X-Cart store?
2.6 How do I set up password protection for my X-Cart admin and provider areas?
2.7 Seven security features that you might not know yet
2.8 Maintaining X-Cart security
2.9 See also

3 X-Cart:Geographical Settings
3.1 Geographical settings in X-Cart
3.2 Roles in geographical settings management

4 X-Cart:Shipping Settings
4.1 Overview
4.2 Roles in shipping settings management
4.3 Shipping Methods
4.4 Real-time Shipping Calculators
4.5 Shipping Charges
4.6 Shipping Markups
4.7 Setting up Shipping (manually defined rates)
4.8 Troubleshooting
4.9 FAQ

5 X-Cart:Real-time Shipping Calculators
5.1 Video tutorial

6 X-Cart:Tax Settings
6.1 Tax settings in X-Cart
6.2 Roles in tax settings management
6.3 Video tutorial
6.4 Taxes
6.5 Tax Rates
6.6 Tax Formula Editor
6.7 Tax Options
6.8 Applying Taxes to Products
6.9 Examples of Configuring Taxes
6.10 FAQ
6.11 Troubleshooting

7 X-Cart:Payment Settings

8 X-Cart:Modules and Add-ons
8.1 Modules
8.2 Add-ons

9 X-Cart:PCI-DSS
9.1 Contents
9.2 About PCI DSS
9.3 Configuring X-Cart to meet PCI DSS (cardholder data is not stored)
9.4 Configuring X-Cart to meet PCI DSS with X-Payments application
9.5 Passing network security scans
9.6 Submitting a self-assessment questionnaire
9.7 FAQs
9.8 See also

10 blog to your store
10.1 Why need blog
10.2 Major blog engines on the market
10.3 Setting up blog with your store

1 X-Cart:General Settings
You can adjust the overall configuration of your store using the 'General settings' section of X-Cart Admin area. In X-Cart versions 4.3.0 and later, the
'General settings' section can be found at Settings menu -> General settings; in earlier X-Cart versions, this page can be found at Administration menu
-> General settings. The 'General settings' section allows you to access and control both the settings affecting X-Cart's core functionality and the
settings of X-Cart's modules.

The following pages within the 'General settings' section pertain to X-Cart's core functionality:

3D-Secure Transaction options: This page allows you to enable Cardinal Centinel payment authentication platform support in your store.
Appearance Options: This page allows you to adjust preferences that affect the overall appearance of your store.
Company options: This page allows you to provide your company details and contact information (name, address, phone/fax numbers, email
addresses, etc). Your company name, address and phone/fax numbers will be displayed on the storefront and included in customer email
notifications. Email addresses of specific departments of your store will be used by X-Cart to send administrator and provider notifications.
Company address will be used in real-time shipping rate calculations.
Contact us form options: This page allows you to configure the 'Contact us' form. You can define which of the 'Contact us' form fields should
be active (visible to customers), and completion of which fields should be required (mandatory). If necessary, you can also add your own
(custom) fields to the 'Contact us' form.
Email options: This page allows you to define options that affect sending of email notifications and newsletters.
Email notifications options: This page allows you to define which of the available email notifications should be sent to the customers,
administrator(s), provider(s), users department and orders department of your store.
General options: This page allows you to adjust the general configuration of your store.
Logging options: This page allows you to define what kind of logs you wish to be kept in your store.
Product search options: This page allows you to define which fields should be included in the Product search form in the Customer area,
and set default values for these fields.
SEO options: This page allows you to adjust options that can improve your site's ranking with search engines.
Security options: This page allows you to adjust options that affect your store security (options that affect encryption methods used in your
store, HTTPS options, etc).
Shipping options: This page allows you to adjust options that affect the calculation of shipping rates in your store.
User Profiles options: This page allows you to configure your store's user profile forms. You can define which of the user profile fields should
be active (included in the user profile forms), and completion of which fields should be required (mandatory). If necessary, you can also add
your own (custom) fields for use in user profiles.

Information on the settings pages pertaining to X-Cart modules is available in the Modules section of this manual.

2 X-Cart:Store Security

2.1 Introduction
X-Cart makes it easy for nearly anyone with the desire to establish an e-commerce store to do so; however, not everyone has the background
knowledge needed to address security issues. Many store owners begin designing, adding products, and focusing on sales and SEO without ensuring
that their x-cart e-commerce store is developed in a secure environment with a focus on security. Once established, x-cart store owners are often not
aware of what is required to maintain their x-cart in a manner that keeps it secure over time.

The purpose of this tutorial is to assist you in understanding:

The importance of X-Cart security
Hosting X-Cart in a secure environment
How to secure your X-Cart
Maintenance of X-Cart security

2.2 The importance of X-Cart security


Website security should always be a priority, but is absolutely crucial when dealing with e-commerce stores that transact and store sensitive customer
data such as email addresses, phone numbers, addresses, and credit card information. Reading through the x-cart forums you will find many x-cart
store owners who have had the misfortune of having their x-cart hacked/exploited. Having worked with x-cart since 2002, I've had many of those store
owners come to me asking what can be done to fix their store, and I have repeatedly heard the common response that nobody had ever talked to them
about security and they were unaware of anything that needed to be done. Believe me when I say that if you are not aware of what is required to secure
and maintain your x-cart, it is by sheer luck that your x-cart has not been hacked or exploited and it is only a matter of time before you become a victim.
That said, by reading this tutorial you are well on your way to understanding and performing x-cart security to keep you and your customers safe.

2.3 Hosting X-Cart in a secure environment


The environment on which your x-cart is hosted is the base for all security, and if your host and/or server is not secure, all the security settings on your
x-cart are not going to keep you from being exploited. There are generally two types of hosting: a shared server where you purchase a plan with a host
and they provide you space for your site to reside on a server with many other clients, or a dedicated server, which is a computer where you can host
your site(s) exclusively (a VPS is essentially a combination allowing dedicated server privileges in an environment shared with fewer users than with
shared hosting).

2.3.1 Secured Shared Hosting

The main benefits of shared hosting are the reduced cost available by sharing the server with other users, and having the server company manage the
server security. These same benefits can also pose a security threat however, as the sites of other clients can jeopardize your security if their sites are
breached, and if you rely on a server company to secure a server and they fail to do so correctly, you can find yourself in serious trouble. To combat
these potential problems, it is imperative that you host with a trusted hosting provider who makes server security a priority. View our recommended
X-Cart Hosting providers.

2.3.2 Dedicated unmanaged server

I unfortunately often see x-cart store owners establish or move to an unmanaged dedicated server without knowing the onus of security that falls on
them in doing so. When working with an unmanaged server, you are responsible for ALL server security. This includes the configuration of all your
server settings, as well as keeping your kernel, OS, PHP/MySQL, control panel, etc. up-to-date as new branches and patches are released. This is a
daunting task for anyone not very experienced with server security, and is not recommended for the average user.

2.3.3 Dedicated managed server

Surprisingly, having a managed server does not necessarily mean your server is secure. When purchasing a managed plan, it is important to know what
the server provider will and won't do as part of your managed plan; it is not uncommon for someone to establish a managed server and set up their
site(s) thinking the host will take care of security, only to find their server exploited, to which the server company responds saying they only perform
security tasks upon request. If you rely on your host for a fully managed security package it is important that you work with a trusted hosting provider
who takes security seriously, and ensure that all aspects of security are accounted for.

2.3.4 Server Management Companies

Personally, I recommend an unmanaged dedicated server package and then using the services of a server management company such as EZSM or
ServerWizards. These companies will configure your initial security settings, put processes in place to manage your security, and keep your server
up-to-date as upgrades and patches are made available.

2.4 How to secure your X-Cart
After securing the hosting environment, it is necessary to address security with x-cart itself. Taking the following steps will make great strides in securing
your x-cart:

1. Ensure you have a secure https connection for your store using a valid SSL certificate.

For more details please refer to How do I set up secure login, registration and checkout in my X-Cart store?.

2. Do not use the "master" x-cart admin account. To change this, log in using your "master" x-cart admin account and create a new administrator with a
username that is less generic. Log in as that new user and delete the "master" user account.

3. Immediately password protect your admin and provider directories. You can usually password protect these directories using a control panel such as
cPanel, or you can use .htaccess and .htpasswd files (Please find an example here, or run a quick google search if you are unsure how).

4. Be aware of your site's file permissions, as having loose file permissions in conjunction with an exploit can allow someone to write and execute files
on your website - this is a very common exploit against x-cart so take this seriously. In general your file chmod permissions should appear as follows:

File Type         Permission
*.php             644
*.tpl             644
*.pl              755
*.sh              755
/catalog/         777
/files/           777
/images/          777
/var/             777
/var/* folders    777
/var/* files      666

For more details please refer to: Setting up file permissions in X-Cart

5. Turn off the option of sending credit card information in e-mails in the General Settings -> E-Mail Options section of your x-cart admin section.

6. Unless you are using the subscriptions module, do not store credit card information in your database. To disable, or to ensure that this setting is
disabled, open your config.php file and ensure the $store_cc variable is set to false:

$store_cc = false;

7. It is always a good idea to log into your x-cart admin section using https so that the data you transact during the x-cart session is encrypted. The
following code will force your x-cart admins/providers to log in using https:// by redirecting them when http:// is used.

Add this code to the .htaccess of your admin section (adjust your url):

# Force https on the admin section
RewriteEngine On
RewriteCond %{SERVER_PORT} !443
RewriteRule ^(.*)$ https://www.your-domain.com/xcart-dir/admin/$1 [R=301,L]

Add this code to the .htaccess of your provider section (adjust your url):

# Force https on the provider section
RewriteEngine On
RewriteCond %{SERVER_PORT} !443
RewriteRule ^(.*)$ https://www.your-domain.com/xcart-dir/provider/$1 [R=301,L]

8. The following .htaccess code, which can be placed in an .htaccess file in your store's root directory (same directory as / and cart.php), will prevent
access to sensitive areas of the x-cart file structure. If you are on a server that does not support .htaccess files, you will want to find alternate ways to
block access to these files.

Options +SymlinksIfOwnerMatch -Indexes
RewriteEngine on

# Block access to sensitive directories
# (dots are escaped so that they match a literal "." only)
RedirectMatch permanent ^.*/\.pgp/.*$ http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/patch\..*$ http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/sql/.*$ http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/schemes/.*$ http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/skin1_original/.*$ http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/Smarty.*$ http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/upgrade/.*$ http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/var/.*$ http://www.yourdomain.com/x-cart-path/error_message.php

# Block access to sensitive file types
RedirectMatch permanent ^.*\.(ini|tpl|sql|log|conf|bak)$ http://www.yourdomain.com/x-cart-path/error_message.php

# Block access to sensitive files
RedirectMatch permanent ^.*/COPYRIGHT http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/INSTALL.*$ http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/NEW.*$ http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/README http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/UPGRADE.*$ http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/VERSION http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/include/version\.php http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/config\.php http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/top\.inc\.php http://www.yourdomain.com/x-cart-path/error_message.php
RedirectMatch permanent ^.*/install\.php$ http://www.yourdomain.com/x-cart-path/error_message.php

X-Cart 4.4 or above

Note: If you use X-Cart 4.4, replace this line:

RedirectMatch permanent ^.*/var/.*$ http://www.yourdomain.com/x-cart-path/error_message.php

with these lines:

<FilesMatch !"\.(css|js)$">
RedirectMatch permanent ^.*/var/.*$ http://www.yourdomain.com/x-cart-path/error_message.php
</FilesMatch>

Otherwise the speed-up tool for JavaScript and CSS will not work!
Note: Change http://www.yourdomain.com/x-cart-path/ to the URL of your error_message.php file.
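
The permission table in step 4 can be checked mechanically. The script below is an added example, not part of the original tutorial or of X-Cart; the function names and the sample directory tree are constructed for illustration. It walks a store directory and reports every file or folder whose mode differs from the table.

```shell
#!/bin/sh
# Added example: audit a store tree against the step 4 permission table.
# File names containing newlines are not supported.

# Octal mode of a path (GNU stat first, BSD stat as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Mode the table prescribes for a path given relative to the store root.
# Prints nothing for paths the table does not cover.
expected_mode() {
    rel=$1 full=$2
    case "$rel" in
        var|var/*) if [ -d "$full" ]; then echo 777; else echo 666; fi ;;
        catalog|files|images) echo 777 ;;
        *.php|*.tpl) echo 644 ;;
        *.pl|*.sh) echo 755 ;;
    esac
}

# Print "<actual> <expected> <relative path>" for every deviation.
audit_permissions() {
    root=${1%/}
    find "$root" -mindepth 1 \( -type f -o -type d \) | sort |
    while IFS= read -r p; do
        rel=${p#"$root"/}
        want=$(expected_mode "$rel" "$p")
        [ -n "$want" ] || continue
        have=$(mode_of "$p")
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$have" "$want" "$rel"
    done
}

# Constructed sample tree (not a real X-Cart install) with two deviations.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/var/log" "$t/images" "$t/skin1" "$t/admin"
    : > "$t/config.php";         chmod 666 "$t/config.php"      # looser than 644
    : > "$t/admin/home.php";     chmod 644 "$t/admin/home.php"
    : > "$t/skin1/home.tpl";     chmod 644 "$t/skin1/home.tpl"
    : > "$t/backup.sh";          chmod 755 "$t/backup.sh"
    : > "$t/var/log/errors.log"; chmod 666 "$t/var/log/errors.log"
    : > "$t/var/data.php";       chmod 755 "$t/var/data.php"    # executable file in var
    chmod 777 "$t/var" "$t/var/log" "$t/images"
    echo "$t"
}

tree=$(make_sample_tree)
audit_permissions "$tree"
rm -rf "$tree"
```

On a real store, call audit_permissions with the X-Cart directory path shown on the Admin summary page.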

2.5 How do I set up secure login, registration and checkout in my X-Cart store?
Firstly, you should obtain an SSL certificate and have it properly installed and configured on your web server.

The majority of hosting companies help their customers to purchase SSL certificates or provide their own Shared SSL URLs. If your hosting company
doesn't render such services, you will need to purchase a certificate on your own.

We will be glad to assist you with this issue. You can purchase SSL certificates from our company. We sell SSL certificates provided by the world's
leading Certification Authority, Comodo Group. For details, conditions and prices, please see http://www.x-cart.com/ssl/.

If you are on a dedicated server, we can offer you our service of analyzing and configuring your server and/or installing the SSL certificate on it. Please
note: we will need 'root' access to your server over SSH or 'Administrator' access over MS Remote Access Desktop to complete these tasks.

Secondly, once you have the SSL certificate installed and configured, you should configure the HTTPS server in X-Cart. To do so, modify the
<xcart_dir>/config.php file and set the $xcart_https_host variable properly:

/**
* X-Cart HTTP & HTTPS host and web directory
*
* This section defines the location of your X-Cart installation. If X-Cart is
* installed using Web installation, the variables of this section are
* configured via the Installation Wizard. If you install X-Cart manually, use
* this section to provide your web server details manually.
*
* $xcart_http_host - Host name of the server on which your X-Cart software is
* to be installed;
* $xcart_https_host - Host name of the secure server that will provide access
* to your X-Cart-based store via the HTTPS protocol;
* $xcart_web_dir - X-Cart web directory.
*
* NOTE:
* The variables $xcart_http_host and $xcart_https_host must contain hostnames
* ONLY (no http:// or https:// prefixes, no trailing slashes).
*
* Web dir is the directory where your X-Cart is installed as seen from the Web,
* not the file system.
*
* Web dir must start with a slash and have no slash at the end. An exception to
* this rule is when you install X-Cart in the site root, in which case you need
* to leave the variable empty.
*
* EXAMPLE 1:
* $xcart_http_host ="www.yourhost.com";
* $xcart_https_host ="www.securedirectories.com/yourhost.com";
* $xcart_web_dir ="/xcart";
* will result in the following URLs:
* http://www.yourhost.com/xcart
* https://www.securedirectories.com/yourhost.com/xcart
*
* EXAMPLE 2:
* $xcart_http_host ="www.yourhost.com";
* $xcart_https_host ="www.yourhost.com";
* $xcart_web_dir ="";
* will result in the following URLs:
* http://www.yourhost.com/
* https://www.yourhost.com/
*/

Finally, enable the secure checkout at your store by selecting the HTTPS protocol for the payment methods to be secure on the Payment Methods
page. You can also adjust these HTTPS options on the 'General settings/Security options' page:

Use HTTPS for users' login and registration


Use secure login form on a separate page (HTTPS)

Optionally, if you need to secure certain PHP scripts, add them to the 'https_scripts' array in the <xcart_dir>/https.php file. You can find some
examples in the <xcart_dir>/https.php file:

$https_scripts[] = 'login.php';
$https_scripts[] = array(
'cart.php',
"mode=checkout",
);

Optionally, if you want to switch the whole x-cart to secure mode, edit the https.php file. Find the line

function is_https_link($link, $https_scripts) {

and replace it with

function is_https_link($link, $https_scripts) {
    return true;

Now, if your web server does not use SSL certificates, and you are running an HTTPS Proxy instead, you may need to make additional settings to
enable your X-Cart to work over SSL (secure connection). In the include/https_detect.php file, define the proxy IP address and set the $HTTPS variable to
'true':

if ($_SERVER['REMOTE_ADDR'] == '192.160.1.1') {
$HTTPS_RELAY = true;
$HTTPS = true;
}

If you are not sure whether your web server uses SSL certificates or runs behind an HTTPS Proxy, contact your hosting service provider or server
administrator or email our technical support - we will help you find that out.

If you experience problems with external services (payment / shipping) working over https while using curl/libcurl as the https module, try adding the
following line to top.inc.php:

define('USE_CURLOPT_SSL_VERIFYPEER', 1);

after

$xcart_dir = rtrim(realpath($xcart_dir), XC_DS);

2.6 How do I set up password protection for my X-Cart admin and provider areas?
Generally, the password protection can be done as follows (assuming that you want to use "abc123" and "123" as login/password):

1. In X-Cart Admin area, open the Summary page.

2. In the Environment info section, find and copy the X-Cart directory path (something like /home/user/www/xcart). You will need it a bit later.

3. Generate .htpasswd file.

If you have shell access to your hosting server, enter the following command:

htpasswd -c .htpasswd abc123

and then press Enter. Now enter the merchant key (password) two times.

Alternatively, you can use one of the on-line htpasswd generators to generate an entry for your .htpasswd file (for example
http://www.htaccesstools.com/htpasswd-generator/), then copy the generated entry into your .htpasswd file.

So, the content of your .htpasswd file will look like:

abc123:$apr1$H1wVgYiJ$cRFQbQnqZGvmZ2Im.u9q30

4. Copy the .htpasswd file to the X-Cart's admin and provider directories.

5. Open admin/.htaccess and paste the following data to it:

AuthType Basic
AuthName "Restricted Admin Area"
# In the line below, replace /home/user/www/xcart/ with
# the actual X-Cart path shown on your Admin summary page.
AuthUserFile /home/user/www/xcart/admin/.htpasswd
require valid-user

6. Open provider/.htaccess and paste the following data to it:

AuthType Basic
AuthName "Restricted Provider Area"
# In the line below, replace /home/user/www/xcart/ with
# the actual X-Cart path shown on your Admin summary page.
AuthUserFile /home/user/www/xcart/provider/.htpasswd
require valid-user

Alternatively, you can password-protect the admin and provider areas using the password protection setup facility in the Control Panel of your hosting
account.

2.7 Seven security features that you might not know yet

2.7.1 SECURITY_BLOCK_UNKNOWN_ADMIN_IP

The mode of enhanced protection. It allows you to control from which IP addresses users can access your x-cart.

By default, it is disabled. To turn it on, edit config.php file. Set this value

SECURITY_BLOCK_UNKNOWN_ADMIN_IP

to 'true', i.e.

define("SECURITY_BLOCK_UNKNOWN_ADMIN_IP", true);

As soon as you enable this mode, you should log in to the x-cart admin area so that your own IP address is registered in the system. After that, no user will be
able to log in to the admin back end until you register his/her IP address: all login attempts will be denied and the users will get an error message.

If login/password, submitted by a user, are correct (i.e. correspond to the login/password of an existing user, and this user belongs to a type with
permissions to access this x-cart zone), a request to register the user's IP address will be sent to x-cart administrator email.

This notification will have information about the time of the login attempt, the username and the IP address. Thus you can consider whether or not to
grant access to this user: by simply clicking on a link in the email. As a result, the IP address will be registered in your store's list of allowed IP
addresses.

More information: X-Cart:User Access Control
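
The approval flow described above, sketched as an added example (this is not X-Cart's own code). The class name, the approval URL, the single-use token and the rule that the first valid login registers the administrator's address are assumptions made for illustration.

```python
import ipaddress
import secrets


class AdminIpGate:
    """Sketch of the unknown-admin-IP workflow; not X-Cart's implementation."""

    def __init__(self, check_credentials, send_mail):
        self.check_credentials = check_credentials  # callable(login, password) -> bool
        self.send_mail = send_mail                  # callable(message_text)
        self.allowed = set()   # registered admin IP addresses
        self.pending = {}      # approval token -> IP awaiting registration

    def login(self, login, password, remote_addr, when):
        """Return "ok" or "denied" for one login attempt."""
        try:
            ip = ipaddress.ip_address(remote_addr)
        except ValueError:
            return "denied"
        if not self.check_credentials(login, password):
            # Wrong credentials never trigger a registration request.
            return "denied"
        if not self.allowed:
            # Assumption: the first valid login after the mode is enabled
            # registers the administrator's own address.
            self.allowed.add(ip)
            return "ok"
        if ip in self.allowed:
            return "ok"
        # Valid credentials from an unknown address: deny the login and ask
        # the store administrator to approve the address by e-mail.
        token = secrets.token_urlsafe(24)
        self.pending[token] = ip
        self.send_mail(
            "Login attempt at %s by user %s from IP %s.\n"
            "Approve: https://store.example/admin/approve_ip?token=%s"  # hypothetical URL
            % (when, login, ip, token)
        )
        return "denied"

    def approve(self, token):
        """Register the IP tied to a token; each token works only once."""
        ip = self.pending.pop(token, None)
        if ip is None:
            return False
        self.allowed.add(ip)
        return True


def demo():
    """Walk through the flow with constructed accounts and addresses."""
    outbox = []
    gate = AdminIpGate(
        check_credentials=lambda user, pw: (user, pw) == ("admin", "correct-password"),
        send_mail=outbox.append,
    )
    results = [
        gate.login("admin", "correct-password", "203.0.113.10", "10:00"),  # own IP
        gate.login("admin", "wrong", "198.51.100.7", "10:05"),             # bad password
        gate.login("admin", "correct-password", "198.51.100.7", "10:06"),  # unknown IP
    ]
    gate.approve(next(iter(gate.pending)))  # administrator follows the e-mailed link
    results.append(gate.login("admin", "correct-password", "198.51.100.7", "10:10"))
    return results, len(outbox)
```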

2.7.2 System Fingerprints

X-Cart uses MD5 (Message-Digest algorithm 5) for data integrity control. Using this tool you can create lists of MD5 checksums of all the files in X-Cart
installation directory and compare checksum lists generated at different periods of time to verify the integrity of your X-Cart files.

In X-Cart, a list of MD5 checksums of all the files is called "system fingerprint". The first system fingerprint in your store is generated automatically during
x-cart installation.

Any system fingerprint can be compared with the current state of the store or with any other fingerprint. This process allows detecting any changes in
/xcart directory. You get a list of files which have been modified, added or lost (removed from the system or renamed so they cannot be identified).

You can use this tool to track changed and suspicious files. For example, if you think your store has been hacked, you can get the full list of the
changed files and check/repair them manually.

More information: X-Cart:System Fingerprints
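
The fingerprint comparison described above, as an added example (not X-Cart's own tool). The function names and the sample store tree are constructed for illustration; the output uses the same three categories the text lists: modified, added and lost.

```python
import hashlib
import os
import tempfile


def make_fingerprint(root):
    """Return {relative_path: md5_hex} for every regular file under root."""
    fingerprint = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            digest = hashlib.md5()
            with open(full, "rb") as handle:
                for chunk in iter(lambda: handle.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            fingerprint[rel] = digest.hexdigest()
    return fingerprint


def compare_fingerprints(old, new):
    """Classify paths as modified, added or lost between two fingerprints."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        # A renamed file shows up as lost under its old name and added
        # under its new one, because it is identified by path.
        "lost": sorted(p for p in old if p not in new),
    }


def _write(root, rel, data):
    """Create or overwrite a file inside the constructed sample tree."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo():
    """Fingerprint a constructed tree, change it, and diff the two lists."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "config.php", b"<?php // settings v1\n")
        _write(root, "cart.php", b"<?php // cart\n")
        _write(root, "admin/home.php", b"<?php // admin home\n")
        baseline = make_fingerprint(root)

        _write(root, "config.php", b"<?php // settings v2\n")    # modified
        _write(root, "admin/unexpected.php", b"<?php // new\n")   # added
        os.rename(os.path.join(root, "cart.php"),
                  os.path.join(root, "cart.php.bak"))              # renamed

        return compare_fingerprints(baseline, make_fingerprint(root))
```

Keep a copy of the baseline fingerprint somewhere the web server cannot write to: a fingerprint stored beside the files it describes can be regenerated by whoever changed them.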

2.7.3 Protection from CSRF attacks (cross site request forgery attacks)

There is a built-in protection from CSRF attacks. Each form in the backend has a unique identifier which ensures that this form is valid. These unique
form identifiers are used for the protection.

Unique form identifiers are generated within a user session and assigned to each X-Cart page which is loaded in the user's browser and which contains
an HTML form for submitting data via POST. The main purpose of these identifiers is to ensure authenticity of the form when the form is submitted by
the user: if the submitted form contains a valid form identifier, the form is recognized as one generated by X-Cart in the current user's session, and
is therefore treated as valid and safe for use. If there is no valid form identifier, the form is treated as suspicious and the submit process is canceled.

Information about the CSRF attacks: http://en.wikipedia.org/wiki/Cross-site_request_forgery

There are sooooo many web applications that just don't have such a protection :-(
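
The form-identifier check described above, as an added example (not X-Cart's own code). The hidden-field name form_id, the Session class and the cap on remembered identifiers are assumptions made for illustration.

```python
import hmac
import html
import secrets

FIELD = "form_id"    # hypothetical hidden-field name
MAX_FORM_IDS = 50    # assumption: identifiers remembered per session


class Session:
    """Server-side session state (constructed for this example)."""

    def __init__(self):
        self.form_ids = []


def issue_form_id(session):
    """Create an unpredictable identifier and remember it in the session."""
    form_id = secrets.token_hex(16)
    session.form_ids.append(form_id)
    del session.form_ids[:-MAX_FORM_IDS]   # forget the oldest identifiers
    return form_id


def render_form(session, action):
    """Return a POST form carrying a fresh identifier in a hidden field."""
    return (
        '<form method="post" action="%s">'
        '<input type="hidden" name="%s" value="%s">'
        '<input type="submit" value="Save"></form>'
        % (html.escape(action, quote=True), FIELD, issue_form_id(session))
    )


def is_valid_submission(session, post_fields):
    """True only if the POST carries an identifier issued in this session."""
    submitted = post_fields.get(FIELD)
    if not isinstance(submitted, str) or not submitted:
        return False
    candidate = submitted.encode("utf-8", "replace")
    valid = False
    for known in session.form_ids:
        # Constant-time comparison against every stored identifier.
        valid |= hmac.compare_digest(known.encode("ascii"), candidate)
    return valid


def handle_post(session, post_fields):
    """Cancel the submit unless the form identifier checks out."""
    if not is_valid_submission(session, post_fields):
        return "rejected"
    return "accepted"


def demo():
    """Constructed requests: one genuine form and three that must fail."""
    admin = Session()
    other = Session()
    render_form(admin, "/admin/settings.php")
    own_id = admin.form_ids[-1]
    return [
        handle_post(admin, {FIELD: own_id, "company": "Example Ltd"}),  # genuine form
        handle_post(admin, {"company": "Example Ltd"}),                 # no identifier
        handle_post(admin, {FIELD: issue_form_id(other)}),              # other session's id
        handle_post(admin, {FIELD: "0" * 32}),                          # guessed value
    ]
```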

2.7.4 FRAME_NOT_ALLOWED

It is possible to forbid calling X-Cart in IFRAME / FRAME tags.

If you do not display X-Cart through a frame on any of your pages, you can enable this option as an additional security measure. It
prevents attacks in which an attacker displays X-Cart inside a frame and, using browser vulnerabilities, intercepts the information entered in the form.

To enable this feature, find the following line in config.php and change false to true:

define("FRAME_NOT_ALLOWED", false);

2.7.5 Blowfish encryption (merchant key)

Blowfish data encryption (based on Merchant key) is more secure than the usual encryption method. In this method, you create a Merchant key - a
password that allows you to encrypt the details of your customers' orders and to decrypt previously encrypted order details when you wish to view them.

This higher level of security is achieved because the key used to encrypt and decrypt order details is not stored anywhere in the system. The only thing that is
stored is an MD5 signature of the key. When you need to access the details of a certain order, you manually enter your Merchant key into a special form
on the 'Order details' page. In the next session, you will have to re-enter the Merchant key to get access to order details.

So if somebody steals your database and all files, they will still not be able to steal the credit card numbers.

More information: X-Cart:Blowfish

2.7.6 PHPIDS

PHPIDS (PHP Intrusion Detection System) is an open source PHP Web Application Intrusion Detection System. PHPIDS detects Cross-site scripting
(XSS), SQL injection, header injection, Directory traversal, Remote File Execution, Local File Inclusion and Denial of Service (DoS) attacks. It is simple to use and
well structured. It reports the impact of every attack by analyzing any chosen input variables, such as POST, GET, SESSION and COOKIE. Find out more at
http://phpids.org/

2.7.7 $admin_allowed_ip

By default there are no IP-based limitations on accessing the X-Cart admin area. To make your admin area more secure, you can define IP-based restrictions
by editing the $admin_allowed_ip parameter in the config.php file located in the X-Cart root directory, as shown below.

Example:

$admin_allowed_ip = "192.168.0.1, 127.0.0.1";

This will make the access limited to users from IP addresses 192.168.0.1 and 127.0.0.1.

2.8 Maintaining X-Cart security


A big mistake I see with users of software is thinking they can set up the software and run the software for an indefinite period of time. It is imperative
with X-Cart, and all software you run for that matter, that you apply security patches and upgrade as new releases are available. While the patches and
upgrades do require time and/or money to apply, neglecting to do so can be potentially fatal to your business and they need to be made a priority.

X-Cart provides security and release bulletins that you can sign up for in your Qualiteam Account. Be sure to sign up for these bulletins and stay on top
of your security.

Hint: If you need to walk away from your computer for whatever reason, even for just a few moments, log off from the admin area of your store or lock
your workstation.

2.9 See also


X-Cart:Security Options
X-Cart:Security related tips

Article copyright 2007 WebsiteCM.com http://www.websitecm.com/x-cart-tutorials/x-cart-security/

3 X-Cart:Geographical Settings

3.1 Geographical settings in X-Cart


Adjustment of your store's geographical settings includes defining countries, states, counties and destination zones.

Countries, states and counties are the territories from which you allow customer registrations and to which your store's products can be
sold and shipped. Names of your store's active countries, states and counties appear in drop-down boxes on all the pages where addresses can be
entered ('Profile details' form, General settings->General options section, General settings->Company options section) so that store users can use them
as address components when entering addresses. They are also used to define destination zones.

Destination zones are groups of territories to which your products can be sold and shipped, and for which shipping and tax rates are the
same. Defining the store's destination zones correctly is very important, because destination zones serve as a basis for adjusting shipping charges and
tax rates for different locations.

3.2 Roles in geographical settings management


If you are an X-Cart GOLD/GOLD PLUS administrator/provider:

You can manage countries (Study the section Countries):


define what countries need to appear in 'Country' drop-down boxes in form sections intended for entering addresses;
define what countries have states (required for JavaScript state and county selector);
edit names of countries;
define country names in all the languages used by your store.

You can manage states (See the section States):


define names and codes for the states that need to appear in 'State' drop-down boxes in form sections intended for entering
addresses;
edit state names and codes;
delete states.

You can create and manage counties (See the section Counties):
enable usage of counties in your store;
define which states have counties;
define names for the counties that need to appear in 'County' drop-down boxes in form sections intended for entering addresses;
edit names of counties;
delete counties.

You can define and manage destination zones (Check out the section Destination zones).

If you are an X-Cart PLATINUM/PRO administrator:

You can manage countries (Study the section Countries):


define what countries need to appear in 'Country' drop-down menus on all the forms used to specify billing/shipping addresses;
define what countries have states (required for JavaScript state and county selector);
edit names of countries;
define country names in all the languages used by your store.

You can manage states (See the section States):


define names and codes for the states that need to appear in 'State' drop-down menus on all billing/shipping address forms;
edit state names and codes;
delete states.

You can create and manage counties (See the section Counties):
enable usage of counties in your store;
define which states have counties;
define names for the counties that need to appear in 'County' drop-down menus on all billing/shipping address forms;
edit names of counties;
delete counties.

If you are an X-Cart PLATINUM/PRO provider:

You can define destination zones and manage your own destination zones (Check out the section Destination zones). You cannot manage
destination zones created by other providers.

4 X-Cart:Shipping Settings

4.1 Overview
X-Cart can be set up to calculate the cost of shipping for products being ordered by customers.

By default, shipping calculation in your store is disabled. If you wish to provide shipping cost calculation to your customers, you must enable this
functionality by selecting the check box ENABLE SHIPPING in the 'General settings/Shipping options' section of the store's Admin area.

After you enable shipping cost calculation, you will need to set up the shipping methods that your store will use to deliver orders to customers. You can
either define your own shipping methods or use the pre-defined shipping methods provided by such popular carriers as USPS, UPS, FedEx,
DHL/Airborne, Canada Post and Australia Post.

If you decide to use your own shipping methods, the shipping rates for these methods will need to be entered into X-Cart manually.

If you decide to use the shipping methods provided by the carrier companies like USPS, UPS, FedEx, etc, the shipping rates for these methods will
need to be obtained from the respective carrier companies. These rates will need to be entered into X-Cart manually or to be obtained in real time from
the online shipping calculators provided by the respective carrier companies or InterShipper service.

Shipping setup:

No shipping calculation:

ENABLE SHIPPING (General settings/Shipping options) = off

Real-time shipping calculation:

ENABLE SHIPPING (General settings/Shipping options) = on
Enable real-time shipping calculation (General settings/Shipping options) = on
Activate the real-time shipping methods that you wish to use:
a) Go to the 'Shipping methods' page.
b) In the 'Real-time calculated shipping methods' section of the 'Shipping methods' page, enable the methods you wish to use.
Enable your store to use real-time shipping cost calculators.

Non-real time shipping calculation:

ENABLE SHIPPING (General settings/Shipping options) = on
Enable real-time shipping calculation (General settings/Shipping options) = off

4.2 Roles in shipping settings management


If you are an X-Cart GOLD/GOLD PLUS administrator/provider:

You can define the shipping methods that will be used by your store. The methods can be real-time and non-real time (See the chapter
Shipping Methods).
If you decide to use real-time shipping methods, you can enable your store to use real-time shipping cost calculators (See the chapter
Real-time Shipping Calculators).
If you decide to use non-real time shipping methods, you can adjust shipping rates for them (See the chapter Shipping Charges).

For real-time shipping methods, you can adjust markups (See the chapter Shipping Markups).

If you are an X-Cart PLATINUM/PRO administrator:

You can define the shipping methods that will be used by your store. The methods can be real-time and non-real time (See the chapter
Shipping Methods).
If you decide to use real-time shipping methods, you can enable your store to use real-time shipping cost calculators (See the chapter
Real-time Shipping Calculators).

If you are an X-Cart PLATINUM/PRO provider:

You can adjust shipping rates for non-real time shipping methods (See the chapter Shipping Charges).
You can adjust markups for real-time shipping methods (See the chapter Shipping Markups).

4.3 Shipping Methods


Before you start configuring your shipping methods, you must enable shipping in your store: Go to the General settings->Shipping options section and
activate shipping by selecting the 'ENABLE SHIPPING' check box.

After this you will be able to set up shipping methods on the 'Shipping Methods' page of the Admin area. In X-Cart versions 4.4.0 and later, this page
can be found at Shipping and Taxes menu -> Shipping methods; in X-Cart versions 4.3.0-4.3.2, this section can be found at Settings menu -> Shipping
methods; in earlier versions, this section can be found at Management menu -> Shipping methods.

The 'Shipping methods' page looks like this (or similar to this - with minor variations depending on the version):

There are two types of shipping methods that you can use:

User-defined methods (These can be added using the 'Add shipping method' section; after you add them, they appear in the
'Defined shipping methods' section). Shipping rates for methods of this type can be defined manually via the 'Shipping charges'
section.
Real-time calculated shipping methods (These can be selected using the 'Real-time calculated shipping methods' section).
Methods of this type can be set up to obtain rates in real time from real-time calculation services (for this purpose, X-Cart provides
integration modules for InterShipper and real-time calculation services by UPS, USPS, FedEx, Airborne, etc). If you do not intend to
obtain rates for these methods in real time, you can define charges for these methods manually via the 'Shipping charges' section;
in this case, your customers will be provided with an approximate estimation of shipping cost based on your settings, which may be
different from the actual fees charged by the respective shipping carrier companies.

4.3.1 Setting up real-time calculated shipping methods

Real-time calculated shipping methods that you intend to use at your store can be selected in the 'Real-time calculated shipping methods' section of the
'Shipping methods' page.

X-Cart versions 4.6.1 and later:


By default, all real-time calculated shipping methods are disabled. The 'Real-time calculated shipping methods' section looks as follows:

To set up real-time shipping methods:

1. Click the Add/remove real-time shipping methods button. This opens the 'Add/remove real-time shipping methods' page providing the list of
available carrier companies and their specific shipping methods (The method names are hidden from view and can be viewed by clicking on
the [+] icon next to the carrier company name).
2. Locate the shipping methods you wish to use and select the Active check boxes next to their names.
3. After selecting all the shipping methods you require, click Apply changes. The methods will be activated for your store and added to the list of
methods in the 'Real-time calculated shipping methods' section.

X-Cart versions 4.6.0 and earlier:


By default, all real-time calculated shipping methods are enabled. You need to disable the methods you do not intend to use. The 'Real-time calculated
shipping methods' section looks as follows:

To set up real-time shipping methods:

1. Go through the list of carrier companies displayed in the 'Real-time calculated shipping methods' section and expand the hidden list of
methods for each company by clicking the [+] icon next to the company name.
2. Use the 'Uncheck all' links to deselect all the methods for carriers you do not intend to use. For carriers that you will use, go through the list of
shipping method names and leave the Active check box selected only for the methods that you wish to use.
3. After selecting all the shipping methods you require, click Apply changes.

All X-Cart versions:


To receive shipping rates for the selected methods in real time, you must also adjust the configuration settings for the respective real-time shipping
calculation modules (See X-Cart:Shipping_Settings#Real-time_Shipping_Calculators).

4.3.2 Adding your own user defined shipping methods

You can create your own shipping methods. To add a new shipping method:

1. In Admin area, go to the Shipping Methods page.


2. Use the 'Add shipping method' section to specify the details for your new shipping method:
Delivery time: Delivery time in days.
Weight limit: Weight limit (set the value of these fields to zero if there are no limitations).
Destination: Select National or International from the DESTINATION drop-down box, depending on whether this shipping method
can be used for shipping goods to national or international locations. If you select National, this shipping method will not be
available to international customers and customers who are not logged in. International shipping methods are only displayed to
customers from countries different from the country of shop location.
Pos.: Position number (the number affecting the order in which the shipping methods are displayed to your customers).
Active: Whether the method is available to customers.
COD: Whether Cash on delivery payment method is available for this shipping method.
3. Click the Apply changes button. The new method will be added to the list in the 'Defined shipping methods' subsection.

4.3.3 Editing shipping methods

To edit a shipping method:

1. In Admin area, go to the Shipping Methods page.


2. Locate the shipping method you want to edit.
3. Adjust the shipping method's details as required.
Note: For real-time calculated methods, the weight limit settings limit not the total order weight, but the weight of one shipping package. All
orders above the weight limit will be split into several packages so that the weight of each package is below the limit. X-Cart calculates
shipping charges for each package and then adds them together to get the total order shipping cost.
4. Click the Apply changes button.

4.3.4 Activating/deactivating shipping methods

To change the availability of a shipping method:

(Instructions for user defined methods in all X-Cart versions and for real-time methods in X-Cart versions 4.6.0 and earlier):

1. In Admin area, go to the Shipping Methods page.


2. Locate the shipping method you need to activate/deactivate and select/unselect the check box in the Active column next to its name.
3. Click Apply changes.

(Instructions for real-time methods in X-Cart versions 4.6.1 and later):

1. In Admin area, go to the Shipping Methods page.


2. In the 'Real-time calculated shipping methods' section, click the Add/remove real-time shipping methods button.
3. On the 'Add/remove real-time shipping methods' page, locate the shipping method you need to activate/deactivate and select/unselect the
check box in the Active column next to its name.
4. Click Apply changes.

4.3.5 Deleting shipping methods

You can delete shipping methods you created. To delete a shipping method:

1. In Admin area, open the Shipping Methods page.


2. In the 'Defined shipping methods' section, locate the shipping method you wish to delete and click the Delete button on the line of this method.

4.4 Real-time Shipping Calculators


Some carrier companies (like UPS, USPS, FedEx, DHL/Airborne, Canada Post and Australia Post) provide real-time shipping rates that allow users to
estimate the cost of shipping by methods provided by these companies. Your X-Cart based store has shipping modules that enable it to obtain shipping
rates from the real-time shipping calculators of such companies and provide your customers with an estimation of shipping cost for orders before they
are placed. Integrated shipping modules are provided for UPS, USPS, FedEx, DHL/Airborne, Canada Post and Australia Post. There is also a module
allowing your store to obtain shipping rates for UPS, USPS, FedEx, DHL/Airborne through InterShipper rate service.

Important: Please be aware that to be able to use shipping modules for obtaining real-time shipping rates, your X-Cart based store will need to meet
certain system requirements (See the section Server Requirements in this manual).
To use X-Cart's shipping modules for obtaining real-time shipping rates, you will need an account with each company that you will use to ship products
to your customers (except for Australia Post - for which no account is needed) or an account with InterShipper.

Note. The real-time calculated rate quote is only an estimation and may be different from the actual charges for your shipment.
Here you can find the instructions for enabling your store to use real-time shipping cost calculators provided by:

InterShipper,

USPS,

FedEx,

DHL/Airborne,

Canada Post and

Australia Post.

For information on setting up your store to use UPS real-time shipping calculator, see UPS Developer Kit

4.4.1 Video tutorial

4.5 Shipping Charges


X-Cart shopping cart software allows you to define shipping rates for each shipping method and destination zone defined by the administrator of your
store. This is done by setting up shipping rules in the 'Shipping charges' section (In X-Cart versions 4.4.0 and later, this section can be found at Shipping
and Taxes menu -> Shipping charges; in X-Cart versions 4.3.0-4.3.2, this section can be found at Settings menu -> Shipping charges; in earlier
versions, this section can be found at Inventory menu -> Shipping charges). Each rule defines a shipping rate for a specific shipping situation (e.g. how
much it should cost to ship an order weighing between 10 and 15 lbs to a country located in zone 2 by UPS Ground).

Note: In X-Cart PLATINUM or PRO, shipping charges are defined by each provider individually, in the provider area. See also the chapter Roles in
shipping settings management
Note: You can make any shipping method available for more than one destination zone, or set up different shipping rules for the same method within
one destination zone.
Note: When the 'Enable real-time shipping calculation' option is OFF (General settings/Shipping options), you can set up shipping charges both for
real-time shipping methods and manually defined shipping methods.
Note: Shipping charges must be set up as follows:

For International destination zones and International shipping methods respectively.


For National destination zones and National shipping methods respectively.

National shipping methods will never be applied to International destination zones, and vice versa. Thus, if you set up shipping charges for National
shipping methods and International destination zones, or vice versa, the shipping charges will never work.
If your shipping policy is complex you may need to define multiple shipping rules to cover all the cases.

In X-Cart GOLD and GOLD PLUS, both shipping methods and shipping charges are defined by the store administrator. If he fails to define shipping
charges for certain shipping methods, such methods will be unavailable to customers.

In X-Cart PLATINUM and PRO, the store administrator defines only shipping methods, shipping charges for these methods are defined by providers. If
providers fail to define shipping charges for some shipping method, the shipping cost for this method will be "0" (zero).

4.5.1 Defining shipping charges

1. Go to the 'Shipping charges' section.

2. Scroll to the 'Add shipping charge values' section of the 'Shipping charges' form.

3. Define the shipping rule, adjust the fields as follows:

Shipping method: The shipping method for which you wish the shipping rule to be used.
Zone: The destination zone for which you wish the shipping rule to be used.
Apply rate to: Select from DST (Discounted subtotal) or ST (Subtotal) to determine whether shipping should be calculated as a percentage
from subtotal with or without discount (if any).
Weight range: The weight range for which you wish the shipping rule to be used. Must be set in units of weight used by the store.
Order subtotal range: The order subtotal range for which you wish the shipping rule to be used. Must be set in units of primary currency used
by the store.

Note: If you do not wish to limit the weight and/or order subtotal ranges, set the respective values to 999999.9.

Flat charge: The fixed amount that you wish to charge per order. Must be set in units of primary currency used by the store.
Percent charge: The amount that you wish to charge based on the order subtotal. Must be set in percent.
Per item charge: The fixed amount that you wish to charge for each item in the shopping cart. Must be set in units of primary currency used by
the store.
Per <unit of weight> charge: The fixed amount that you wish to charge per unit of weight (For example, the amount you wish to charge per
kilogram of total order weight). Must be set in units of primary currency used by the store.

4. Click the Add button.

After shipping charges are defined, the cost of shipping in your store will be calculated according to the formula:

SHIPPING = Rate + TOTAL_WEIGHT*Weight_Rate + ITEMS*Item_Rate + SUM*Percent_Rate/100

where:

SHIPPING is Shipping cost.


Rate is the amount defined by the 'Flat charge' field.
Weight_Rate is the amount defined by the 'Per <unit of weight> charge' field.
Item_Rate is the amount defined by the 'Per item charge' field.
Percent_Rate is the amount defined by the 'Percent charge' field.
TOTAL_WEIGHT is the total weight of the order (sum of weights of all the items in the shopping cart).
ITEMS is the total number of items in the shopping cart.
SUM is the order total amount.

4.5.2 Modifying shipping charges

1. Go to the 'Shipping charges' section.

2. Select the group of shipping methods the charges for which you need to modify. Select the destination zone.

When the page is reloaded, only the shipping methods belonging to the specified group will be displayed.

3. Change the values that need to be modified (you can change the shipping method, the destination zone, the weight range or the total order amount
range, the contents of the Flat charge, Percent charge, Per item charge and Per lb. charge fields)

4. Click the Update button.

4.5.3 Deleting shipping charges

1. Go to the 'Shipping charges' section.


2. Select the group of shipping methods to which the shipping charge you need to delete applies. Select the destination zone. When the page is
reloaded, only the shipping methods belonging to the specified group will be displayed.
3. Select the check boxes next to the shipping rule that needs to be deleted. Use the check box next to the shipping method name to select or
unselect all the charges for this shipping method.
4. Click the Delete selected button.

4.5.4 Video tutorial

4.6 Shipping Markups


You can define markups for real-time calculated shipping methods. This can be useful when your shipping expenses exceed the value returned by the
real-time shipping processor (e.g. You have to pay for packing, insurance, etc).

Shipping markups are defined using X-Cart's 'Shipping markups' section (In X-Cart versions 4.4.0 and later, this section can be found at Shipping and
Taxes menu -> Shipping markups; in X-Cart versions 4.3.0-4.3.2, this section can be found at Settings menu -> Shipping markups; in earlier versions,
this section can be found at Inventory menu -> Shipping markups).

Note: The 'Shipping markups' item appears in the Settings menu only after the option 'Enable real-time shipping calculation' is enabled in General
settings/Shipping options.
Shipping markups are defined similarly to shipping charges.

After you define markups, the shipping cost in your store will be calculated according to the formula:

SHIPPING = Rate + Markup + TOTAL_WEIGHT*Weight_Markup + ITEMS*Item_Markup + SUM*Percent_Markup/100

Where:

SHIPPING is the shipping cost.


Rate is the shipping rate returned by the real-time calculation service (UPS, FedEx, etc).
Markup is a fixed markup amount applied to the order (the value of the 'Flat charge' field).
Weight_Markup is a shipping markup based on product weight (the value of the 'Per lbs charge' field).
Item_Markup is a shipping markup applied per item ordered (the value of the 'Per Item charge' field).
Percent_Markup is a shipping markup calculated as percent of the total order amount (the value of the 'Percent charge (%)' field)
TOTAL_WEIGHT is the sum of weights of all the items in the shopping cart (variable).
ITEMS is the total number of items in the shopping cart (variable).
SUM is the total order amount (variable).

If a markup needs to be applied only to a certain weight and/or order subtotal range, specify this range using the corresponding fields.

The markups defined here will be added to the value returned by the real-time shipping calculation service.

1. For packages that weigh 5.00-10.00 lbs, $1 per each pound will be added to the rate returned by the real-time calculation service.

2. For packages that weigh 10.00-20.00 lbs, a flat charge of $15 will be added to the rate returned by the real-time calculation service, plus $0.50 will be
added per each item in the package.

4.7 Setting up Shipping (manually defined rates)


In this section we will walk you through the process of shipping setup step-by-step. Please note that the shipping rates and methods are given as
samples only. Use your own rates and methods when setting up shipping in your store.

Shipping system in X-Cart is based on the correct setup of the 3 main parameters:

1. Shipping Methods

2. Destination Zones

3. Shipping Charges

First of all, you need to decide, which shipping method (or methods) you will use. You might want to use different shipping methods for certain package
weight ranges, or for certain order subtotals; you might want to charge a flat charge, per item charge, percent charge or a combination of the above. In
our example we will define charges depending on package weight.

Here are the shipping charges we want to set up:

UK:

weight range, kg    shipping charge, GBP    shipping method
0-1                 3.00                    Royal Mail 1st Class
1-2                 5.00                    Royal Mail 1st Class
2+                  9.00                    City Link

EU - EUROPEAN UNION:

weight range, kg    shipping charge, GBP    shipping method
0-1                 5.00                    Royal Mail Airmail
1-2                 10.00                   Parcelforce International
2+                  30.00                   Parcelforce International

USA / CANADA / FAR EAST & AUSTRALIA:

weight range, kg    shipping charge, GBP    shipping method
0-1                 8.00                    Royal Mail Airmail
1-2                 18.00                   Royal Mail International Signed For
2+                  43.00                   Parcelforce International

REST OF WORLD:

weight range, kg    shipping charge, GBP    shipping method
0-1                 8.00                    Royal Mail Airmail
1-2                 18.00                   Royal Mail International Signed For
2+                  55.00                   Parcelforce International

4.7.1 Step 2. Creating shipping methods

Create manually defined shipping methods you are going to use. The ones we need are as follows:

National

1. Royal Mail 1st Class

2. City Link

International

3. Royal Mail Airmail

4. Royal Mail International Signed For

5. Parcelforce International

So there should be 5 manually defined shipping methods set in the 'Shipping Methods' section of the cart's Admin area.

4.7.2 Step 3. Defining destination zones

Now it's necessary to define the destination zones you are going to use. This can be done in the 'Settings' -> 'Destination zones' section. The zones
should be as follows:

1. UK

2. EU (European Union)

3. USA / CANADA / FAR EAST & AUSTRALIA

4. REST OF WORLD

Note: Do not use one and the same country in 2 different destination zones. This will cause the rates to get mixed up.

4.7.3 Step 4. Setting up shipping rates

Once the shipping methods and destination zones have been defined, you can set up shipping rates using the 'Shipping charges' section. For more
information, refer to the #Shipping Charges section of this manual.

You should get the following rules (sample for UK):

1. Royal Mail 1st Class/UK

2. City Link/UK

The rates for all other zones should be configured likewise. Please note that when you use one shipping method for one destination zone, you should
define all rates for this method within one rule.

Once all shipping charges are defined, you should enable shipping for all the products in the cart. To do so check the 'General Settings' -> 'Shipping
options' configuration and choose the options you like.

4.8 Troubleshooting

4.8.1 "There are no shipping methods for your location" error

There are 2 major groups of shipping methods that you can use in your store:

1. Shipping methods with manually defined rates


2. Shipping methods the rates for which are defined via real-time calculation services - real-time shipping methods

The first group includes all methods for which rates can be set up through 'Shipping charges' in the provider zone (the methods added by you + the
methods which are listed in the 'Real-time calculated shipping methods' subsection of the 'Edit shipping methods' form but do not get rates from
real-time calculation services).

The second group includes methods the rates for which are delivered by InterShipper or special integrated modules from real-time shipping services like
UPS, USPS, FedEx, Airborne, etc.

If you are using methods of the first group, the problem is probably caused by the fact that no shipping rates were specified. Use the 'Shipping
charges' section of the provider interface to set up the rates you need.

If you are using methods of the second group, getting the 'no shipping methods' error means the settings of your real-time shipping methods are
incorrect.

4.9 FAQ

4.9.1 How to set up: $4.95 flat rate shipping fee for all orders?

You should define your shipping charges as follows:

1) Create a new shipping method with manually defined rates, set 'Destination' = 'National'.

2) Set up Flat Charge rate of $4.95 for the new shipping method and 'Zone Default'.

3) If you need the same flat rate to apply to all international orders, repeat step 1 ('Destination' = 'International') and step 2 accordingly.

4.9.2 How to set up: shipping cost of $2.49 for one item, and then +$1.99 for any additional item?

You should define your shipping charges as follows:

Flat charge: 0.50 (calculated as $2.49 - $1.99)

Per item charge: 1.99

Note: Both the charges should be specified for the same shipping rule.
In this case the shipping cost will be calculated as follows:

1 item: 0.5 + (1.99 * 1) = 2.49

2 items: 0.5 + (1.99 * 2) = 4.48

3 items: 0.5 + (1.99 * 3) = 6.47

And so on.

4.9.3 How to set up: zero shipping rate for orders above $250, and $6.50 flat rate for all other orders?

You should define your shipping charges as follows:

1st shipping rule:

Order subtotal range: 0 - 250.00

Flat charge: 6.50

2nd shipping rule:

Order subtotal range: 250.01 - 999999.99

All 'charge' fields: 0.00

4.9.4 How to set up: shipping cost of $3.00 for 1-4 items, and then +$1.10 for any additional item? All the items in the
store have the same weight (1.00 lbs)

You should define your shipping charges as follows:

1st shipping rule:

Weight range: 1.00-4.00

Flat charge: 3.00

2nd shipping rule:

Weight range: 4.01-999999.99

Flat charge: 3.00

Per item charge: 1.10

4.9.5 How to set up: shipping charge of 20% of total price, but not over $600?

You should define your shipping charges as follows:

1st shipping rule:

Order subtotal range: 0 - 3000.00

Percent charge (%): 20.00

2nd shipping rule:

Order subtotal range: 3000.01 - 999999.99

Flat charge: 600.00
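The rule sets from FAQ 4.9.2, 4.9.3 and 4.9.5 can be checked before they are typed into the Admin area. The following is an added example, not X-Cart code: it assumes that the charge fields of the matching rule are summed and that an order falling into no rule's range gets no rate at all; the field names and the deliberately broken rule set are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
MAX_SUBTOTAL = Decimal("999999.99")  # upper bound used in the manual's rules


@dataclass(frozen=True)
class ShippingRule:
    """One shipping rule; field names are illustrative, not X-Cart's schema."""
    subtotal_min: Decimal = Decimal("0")
    subtotal_max: Decimal = MAX_SUBTOTAL
    flat: Decimal = Decimal("0")
    per_item: Decimal = Decimal("0")
    percent: Decimal = Decimal("0")

    def charge(self, subtotal, items):
        # Assumed combination: all charge fields of the matching rule add up.
        total = self.flat + self.per_item * items + subtotal * self.percent / 100
        return total.quantize(CENT, rounding=ROUND_HALF_UP)


def rule(lo="0", hi=MAX_SUBTOTAL, flat="0", per_item="0", percent="0"):
    """Build a rule from strings so that no binary float enters the maths."""
    return ShippingRule(*(Decimal(str(v)) for v in (lo, hi, flat, per_item, percent)))


def quote(rules, subtotal, items=1):
    """Charge from the first rule whose range holds the subtotal, else None."""
    subtotal = Decimal(str(subtotal)).quantize(CENT, rounding=ROUND_HALF_UP)
    for r in rules:
        if r.subtotal_min <= subtotal <= r.subtotal_max:
            return r.charge(subtotal, items)
    return None  # no rate defined for this order


def find_gaps(rules):
    """Subtotal ranges (inclusive, to the cent) that no rule covers."""
    gaps, cursor = [], Decimal("0")
    for r in sorted(rules, key=lambda r: r.subtotal_min):
        if r.subtotal_min > cursor:
            gaps.append((cursor, r.subtotal_min - CENT))
        cursor = max(cursor, r.subtotal_max + CENT)
    return gaps


# FAQ 4.9.2: $2.49 for one item, +$1.99 for each additional item.
PER_ITEM = [rule(flat="0.50", per_item="1.99")]
# FAQ 4.9.3: free shipping above $250, $6.50 otherwise.
FREE_OVER_250 = [rule("0", "250.00", flat="6.50"), rule("250.01")]
# FAQ 4.9.5: 20% of the subtotal, capped at $600.
CAPPED_PERCENT = [rule("0", "3000.00", percent="20.00"),
                  rule("3000.01", flat="600.00")]
# Constructed mistake: the second range starts at 251.00 instead of 250.01.
BROKEN = [rule("0", "250.00", flat="6.50"), rule("251.00")]

if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, "item(s):", quote(PER_ITEM, "10.00", n))
    print("subtotal 250.01:", quote(FREE_OVER_250, "250.01"))
    print("subtotal 5000.00:", quote(CAPPED_PERCENT, "5000.00"))
    print("uncovered ranges:", find_gaps(BROKEN))
```

Running find_gaps over a rule set before saving it catches boundary mistakes such as 250.00 / 251.00, which would leave some order subtotals without any rate.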

5 X-Cart:Real-time Shipping Calculators
Some carrier companies (like UPS, USPS, FedEx, DHL/Airborne, Canada Post and Australia Post) provide real-time shipping rates that allow users to
estimate the cost of shipping by methods provided by these companies. Your X-Cart based store has shipping modules that enable it to obtain shipping
rates from the real-time shipping calculators of such companies and provide your customers with an estimation of shipping cost for orders before they
are placed. Integrated shipping modules are provided for UPS, USPS, FedEx, DHL/Airborne, Canada Post and Australia Post. There is also a module
allowing your store to obtain shipping rates for UPS, USPS, FedEx, DHL/Airborne through InterShipper rate service.

Important: Please be aware that to be able to use shipping modules for obtaining real-time shipping rates, your X-Cart based store will need to meet
certain system requirements (See the section Server Requirements in this manual).
To use X-Cart's shipping modules for obtaining real-time shipping rates, you will need an account with each company that you will use to ship products
to your customers (except for Australia Post - for which no account is needed) or an account with InterShipper.

Note. The real-time calculated rate quote is only an estimation and may be different from the actual charges for your shipment.
Here you can find the instructions for enabling your store to use real-time shipping cost calculators provided by:

InterShipper,

USPS,

FedEx,

DHL/Airborne,

Canada Post and

Australia Post.

For information on setting up your store to use UPS real-time shipping calculator, see UPS Developer Kit

5.1 Video tutorial

6 X-Cart:Tax Settings

6.1 Tax settings in X-Cart


X-Cart provides you with the AvaTax module for a reliable, fast and affordable sales tax automation service by Avalara. There's also a flexible tool for manually
defining the taxes to be used in your store. Simple settings allow you to define virtually any tax and tax rate. For each tax you can define how it needs to
be calculated, to what products it needs to be applied, how information about it needs to be displayed to customers, etc. You can make taxes dependent
on the customer's location (billing or shipping address) and on the customer's membership. Customers coming from a certain location and having a
certain membership will see just the tax rates for their destination zone and membership level, while the other tax rates will be hidden. X-Cart also allows
you to have non-taxable products at your store.

6.2 Roles in tax settings management


If you are an X-Cart GOLD/GOLD PLUS administrator/provider:

You can define taxes (See the chapter Taxes).
You can define taxes options (See the chapter Taxes Options).
You can define tax rates (See the chapter Tax Rates).
You can apply taxes to products (See the chapter Applying Taxes to Products).

If you are an X-Cart PLATINUM/PRO administrator:

You can define taxes (See the chapter Taxes).
You can define taxes options (See the chapter Taxes Options).
You can apply taxes to products (See the chapter Applying Taxes to Products).

If you are an X-Cart PLATINUM/PRO provider:

You can define tax rates for your products (See the chapter Tax Rates).
You can apply taxes to your products (See the chapter Applying Taxes to Products).

6.3 Video tutorial

6.4 Taxes

6.4.1 Adding taxes

To add a tax:

1. Go to the 'Taxes' section of your store's Admin area. In X-Cart versions 4.4.0 and later, this section can be found at Shipping and Taxes menu -> Tax
system (X-Cart Gold) or Shipping and Taxes menu -> Taxes (X-Cart Pro); in X-Cart versions 4.3.0-4.3.2, this section can be found at Settings menu ->
Tax system; in earlier versions, this section can be found at Management menu -> Tax system.
A dialog box titled 'Taxes' opens:

Before you have created any taxes, the dialog box is empty.

2. In the 'Taxes' dialog box, click the Add new... button. A dialog box 'Tax details' opens.

3. Define the details of the desired tax by completing the fields of the 'Tax details' dialog box (The fields marked by a red asterisk sign are mandatory):

Tax service name: Unique name by which X-Cart application will identify this tax. A tax service name may include letters (A-Z, a-z) and digits
(0-9), may not exceed 10 characters in length and must begin with a letter. This value will not appear anywhere in your store's Customer area.
Tax display name: Name of the tax as it will appear to customers. If necessary, you can define a different tax display name for each of the
languages used in your store. To add a tax display name in another language, select the necessary language from the Current language
selector at the top of the page, enter the tax display name in this language into the appropriate field and click the Save button.
Tax registration number: Tax registration number (required for certain types of taxes; appears on the invoice)
Tax priority: Number defining the order in which the tax needs to be applied (relative to the other taxes).
Status: Tax status (Enabled or Disabled).
Apply tax to: Tax base. Use the #Tax Formula Editor to create the formula according to which this tax needs to be applied.
Rates depend on: Select if the tax rate should be calculated for Shipping Address or Billing Address.
Included into the product price: This option defines whether the prices of products to which this tax applies are stored in the database with this
tax included or excluded. If you want the product prices to be inclusive of this tax, select this check box. If you leave this check box
unselected, the prices will be tax-exclusive.

Important: The option 'Included into the product price' should only be enabled for taxes whose rate is not supposed to change depending on the
customer's address. If your store has products to which more than one tax should be applied, you need to make sure that the option 'Included into the
product price' is enabled for no more than one of the taxes applied to any such product.

Display product price including tax: This option defines whether the prices of products to which this tax applies are displayed to customers
with this tax included or excluded. If you want the product prices to be displayed as inclusive of this tax, select this check box. If you leave this
check box unselected, the prices will appear tax-exclusive.
Also display (on the products list, product details and cart pages): This option is used in conjunction with the option 'Display product price
including tax' and defines what needs to be displayed on the named pages of your store besides the price with the included tax (Nothing, Rate
value, Calculated tax cost, Rate value and tax cost).

4. Click the Save button. The tax will be created and added to the list of your store's taxes. To view the list of your store's taxes, you can click the Taxes
list link at the top right-hand corner of the 'Tax details' dialog box.

Now that the tax has been created, it is possible to add tax rates for it. See the chapter #Tax Rates.

After the necessary taxes have been defined, be sure to set the options affecting how all taxes in your store are applied and displayed. See the chapter
#Taxes Options.

Also, please be aware that, before the taxes you have created become functional, they will need to be applied to products. See the chapter #Applying
Taxes to Products.

6.4.2 Managing Taxes

The 'Taxes' dialog box in the 'Taxes' section of your store's Admin area shows all the taxes defined in your store. When you have some taxes defined, it
looks similar to this:

The table columns provide the following information about each tax:

TAX - Service tax name.
APPLY TAX TO - Tax base as defined in the 'Apply tax to' field of the 'Tax details'.
PRIORITY - Order in which the tax needs to be applied (relative to the other taxes).
STATUS - Enabled or disabled.

To edit the details of a tax:

1. Click on the name link of the tax that needs to be edited. The 'Tax details' dialog box displaying the details of the selected tax opens.
2. Edit the tax details.
3. Click the Save button at the bottom of the 'Tax details' dialog box to save the changes.

To change the order in which your taxes should be applied:

1. Change the order numbers in the PRIORITY column (The tax with the highest priority needs to have the smallest order number, the tax with
the lowest priority - the greatest order number).
2. Click the Update button.

To temporarily disable a tax or to re-enable a disabled tax:

1. Select the appropriate status from the STATUS drop-down box opposite the name of the tax.
2. Click the Update button.

To delete a tax:

1. Select the check box next to the name of the tax that needs to be deleted. (You can use the Check all / Uncheck all links to select or unselect
all the taxes on the page.)
2. Click the Delete selected button.

6.5 Tax Rates

6.5.1 Adding tax rates

After the necessary taxes have been defined, you need to define tax rates for each tax.

Important: Before you begin defining tax rates for a certain tax, make sure that all the X-Cart:User Memberships to which the tax needs to be applied are
defined.
To define a tax rate:

If you are an X-Cart GOLD administrator/provider:

1. Go to the 'Taxes' section of your store's Admin area. In X-Cart versions 4.4.0 and later, this section can be found at Shipping and Taxes menu -> Tax
system; in X-Cart versions 4.3.0-4.3.2, this section can be found at Settings menu -> Tax system; in earlier versions, this section can be found at
Management menu -> Tax system.

2. In the dialog box titled 'Taxes', find the tax for which you would like to add rates and click on its name. The 'Tax details' section of your store opens.
Scroll down through the 'Tax details' dialog box. You should see a dialog box titled '<Tax name>: Tax rates' (where '<Tax name>' is the name of the tax
whose details are being displayed).

If you are an X-Cart PRO provider:

1. Go to the 'Tax rates' section (In X-Cart versions 4.4.0 and later, this section can be found at Shipping and Taxes menu -> Tax rates; in earlier X-Cart
versions, this section can be found at Inventory menu -> Tax rates). You should see a dialog box 'Taxes' displaying the names of all taxes defined for
your store by the store administrator (The expression 'N rates defined' displayed in brackets next to each of the tax names shows the number of tax
rates defined by you for these taxes. Before you have defined any rates, this number is 0 (zero)).

2. In the 'Taxes' dialog box, find the tax for which you would like to add rates and click on its name. The 'Tax details' section of your store opens. On the
page, you should see a box titled 'Tax details' displaying the details of the selected tax as defined by the store administrator:

Note: To return to the list of your store's taxes, you can click the Taxes list link at the top right-hand corner of the 'Tax details' box.
Below the 'Tax details' box, you should see a dialog box titled '<Tax name>: Tax rates' (where '<Tax name>' is the name of the tax whose details are
being displayed).

3. Turn to the '<Tax name>: Tax rates' dialog box:

4. Define the details of the tax rate by completing the fields of the 'Add tax rate' subsection of the '<Tax name>: Tax rates' dialog box:

Rate value: Tax rate value (Use the drop-down box next to the 'Rate value' field to define whether the tax rate should be an absolute or
percentage value).

Notes:

1. Please keep in mind that if you define an absolute tax value - for example, $3 - that value can happen to be greater than a product price. This may
result in obtaining negative product prices. In this case, customers will be able to see the products but not allowed to buy or even add them to the cart,
getting an error message stating that the product has not been configured properly. The customer will be asked to contact the store administrator with a
buying request.

2. Taxes can be charged separately or included in the product price. When a tax is charged separately, it applies to the product net price. When a tax is
included in the product price, it applies to the gross price.

Zone: Destination zone to which the rate needs to be applied.
Membership: Membership level to which the rate needs to be applied.
Apply tax to: Tax base. This field needs to be completed in the '<Tax name>: Tax rates' dialog box only if the tax base for the different
destination zones and membership levels to which the tax will be applied needs to be different from the value defined by the store
administrator in the 'Apply tax to' field of the 'Tax details' dialog box.

To complete the field, use the #Tax Formula Editor.

5. Click the Add button to save the changes. The new rate will be created and added to the list of tax rates for the tax.

After you have added the necessary tax rates for a tax, be sure to apply the tax to all the products to which it needs to be applied.

6.5.2 Managing tax rates

Tax rates can be managed from the '<Tax name>: Tax rates' dialog box. X-Cart allows you to view, edit and delete tax rates.

To change the value of a tax rate:

1. In the 'Taxes' dialog box, find the tax rate that you would like to change and click on its name. The 'Tax details' section opens.
2. In the '<Tax name>: Tax rates' dialog box, find the rate that you wish to change.
3. Change the value of the 'Rate value' field specifying whether the value is absolute or percentage.
4. Click the Update button.

To edit the details of a tax rate:

1. In the 'Taxes' dialog box, find the tax rate that you would like to change and click on its name. The 'Tax details' section opens.
2. In the '<Tax name>: Tax rates' dialog box, find the rate whose details you wish to edit.
3. Click either on the membership link (MEMBERSHIP column) or on the tax formula link (APPLY TAX TO column) corresponding to this rate.
The rate details appear in the 'Edit tax rate' subsection of the '<Tax name>: Tax rates' dialog box.
4. Change the necessary tax rate details (rate value, destination zone, membership level, tax base formula).
5. Click the Update button.

To delete a tax rate:

1. In the 'Taxes' dialog box, click on the name of the tax whose rate you wish to delete. The 'Tax details' section opens.
2. In the '<Tax name>: Tax rates' dialog box, find the rate you wish to delete.
3. Select the check box next to this rate. You can use the Check all / Uncheck all links to select or unselect all the rates displayed on the page.
4. Click the Delete selected button.

6.6 Tax Formula Editor


The 'Apply tax to' subsection of the 'Tax details' and '<Tax name>: Tax details' dialog boxes allows you to create and edit a formula defining what the tax
being edited needs to be applied to.

The field at the top of the editor is intended for your tax base formula. The formula field is not manually editable - to enter your formula into this field, you
will need to provide components for the formula using the fields and buttons below. Your formula will be assembled from the components you provide.

It is possible to provide the following components:

mathematical signs (plus, minus, multiplication, division);
variables symbolically representing objects that need to be taxed or should be used for calculating the tax (subtotal amount, discounted
subtotal amount, shipping cost, amount levied in the form of some other tax defined in your store and applied to the purchase);
numbers.

Mathematical signs are used to indicate the operations that need to be performed on the other components of the formula. They can be added to the
formula by clicking the appropriate buttons: [ + ] for addition, [ - ] for subtraction, [ * ] for multiplication, and [ / ] for division.

Variables can be selected from the drop-down box below the row of buttons with mathematical signs. In the list of variables that can be selected, ST
stands for 'Subtotal amount', DST - for 'Discounted subtotal amount', SH - for 'Shipping cost'. Taxes are labeled by their own names. To add a variable,
select it from the drop-down box and click the Add button next to it.

Numbers can be added using the input field located below the drop-down box with the list of available variables. To add a number, simply type it into the
input field and click the Add button on the right-hand side of the field.

For example, if you want your tax to be applied to the sum of discounted order subtotal and shipping cost:

1. Select DST from the drop-down box, click the Add button.
2. Click on [ + ].
3. Select SH from the drop-down box, click the Add button.

You can cancel the latest action using the Undo button, re-apply the change after the cancellation by clicking on Redo, and clear the formula field by
clicking the Clear button.

6.7 Tax Options


After you have created at least one tax, a dialog box titled 'Taxes options' appears below the 'Taxes' dialog box in the 'Taxes' section. This dialog box
provides some options allowing you to choose how you want your taxes to be applied and displayed. The options in this dialog box affect all the taxes in
your store in general.

The following options are provided:

Display cart/order totals including tax: This option defines whether tax cost is displayed included in the order totals or not. When this option is
disabled, the order totals on the 'Payment details' page of checkout are displayed like this:

When this option is enabled, the order totals are displayed like this:

Note: please keep in mind that if you select to display order totals including tax, all the discount coupon sums will also be counted as including tax.

Display a tax rate for each product in cart/order: This option defines whether tax rates are displayed for each product being ordered. When
this option is enabled, the information about the products being ordered is displayed like this:

When this option is disabled, the column with tax rates for each product is not displayed.

Enable tax exemption for customers: This option defines whether the tax exemption feature for customers is enabled at your store or not. When
this option is enabled, a check box 'Tax exemption' is added to the 'Profile details' page for customers.

Note: You can use this check box to specify whether the customer should be taxed or not (A selected check box corresponds to 'This customer should
not be taxed', an unselected check box - to 'This customer should be taxed').

When this option is disabled, the 'Tax exemption' check box does not appear.

Allow customers to modify their tax number after tax exemption is enabled: This option defines whether customers can modify their tax
number after tax exemption has been enabled in their profile. You may want to keep this option disabled to prevent customers from changing
their tax numbers without your knowing.

Note: This option works only if the field 'Tax number' is enabled for customer user profiles via General settings->User Profiles options and the option
'Enable tax exemption for customers' is enabled.
To adjust the options:

1. Select the check boxes for the options that need to be enabled. Unselect the check boxes for the options that need to be disabled.
2. Click the Update button to apply the changes.

6.8 Applying Taxes to Products


After the necessary taxes have been configured, they need to be applied to products. This step is very important, because taxes will not work until you
tell X-Cart which products you wish them applied to.

The 'Product details' dialog box (the one you will use to add/modify products - see the section X-Cart:Adding Products further in this manual for details)
contains a field 'Apply tax'. This field is a selectbox providing names of all taxes defined in the store. When creating a new product, you will use the
'Apply tax' field to apply taxes to your products.

To apply one or more taxes to a product:

1. Find the product to which you would like to apply taxes and open it for modification. A dialog box titled 'Product details' opens.
2. In the 'Apply tax' field of the 'Product details' dialog box, highlight the name of the tax that needs to be applied to the product. If you need to
highlight more than one tax, hold down the CTRL key while selecting the desired names of taxes with your mouse.
3. Click the Save button to apply the changes.

If the same tax or set of taxes need to be applied to more than one product, you can apply them simultaneously to multiple products by editing them in
batch. Instructions for mass-editing of products are provided in the section Group product editing.

Non-taxable products

If your store is going to sell non-taxable products, you will need to adjust their details in such a way that no taxes will be applied.

For non-taxable products, the tax settings in the 'Product details' need to be adjusted like this:

1. Select Yes from the 'Tax exempt' drop-down box.


2. Select nothing from the 'Apply tax' field.
3. Click the Save button to apply the changes.

6.9 Examples of Configuring Taxes


Example 1.

Suppose your store is located in Texas, United States, and you need to impose an 8.25% sales tax on all orders delivered within Texas (The sales tax is
not charged on deliveries made outside Texas). The tax needs to be calculated based on the discounted subtotal amount of orders before any shipping
charges are applied.

To configure this tax, follow these steps:

1. Set up a destination zone for Texas (for example, name this zone "Texas"):

Countries: United States


States: United States: Texas
Counties: --
Cities: --
Zip/Postal codes: --
Addresses: --
2. Go to the 'Taxes' section of your store's Admin area and add a new tax:

1. Call it your state name or whatever you want (for example, "Texas" for the tax service name and "Texas sales tax" for the tax
display name).
2. Apply it to DST.
3. Set rates to depend on Shipping address (not Billing, as you only need to tax orders going to Texas addresses; customers buying
products to send out of state as a gift should not be charged sales tax).
4. Click the Save button.

3. Set up the tax rate:

1. Set the rate value to 8.25%.


2. Apply it to the zone "Texas".
3. Set the membership level to All.
4. Click the Add button.

4. If you haven't yet done so, adjust 'Taxes options' for your store as needed.

5. Apply the tax to all the products to which it needs to be applied by highlighting the tax name on the 'Product details' page. Make sure that the 'Tax
exempt' drop-down box for these products is set to No.

Please note that if the cost of shipping for different locations in Texas is not the same, you will have to define several destination zones for Texas (a
separate zone for each Texas location with a different shipping rate) and to apply the tax rate of 8.25% to each of these zones. Technically, this means
that you will have more than one rate defined for Texas sales tax, and each of these tax rates will have the value of 8.25% and will be applied to a
certain destination zone in Texas.

Example 2.

Suppose your store sells products to your own state and to two neighboring states. You have two categories of customers, retail and wholesale.
Wholesale customers correspond to the membership level "Wholesale", retail customers are just ordinary customers (registered or anonymous) without
a membership level. For example, you need to impose a sales tax on products purchased by retail customers and shipped within your own state. Any
customers who order products to be shipped out of state and wholesale customers in-state do not pay sales tax.

In this situation, the sales tax can be set up as follows:

1. Set up a destination zone for your own state (for example, "Zone 1").
2. Add a tax and name it your state's sales tax.
3. Define two tax rates for this tax:

Set the first tax rate equal to the sales tax amount that needs to be applied to in-state retail purchases. Apply this rate to Zone 1 and
All membership levels.
Set the second tax rate to 0%. Apply this rate to Zone 1 and to the Wholesale membership level.

This way everyone in Zone 1 except Wholesale users will pay the sales tax. Wholesale users will see a "0%" tax line appear on their checkout page.

Please note that if the cost of shipping for different locations within your state is not the same, you will have to define several destination zones for your
state (a separate zone for each location with a different shipping rate) and to apply the sales tax rate to each of these zones.
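Examples 1 and 2 combine two mechanisms: the tax base formula built in the Tax Formula Editor and the choice of a rate by destination zone and membership. The following is an added sketch, not X-Cart code: it assumes the usual precedence of * and / over + and -, assumes that a rate defined for the customer's own membership level wins over the 'All' rate (as Example 2 implies), and uses a constructed order and a constructed 6% in-state rate.

```python
import re
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Optional

CENT = Decimal("0.01")
# Numbers, names (a letter, then letters or digits, as for tax service names), signs.
TOKEN = re.compile(r"\s*(?:(\d+(?:\.\d+)?)|([A-Za-z][A-Za-z0-9]*)|([-+*/]))")


def tokenize(formula):
    """Split a formula into ('num'|'var'|'op', text) pairs; reject anything else."""
    formula, pos, tokens = formula.strip(), 0, []
    while pos < len(formula):
        m = TOKEN.match(formula, pos)
        if m is None:
            raise ValueError(f"unexpected character at position {pos}")
        num, var, op = m.groups()
        tokens.append(("num", num) if num else ("var", var) if var else ("op", op))
        pos = m.end()
    return tokens


def tax_base(formula, values):
    """Evaluate the formula without eval(); * and / bind tighter than + and -."""
    tokens = tokenize(formula)
    kinds = [kind for kind, _ in tokens]
    if len(tokens) % 2 == 0 or "op" in kinds[0::2] or set(kinds[1::2]) - {"op"}:
        raise ValueError("formula must alternate operands and signs")

    def operand(kind, text):
        if kind == "num":
            return Decimal(text)
        if text not in values:
            raise ValueError(f"unknown variable {text!r}")
        return Decimal(str(values[text]))

    operands = [operand(*t) for t in tokens[0::2]]
    total, term, pending = Decimal("0"), operands[0], "+"
    for (_, sign), value in zip(tokens[1::2], operands[1:]):
        if sign == "*":
            term *= value
        elif sign == "/":
            term /= value
        else:  # + or -: close the current product and start a new one
            total += term if pending == "+" else -term
            term, pending = value, sign
    return total + (term if pending == "+" else -term)


@dataclass(frozen=True)
class TaxRate:
    zone: str
    membership: str        # "All" or one membership level
    value: Decimal
    percent: bool = True   # False means an absolute amount


def pick_rate(rates, zone, membership=None) -> Optional[TaxRate]:
    """Rate for this zone; the customer's own membership level beats 'All'."""
    matches = [r for r in rates
               if r.zone == zone and r.membership in (membership, "All")]
    matches.sort(key=lambda r: r.membership == "All")
    return matches[0] if matches else None


def tax_due(rates, zone, membership, formula, values):
    """Tax for one order, or 0.00 when no rate is defined for the zone."""
    rate = pick_rate(rates, zone, membership)
    if rate is None:
        return Decimal("0.00")
    amount = tax_base(formula, values) * rate.value / 100 if rate.percent else rate.value
    return amount.quantize(CENT, rounding=ROUND_HALF_UP)


ORDER = {"ST": "120.00", "DST": "100.00", "SH": "12.00"}   # constructed order
TEXAS = [TaxRate("Texas", "All", Decimal("8.25"))]          # Example 1
STATE = [TaxRate("Zone 1", "All", Decimal("6.00")),         # Example 2, 6% constructed
         TaxRate("Zone 1", "Wholesale", Decimal("0"))]

if __name__ == "__main__":
    print("Texas, DST:", tax_due(TEXAS, "Texas", None, "DST", ORDER))
    print("Texas, DST + SH:", tax_due(TEXAS, "Texas", None, "DST + SH", ORDER))
    print("Zone 1 retail:", tax_due(STATE, "Zone 1", None, "DST", ORDER))
    print("Zone 1 wholesale:", tax_due(STATE, "Zone 1", "Wholesale", "DST", ORDER))
```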

6.10 FAQ

6.10.1 How to set up % tax for a US state?

Example: 5% tax for California. Tax will be applied to subtotal (you can change this). Tax depends on shipping address of the customer.

Steps:

1. Add destination zone "California":
   Log in to the admin area.
   Click on "Destination zones".
   Click "Add new ...".
   Enter zone name "California".
   Click update.
   Scroll down to section States.
   Click on "United States: California".
   Scroll down.
   Click "Save zone details".
2. Create tax:
   Click "Taxing system".
   Tick "Display cart/order totals including tax", "Display a tax rate for each product in cart/order".
   Click "Add new".
   Set "Tax service name" to CA.
   Set "Tax display name" to "California Tax".
   Create tax formula (we will apply the tax to subtotal - clear sum of the product prices).
   Near "Apply tax to:" select "ST" from the first drop down box, press Add.
   If you want to apply the tax to discounted subtotal plus shipping cost, clear the formula (button clear) and select DST, press add,
   click on "plus" sign, select SH from the drop down box and press Add.
   Select "Rates depend on". We will choose shipping address.
   Tick "Display product price including tax".
   From "Also display " drop down box select "Rate value and tax cost".
   Click "Save".
3. You have created the tax. Now you need to create a tax rate rule.
   Scroll down to "CA: Tax rates" section.
   Find "Add tax rate".
   Set rate to "5".
   Set "Zone" to "California".
   Set Membership to "All".
   Create tax rate rule once again.
   Select "Subtotal", press Add.
   Click "add" at the bottom of the page.
   Tax and tax rate value have been set. Now you should modify your products and set the list of taxes applied to product cost.
   Without this information X-Cart does not know whether it should apply the tax to product or not.
   Note: in X-Cart Pro tax rates are defined by Providers. So you should be logged in as a Provider to create tax rates ('Inventory'
   menu -> "Tax rates" section).
4. To assign the tax to all products in the cart you should do the following:
   Click on "Modify product".
   Tick "Search-and-modify:".
   Select empty value for "Search in category".
   Tick as "Main category", tick "Additional category".
   "Search for pattern" -> empty value and clear any other search criteria.
   Click "Search".
   Scroll the search results page and tick a checkbox near "Apply taxes".
   (!) Press Control button on your keyboard and mark (select) all the taxes mentioned in the select box.
   Click Save. Modification to the list of Applied taxes will propagate to all your products.

6.10.2 Why tax rate is not applied to products in catalog?

The tax is probably not assigned to the necessary products. If you want to apply the tax to only certain products, go to the product details page and choose
the tax in the 'Apply tax' box.

To assign a tax to all products, you should do the following:

1. Click on "Modify product"
2. Tick "Search-and-modify:"
3. Select empty value for "Search in category"
4. Tick as "Main category", tick "Additional category".
5. "Search for pattern" -> empty value and clear any other search criteria.
6. Click "Search"
7. Scroll the search results page and tick a checkbox near "Apply taxes".
8. (!) Press Control button on your keyboard and mark (select) all the taxes mentioned in the select box.
9. Click Save. Modification to the list of Applied taxes will propagate to all your products.

6.11 Troubleshooting

6.11.1 Tax rounding on shipping charges

Problem:

I want to display delivery charges inclusive of tax, but want the tax to be noted on the invoice. This means that the value I must enter into the shipping
charges screen needs to exclude VAT. However, the shipping charge fields will not accept fractions of a penny, which is what I have to do to get the
charge to appear correctly.

Example:

Standard shipping is 4.95 (inc tax); Tax is 20%.

Therefore the value I need to enter into the flat charge field is 4.125.

How do I solve the problem?

Solution: Apply the patches which allow your X-Cart store to accept 3 decimal places for shipping charges.

7 X-Cart:Payment Settings
1. REDIRECT X-Cart:Payment Methods

8 X-Cart:Modules and Add-ons

8.1 Modules
X-Cart is a highly scalable system. Besides the relatively stable core unit providing basic e-commerce functionality, this system includes a number of
components which can be turned on or off depending on the scope of additional functions needed. These controllable components which can be turned
on and off directly after X-Cart is installed are traditionally referred to as modules. Being part of X-Cart distribution package, modules do not require a
separate installation procedure. They get installed along with the basic store and all you need to do to start using them is to make sure they are enabled
and, if necessary, to configure their settings.

A full list of installed modules is available in the 'Modules' section of the store's Admin area (Administration menu->Modules). Modules that are enabled
have checkmarks in the boxes next to them.

8.1.1 Enabling modules

To enable a module:

1. Find the module name in the list of installed modules in the 'Modules' section.
2. Select the check box next to this name.
3. Click the Update button at the bottom of the section to save the changes.

8.1.2 Configuring modules

Most modules need to be configured before you can use them. You will know a module requires configuration if a Configure link appears next to its
name after the module is enabled.

To configure a module:

1. Make sure the module is enabled.
2. Follow the Configure link provided next to the module name in the 'Modules' section

or

Click General settings in the Settings menu and go to the appropriate subsection of the 'General settings/Modules options' section.

3. Follow the configuration instructions provided in the module's description in this manual (check out the section Modules).

8.1.3 Disabling modules

Modules which you do not need can be disabled so their elements will not appear in the store interface.

To disable a module:

1. Find the module name in the list of installed modules in the 'Modules' section.
2. Unselect the check box next to this name.
3. Click the Update button at the bottom of the section to save the changes.

8.1.4 Integration with third party modules

In version 4.4.3, the module initialization routine has been changed and optimized. Unlike in versions 4.4.0-4.4.2, the initialization order now does
matter. Improperly initialized X-Cart 4.4.3 may even break some 3rd party modules. Here is a quick fix to the issue.

8.2 Add-ons
X-Cart 4.3 or earlier
In addition to the functionality delivered by X-Cart's internal modules, an extensive set of features which can be implemented in an X-Cart based store is
provided in the form of add-on modules (or, simply, add-ons). These are software components which can be purchased separately, installed in X-Cart
root and linked to the system.

8.2.1 Installing add-ons

The process of installation is similar for all X-Cart add-ons.

To install an add-on:

1. Download the add-on module distribution package from the 'Software distributives' section of your personal X-Cart File area (typically, a .TGZ
archive).
2. Uncompress the archive and copy the resulting files to the directory where your X-Cart based store is installed (X-Cart root).
3. Run the add-on module installation wizard: enter your store URL followed by the module installation script name in your web browser's
address line.
4. Follow the installation wizard instructions to complete the installation. After the installation is completed, the name of the installed add-on
module should be added to the list in the 'Modules' section of X-Cart's Admin area (Administration menu->Modules).

Detailed information on installing X-Cart add-ons is provided in the Modules section.

8.2.2 Enabling add-ons

Before you can start using an installed add-on, you need to enable it.

To enable an add-on:

1. Find the name of the add-on in the list of installed modules in the 'Modules' section.
2. Select the check box next to this name.
3. Click the Update button at the bottom of the section to save the changes.

8.2.3 Configuring add-ons

Most add-ons need to be configured before you can use them. You will know an add-on requires configuration if a Configure link appears next to its
name after the add-on is enabled.

To configure an add-on:

1. Make sure the add-on is enabled.
2. Follow the Configure link provided next to the add-on's name in the 'Modules' section

or

Click General settings in the Settings menu and go to the appropriate subsection of the 'General settings/Modules options' section.

3. Follow the configuration instructions provided in the user manual of the add-on.

8.2.4 Uninstalling add-ons

Add-ons which you do not need can be uninstalled.

To uninstall an add-on:

1. Run the add-on's installation wizard: enter your store URL followed by the module installation script name in your web browser's address line.
2. In the installation wizard, select the 'uninstall' option. The script should remove all add-on related data from the store database, as well as the
add-on's files from the /skin1 directory.

Please note that the add-on's files in the directory /skin1.original will not be removed. If you wish to remove them, you will have to do it manually.

9 X-Cart:PCI-DSS

X-Cart 4.0 or above


9.1 Contents
1 About PCI DSS
2 Configuring X-Cart to meet PCI DSS (cardholder data is not stored)
2.1 Disable collecting of credit card data at user registration
2.2 Disable storing credit card data in X-Cart database
2.3 Remove historical data
2.4 Disable Subscriptions module
2.5 Secure processing and transmission of cardholder data
3 Configuring X-Cart to meet PCI DSS with X-Payments application
3.1 Why use X-Payments
3.2 Understanding PA-DSS
3.3 Becoming compliant is easy
4 Passing network security scans
5 Submitting a self-assessment questionnaire
6 FAQs
6.1 Does PCI DSS allow using background payment methods with X-Cart?
6.2 Is it allowed to store cardholder data (credit card numbers, expiration info, etc.) in the X-Cart database?
7 See also

PCI compliance is increasingly important to all online store owners, and X-Cart can be implemented to meet this standard. Follow the steps below to
implement X-Cart in a PCI compliant manner.

9.2 About PCI DSS


PCI DSS stands for Payment Card Industry Data Security Standard, which is a worldwide information security standard assembled by the major credit
card vendors, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was
designed to help organizations involved in processing credit card payments online make their payment systems secure from cardholder data fraud.

PCI DSS specifies 12 requirements broken into 6 groups for compliance that apply both to hardware and software parts of the system that is used to
collect, store, transmit and process valuable credit card data as well as the human factor.

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

To get familiar with aspects of implementing PCI DSS please study the Braintree PCI DSS compliance Quick Guide.

9.3 Configuring X-Cart to meet PCI DSS (cardholder data is not stored)

9.3.1 Disable collecting of credit card data at user registration

If forced, X-Cart can collect customers' credit card details during registration. This is controlled via two check boxes in the section General Settings /
General Options of the Admin area:

Do not ask customers to enter CC information while getting registered: Defines if a customer will be asked to provide credit card details
during registration;
Display CVV2 input box on the registration form and at the last stage of checkout if Manual CC processing is used...: Defines if a
customer will be asked to provide CVV2 during registration.

Asking for credit card data during registration must be disabled as shown in the picture below.

9.3.2 Disable storing credit card data in X-Cart database

If forced, X-Cart can store valuable credit card data in an encrypted database. This is controlled via three variables in the main configuration file
<xcart_dir>/config.php. You must set the value of all three variables to false (which is the default setting), so that no credit card data is stored in
the X-Cart database.

# file <xcart_dir>/config.php

$store_cc = false;
$store_cvv2 = false;

Note: It is important to disable storing credit card data. X-Cart is not PA-DSS certified and cannot be configured to meet PCI DSS when credit card data
storing is enabled.
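
One way to check these settings on a deployed store, as an added example (not X-Cart's own code): the script reads the text of config.php and reports the last effective assignment of each variable. It checks the two variable names shown above; the sample config is constructed, and the function and constant names are this example's own.

```python
import re
import sys

# Variable names shown on this page; each must end up set to false.
REQUIRED_FALSE = ("store_cc", "store_cvv2")

# Matches "$name = value;" but not the comparison "$name == value".
ASSIGN = re.compile(r"\$(\w+)\s*=(?!=)\s*([^;]*);")


def strip_php_comments(src):
    """Drop /* ... */ blocks and #, // line comments.

    String literals are not parsed, so text after '#' or '//' inside a
    quoted string is dropped too; acceptable for this narrow check.
    """
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)(?:#|//).*$", "", src)


def audit_config(src, names=REQUIRED_FALSE):
    """Return {name: 'ok' | 'enabled: <value>' | 'missing'} for each name."""
    last = {}
    for var, value in ASSIGN.findall(strip_php_comments(src)):
        if var in names:
            last[var] = value.strip()  # a later assignment overrides an earlier one
    report = {}
    for name in names:
        if name not in last:
            report[name] = "missing"
        elif last[name].lower() == "false":
            # Only the bare literal passes: a quoted 'false' is a non-empty
            # string, which PHP evaluates as true.
            report[name] = "ok"
        else:
            report[name] = "enabled: " + last[name]
    return report


# Constructed sample, not taken from a real store.
SAMPLE = """<?php
# file <xcart_dir>/config.php
$store_cc = true;
/* $store_cvv2 = false; */
$store_cvv2 = TRUE;   // switched on by a customisation
$store_cc = False;
"""

if __name__ == "__main__":
    # Pass the path to config.php as the first argument; falls back to SAMPLE.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    result = audit_config(text)
    for name, status in result.items():
        print(f"${name}: {status}")
    sys.exit(0 if all(s == "ok" for s in result.values()) else 1)
```

The text above refers to three variables but shows two; pass the third name through `names` once you have confirmed it in your own config.php. A non-zero exit status makes the script usable in a scheduled job that alerts when a customisation or upgrade turns storage back on.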

9.3.3 Remove historical data

Removing historical data, such as card validation codes and other credit card information after the orders using it have been processed and completed,
is absolutely necessary for PCI DSS compliance. To remove this data, use X-Cart's Remove credit card information tool.

9.3.4 Disable Subscriptions module

When the built-in X-Cart module Subscriptions is enabled, X-Cart keeps credit card data stored in its database. Follow these steps to disable the
module:

1. Log in to the X-Cart Admin area.
2. Go to the section Modules (Administration menu -> Modules).
3. Deselect the check box for the entry Subscriptions.
4. Click the Update button at the bottom of the page to save the changes.

9.3.5 Secure processing and transmission of cardholder data

The easiest way to deal with PCI DSS compliance is to use web-based payment gateways, which eliminate the need for customers to enter credit card
details on your website and thus reduce the effort of meeting PCI DSS compliance requirements. X-Cart is secure and supports quite a number of such
"offsite" payment gateways, like PayPal Express Checkout, Google Checkout, Checkout by Amazon, WorldPay, 2Checkout, Authorize.net SIM and
many more.

If your store has a background payment method enabled, customers input their credit card data on the X-Cart side at the final step of checkout. It is
highly recommended to disable background payment methods using the Settings menu -> Payment methods section of the X-Cart admin back-end. In
this case you'll have to fill out the simplest of PCI Self-Assessment Questionnaires (SAQ A).

If you want credit card data to be entered on the X-Cart side, it is necessary to make sure that your store is implemented in a PCI compliant hosting
environment and your X-Cart is set up in a PCI compliant manner, i.e. you use PA-DSS certified software to process credit card payments. You'll have
to fill out PCI SAQ C in this case.

9.4 Configuring X-Cart to meet PCI DSS with X-Payments application


X-Cart 4.1.12 or above

9.4.1 Why use X-Payments

X-Payments is designed for merchants who accept credit card payments using background payment gateways. Being a PA-DSS certified solution,
X-Payments helps merchants to meet PCI standards. Connecting X-Payments to X-Cart saves merchants time and money when it comes to complying
with PCI DSS.

9.4.2 Understanding PA-DSS

If a software application stores, transmits or processes sensitive cardholder data the application must be PA-DSS compliant.

Requires all payment applications be certified by an approved Payment Application-Qualified Security Assessor (PA-QSA). PA-QSAs are
third-party security auditors, certified by the PCI Security Standards Council (PCI SSC) to verify that payment applications meet specified
security standards.
PA-DSS payment applications must be implemented in a PCI DSS compliant environment.

9.4.3 Becoming compliant is easy

Qualiteam has helped to make PCI compliance easier for merchants by separating the X-Payments application from the X-Cart platform. There are two
important benefits of this design:

Only the actual payment application has to be certified and compliant - rather than the entire platform
X-Cart can be upgraded and customized without affecting the overall PCI compliance provided by X-Payments

Examine the following pages on how to setup secure X-Cart with X-Payments in a PCI DSS manner:

X-Payments:Introduction
X-Cart:X-Payments Connector
X-Payments:PA-DSS implementation guide

To become compliant SAQ C must be completed.

9.5 Passing network security scans


Once the software is configured properly, you (or your service provider / web host) must locate an Approved Scanning Vendor (ASV), who will conduct
a network scan to ensure that the safety requirements highlighted above are actually functional and not just placeholders in the self-assessment
questionnaire required for Level 2, 3 and 4 merchants and service providers.

The purpose of the scan is to locate vulnerabilities in the system that can lead to data breaches, and to diagnose and recommend measures to fix these
problems. The ASV submits a report to the PCI highlighting the potential security holes and the level of vulnerability from 1 to 5 (here, Level 5 is
the highest point of vulnerability). For a Level 1 merchant, the PCI also mandates an on-site assessment, conducted by a Qualified
Security Assessor (QSA).

List of approved QSAs


List of approved ASVs

9.6 Submitting a self-assessment questionnaire


Finally, a self-assessment questionnaire in a prescribed format needs to be submitted to the acquiring bank. It acts as a checklist to ensure that the
12 requirements outlined above have been addressed and met. Consult the instructions on how to complete the SAQ.

9.7 FAQs

9.7.1 Does PCI DSS allow using background payment methods with X-Cart?

No, this is not allowed. Since X-Cart is not PA-DSS certified software, you should configure it to avoid transmitting credit card data from your store to
the payment gateway by:

disabling background payment methods in your store
or configuring X-Cart to meet PCI DSS with the X-Payments application (see section 9.4)

9.7.2 Is it allowed to store cardholder data (credit card numbers, expiration info, etc.) in the X-Cart database?

As per PCI DSS recommendations, you should avoid storing cardholder data electronically unless there is a legitimate business reason to do it;
moreover sensitive authentication data (for example CVC2/CVV2) MUST NOT be stored at all. When using X-Cart you should disable collecting and
storing of credit card data.

9.8 See also


X-Cart:Store Security
PCI FAQs
PCI Security Standards Council website
Braintree PCI DSS compliance Quick Guide

10 blog to your store

10.1 Why you need a blog


Current e-commerce industry involves not only selling goods, but also creating and maintaining communities around your store. This approach - when
your website provides not only an opportunity to your visitors to buy goods, but also includes sections, where they can learn more about your company,
communicate with other visitors, share their own ideas about the shop and so on - works much better than the traditional one - when your website is
merely a storefront, and nothing else, as it creates a group of people united around your store.

When there is a community, it is easier for the owner of the store to meet buyers' expectations, as the owner is aware of buyers' needs and wishes. On
the other hand, buyers know that sharing their opinion counts, because they know that the owner takes it into consideration. Finally, the bigger a
community is, the faster it grows; that means more customers in the future and, hence, the growth of your sales and profit.

Now, what can you do in order to create a community around your store? The simplest way is to start a blog. This might sound funny, but indeed it might
help you at the first steps.

You can write whatever you find interesting. It can be from occasional posts describing how your company looks inside, including photos, to regular
reports on your achievements, milestones and future plans. The more people know about you, the more they trust you.

This brings us to the idea of creating a blog. Surely, you can create it on blogger.com, www.livejournal.com or whatever else, but why not just build one
up right near your web-shop? Your personal blog near your storefront is a major advantage, as your customers do not leave your website to have a look
at your recent updates; plus, the design of the blog perfectly matches the design of your shop. Basically, your entire website should be that cozy place
where people sharing similar interests meet and communicate; and at the same time, they can buy products recommended by others with just a couple
of mouse clicks.

10.2 Major blog engines on the market


So, now we need to decide, which software to choose for running a blog. Frankly speaking, at this moment, there are three blog-script monsters out
there:

WordPress
Joomla!
Drupal

All of them are free and amazing, but it is necessary to understand the pros and cons of each of them. We are not going to give the full comparison of
these CMS here, only a few notes:

Note: You can easily find a detailed comparison on the web; for instance, at [1]
System: WordPress
+ Wonderfully easy to install and start blogging in a glance, even for a newbie.
- Its architecture keeps developers from customizing it. It is possible, but still quite hard.
Conclusion: Extremely user-friendly, but quite developer-unfriendly. Great for personal blogs, but for large and medium projects it's better to find a replacement.

System: Drupal
+ Huge great community, tons of modules already done, architecture allows you to customize Drupal as much as you need, very powerful application.
- Complicated for the end user. Requires certain programming knowledge from the developer.
Conclusion: Awesome for large and medium projects, especially if you are going to continuously update or extend them.

System: Joomla!
+ Great community as well, countless themes, requires average developer skills, quite flexible for extension.
- Still quite complicated for the end user, but easier than Drupal. Even though it is flexible, it does not provide Drupal's flexibility.
Conclusion: Fascinating for medium projects which are not going to be hugely extended.

10.3 Setting up blog with your store


[explain]
