PCI Compliance and the New PA-DSS: Information for Online Storeowners


Thought it would be a good read for everyone.

Confusion Runs Rampant

Many folks in the e-commerce industry have found themselves scratching their heads in confusion over the new PCI PA-DSS (Payment Card Industry, Payment Application – Data Security Standard) rules and guidelines. PCI Compliance has never been an easy topic to wrap one’s head around and the new DSS is starting to cause panic among some involved in businesses that operate online. The July 1, 2010 compliance deadline is looming and many payment applications are still not DSS certified.

This is not good news for anyone involved in the e-commerce sector. There is no set punishment established for non-compliance with the new PA-DSS. If an online storeowner is found to be non-compliant then they will likely be charged increased merchant fees and penalties, face hefty fines and in some cases have their merchant account or even their entire website terminated.

Most of the confusion and controversy revolves around who exactly needs to comply with the new DSS. The answer to this is somewhat complex but the primary rule of thumb is that if your store processes credit cards online then you need to use a shopping cart that is PA-DSS certified in order to be PCI Compliant.

As an e-commerce merchant, vendor or retailer (those operating a business online), it is your duty to ensure you are utilizing fully PCI Compliant Hosting and that your shopping cart application is PA-DSS certified. If either your host or cart is not compliant with the PCI then your site is in trouble. Many carts and other merchant service providers are still shuffling to get scanned and added to the list of compliant applications before the July deadline.

If you are in the market for new shopping cart software then you do not want to use a program that is non-compliant with the PCI or PA-DSS. It is not worth losing money or possibly your business over something so simple to remedy. The responsibility falls on you – the storeowner – to find a host and cart that are compliant with the PCI and to fulfill the required network scans and questionnaires.

PCI Compliance vs PA-DSS – what’s the difference?

The PA-DSS (Payment Application – Data Security Standard) applies to products that are distributed as applications that people can purchase and then do whatever they wish. For example, this applies to shopping cart programs and e-commerce solutions. The DSS started as the PABP (Payment Application Best Practices) by Visa before becoming affiliated with the PCI Security Council, which represents all five major credit card companies. In order to be PCI Compliant you must be on a DSS certified application. In other words, your cart must be compliant.

PCI Compliance is a broader set of rules and guidelines. The PCI Compliance rules are the standards for the way in which credit card transactions and other confidential information is processed online.

As of July 2010, both PCI and PA-DSS Compliance are necessary for a site that accepts credit card payments. The PCI applies to all e-commerce businesses, web hosts, shopping carts, payment gateways and merchant account providers. When a company becomes DSS certified they are then added to Visa’s list of compliant companies. The PCI Compliance rules are the standards for the way in which credit card transactions and other confidential information is processed online.

In order to be fully PCI compliant with the new PA-DSS, level 4 merchants must be running compliant applications on their site (such as their shopping cart). Their web hosts must also be PCI compliant by using properly encrypted networks, regularly updating their anti-virus software and performing regular system scans.

There are a number of PCI scanning companies approved by Visa and MasterCard that will help small merchants pass PCI audits and complete the PCI questionnaire in order to show PCI compliance. Being fully PCI and DSS compliant is like having an insurance policy in the event of a security breach.

For the list of requirements that QSAs will be checking for in your scan check out:

https://www.pcisecuritystandards.org/security_standards/pci_pa_dss.shtml


  • 2 years later...

Hi:

I have a question, where does Reseller Hosting fall into these requirements? My site is on a shared server so it is not likely to pass a PCI Scan. I have tried and it has failed.

Paypal does the payment processing.

I have kept a VPS ecommerce cart online in the past, and it was PCI secure.

jhayes


Reseller hosting falls under the responsibility of the host and the reseller. The host needs to ensure the server is PCI compliant and this is possible on shared servers. The reseller needs to ensure that their sites are PCI compliant.

If payments are being processed off site by using PayPal standard and credit card information is not processed on the site then this reduces the PCI exposure to a questionnaire only, no scan required.

However, and this is the big one. WHMCS IS NOT PA-DSS COMPLIANT!

If you take credit card payments using a direct method where the card details are entered directly on your site then it doesn't matter if the hosting platform is PCI compliant, you still fail in the eyes of the merchant account.

This issue has been mentioned multiple times in the past and has still not been addressed.


What issues are you referring to? As WHMCS is a self hosted application, surely it is down to the end user to ensure their servers are PCI compliant.

(Emphasis Added)

The server must be compliant as well as the software used to process/store CC information - hence the problem with WHMCS not being compliant. Because the code is not available, as end users, we cannot have it audited for compliance.


Does the cart have to be PA-DSS even if we just use PAypal or a third party gateway?

The practical application of this is the software has to be PA/DSS compliant if your third party payment processor says it does. Some do, some don't. If you use PayPal Standard it wouldn't be a requirement.

You can understand why WHMCS don't want to do it, it's a difficult and costly process, but if they are trying to be a professional payment application they need to get it done even if the requirement is still somewhat patchy across processors.

Unfortunately WHMCS appear to care little about the issue of security, this has been shown again and again, instead choosing to try to dodge the issue since 2008 as you can see here for example http://forum.whmcs.com/showthread.php?16269-PA-DSS-Certification


What issues are you referring to? As WHMCS is a self hosted application, surely it is down to the end user to ensure their servers are PCI compliant.

This is the most common misconception sadly and as explained by other posters, PCI compliance and PA-DSS are two completely different animals.


This is the most common misconception sadly and as explained by other posters, PCI compliance and PA-DSS are two completely different animals.

My bad, you learn something every day!

Have you tried asking them directly?


You know I did say I would wait but it's plain that they may have forgotten to follow through. Basically they are looking at selecting an ASV at the moment and expect to start PA-DSS evaluation during Q1/Q2 this year.

So when it gets round to June we can nag again ;)


  • 4 months later...

Greetings,

I wanted to provide a quick update on this as I am leading this Project. Roughly 60 days ago WHMCS, Limited selected an ASV to work with on the PA-DSS project. About 30 days ago we started the project which includes the development of a PA-DSS Implementation guide, sending the vendor images of WHMCS installation, and going through a pretty extensive checklist.

The entire process from start to finish takes roughly 16 weeks once we submit our first round of documentation. The goal for this project is to have the first draft of the PA-DSS Implementation guide submitted by June 30th, 2013.

WHMCS has made a significant investment in time and resources to make this happen and when completed we will be one of the only billing software companies to achieve PA-DSS compliance.

On a side note, IPv6 within cPanel & WHM will likely beat us to the finish line. We just demo'ed this at HostingCon 2013 and it will be an exciting race, but both are features and requests we are focused and committed to delivering.

As the process for PA-DSS gains traction, I will provide updates to this thread and I would be happy to answer any questions along the way.
