PA DSS Compliant?

[CCSupport]

Hello all,

 

We have just been notified that WHMCS is NOT PA DSS Compliant which in essence means it's not secure enough to store credit card data... Along with allowing transactions within the software and all transactions should be forwarded to an external party....

 

I'm REALLY hoping this information is incorrect!

 

Can anyone confirm please? It would seem a bit weird that WHMCS has the facility to store transaction data internally but would never be allowed.

 

Just to note, I know this seems to have had LOTS of threads and posts about it, however I cannot find one that actually says why WHMCS is NOT on the PA-DSS Certified list. It's pretty worrying if that is the case.

 

The main thread I have been looking through is here. However that was started in 2008, last post 2012 and no mention of WHMCS being PA DSS Certified.

Edited December 19, 2014 by CCSupport

[CCSupport]

I have received a response from WHMCS (John) from a ticket I created asking the same question above. He kindly gave a straightforward answer. For anyone else who has the same question as me, here's the information received and also my response for completeness:

 

John -

Thanks for contacting technical support. I can advise that WHMCS is not PCI-DDS certified at this time, although this is something we are working towards.

However it is designed with PCI specifications in mind, so should not obstruct you from achieving PCI certification status yourself.

 

If you are concerned about storing credit card data on your server, then may I suggest a tokanisation gateway, which has all the benefits of storing the card details locally but stores them on your payment gateway's servers instead: http://docs.whmcs.com/Payment_Gateways

 

My response and request -

Thank you for the reply John.

 

Unfortunately the statement regarding WHMCS not obstructing PCI Compliance seems to be partly untrue and only true in a small number of cases.

 

I say this simply as if I tick the box to store credit card data locally and do not use a 'tokanisation' gateway then it immediately blocks us from becoming PCI Compliant.

 

I really do think the WHMCS documentation needs to be far clearer regarding the use of the tick box and the related compliance issue. I actually feel that the tick box to allow local storage should be completely removed and only shown when a 'tokanisation' gateway is being used. Obviously it is down to your clients to become PCI Compliant, however WHMCS do have a moral obligation to reduce potential breaches or at least limit the amount of harm if a breach occurs within the software.

 

It is really disappointing to find this issue. After all of the work we have put in to configuring and using WHMCS including a site upgrade relying on WHMCS I feel our path now must change.

 

As mentioned, I think the WHMCS documentation should be made clearer for others and also the removal of the option to store credit card details locally should be implemented if a chosen payment gateway does not allow the details to be stored on their servers.

 

For completeness I will copy my response and add it to the thread I have created asking the same question within the forum. At least that way others may find it useful and hopefully make it clear the potential compliance nightmare they would have.

 

As mentioned in my response, I am disappointed...and mortified in all honesty that a simple tick box can be allowed without any real documentation (that I found anyway). The mere option of storing credit card data locally when not certified is breaking compliance rules and therefore should not be an option.

 

I understand that John and WHMCS are not governed (I guess) by the PCI Compliance for their clients, however I would guess that if WHMCS payment system allows the storage of client credit card details then they MUST use a 'tokanisation' gateway as they couldn't possibly store the data and be PCI Compliant for their own payments. If they themselves know they cannot store it locally then I would have though far more information could have been made available. if the information is somewhere then that information needs to be linked right next to the tick box option to store the data.

 

I will now have to consult with our payment provider and hope that we can workaround this issue without having to go through a huge change both with a payment provider and/or our CMS system (WHMCS).

[suhailc]

Hi,

 

Thanks for sharing your communication with WHMCS.

 

Yes WHMCS is not an approved 3rd party shopping cart provider, and hence the oweness is on clients to secure their infrastructure according to PCI DSS requirements.

 

I'm glad they are candid about this as nothing is being hidden.

 

So implementing what is necessary to lock down access to this data is what will make you PCI compliant, not just having a web application which ticks the boxes. In fact anything open to all and sundry on the web is liable to getting hacked.

 

So allowing customers to "tick the store credit card info" is the risk we take, and if a sufficient number of us get hacked and data compromised, we would look for alternatives to WHMCS and that would damage WHMCS, hence it's in their interest to get PCI certified as a trusted shopping cart solution, particularly as they are now owned by Cpanel, and Cpanel would not like anything suggesting their like PCI complaince worthiness.