
PA-DSS Certification


peterz


As you are probably aware, starting October 1, 2008, any business attempting to acquire a new merchant account who plans on accepting credit cards online is required to have a PA-DSS certified software application. All others who already have an existing merchant account have until 2010. Any merchant who does not have certified software will not be able to process credit cards.

 

Does WHMCS have a plan for getting its software PA-DSS certified? If so, when? If not, why?


  • WHMCS CEO

Hi,

 

PCI Compliance consists of 12 basic requirements, only 2 of which apply directly to the software and the others are more server/network/procedure related. The ones that apply to software, WHMCS does adhere to.

 

For PA-DSS which you raise, it is our responsibility as the software provider to create an application that does not prevent you from achieving PCI DSS compliance. However, the software itself cannot give you PCI DSS compliance. There are 14 rules for PA-DSS which WHMCS does largely meet and we are currently reviewing each rule in detail in preparation for certification.

 

Matt


Peter, in an effort to better inform the community, can you also post some relevant links that can help us all?

 

 

Here are some important links.

 

1. PA-DSS, what WHMCS has to do. https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml

 

2. PCI-DSS, what you as a merchant have to do https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

 

3. A good PCI resource http://www.zendzign.com

 

4. A good PCI resource http://pcianswers.com


Correct me if I'm wrong:

 

WHMCS tracks all movement through the admin.

WHMCS stores all CC data encrypted, requiring an encrypted code to extract if needed.

 

WHMCS does not store the CVV.

 

Please tell me what it is that WHMCS doesn't do that you are concerned about.

 

It does not matter what the software does as long as it is not PA-DSS certified. If it is not PA-DSS certified it is not allowed to be used for handling credit cards based on the original timescale I mentioned in my previous post. This list https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html has all current PA-DSS certified applications listed.

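The storage claims above (card data encrypted at rest, no CVV retained) are exactly what a PA-DSS review checks first, and the practical way to verify them on your own installation is to scan what the application actually writes: logs, database dumps, support-ticket exports. The following is an added example for this thread, not WHMCS code and not something a PA-QSA hands you. It flags Luhn-valid primary account numbers in cleartext and any field that looks like a stored card verification code, which PA-DSS Requirement 1 forbids retaining even encrypted. The function names, the `SAMPLE_LOG` lines and the 4111... test PAN are constructed for the example.

```python
"""Scan application logs or database dumps for cleartext card data.

Added example for this thread; it is not WHMCS code. It flags what a PA-DSS
review looks for first: Luhn-valid primary account numbers (PANs) in cleartext
and stored card verification codes (CVV2/CVC2/CID), which PA-DSS Requirement 1
says a payment application must never retain. The sample lines below are
constructed; the 4111... number is the standard Visa test PAN.
"""
import re
from dataclasses import dataclass
from typing import List

# A run of 13-19 digits, optionally separated by spaces or dashes, that is
# not embedded in a longer digit run (so 20-digit order IDs are skipped).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# key=value or key: value pairs naming a verification code with a 3-4 digit
# value; PA-DSS forbids storing this after authorisation, even encrypted.
CVV_FIELD = re.compile(
    r"\b(cvv2?|cvc2?|cid|csc|card_?code)\b\s*[:=]\s*['\"]?(\d{3,4})\b", re.I
)

# Constructed sample: one line leaks a PAN and a CVV, one carries a 13-digit
# transaction id that fails Luhn, one shows the correct "encrypted, no CVV" shape.
SAMPLE_LOG = """\
2008-12-13 10:02:11 admin login user=matt ip=192.168.1.20
2008-12-13 10:03:40 gateway request cardnum=4111111111111111 exp=1210 cvv=123
2008-12-13 10:04:02 invoice 10045 total=99.00 tx=0123456789012
2008-12-13 10:05:19 stored pan=enc:Zm9vYmFy cvv=(not stored)
"""


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS 3.3 display rule: show at most the first six and last four."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str   # "PAN" or "CVV"
    value: str  # masked PAN, or the field name that held a CVV


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per cleartext PAN or stored CVV field, per line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            # Luhn rejects most look-alikes (timestamps, transaction ids).
            if luhn_ok(digits):
                findings.append(Finding(line_no, "PAN", mask_pan(digits)))
        for m in CVV_FIELD.finditer(line):
            findings.append(Finding(line_no, "CVV", m.group(1).lower()))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: cleartext {f.kind} -> {f.value}")
```

Run it against a copy of your application log directory and a plaintext `mysqldump` of the billing database. Any PAN hit outside the encrypted card column, and any CVV hit at all, is a finding you would have to explain to an assessor regardless of whether the vendor's software is on the PA-DSS list; the scanner only reports the masked number so the report itself does not become a new place where cardholder data is stored.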

Thanks peterz. Those links gave me something to think about.

The implications of "How does this affect my business in its current form, and where I might want to take it in the future?" are the questions that I can now consider, as related to PA-DSS certification.

 

@merlin, if this needs discussion or debate, can we route that part of the larger question to the lounge?


Umm, reading through some of their site this seems more related to merchant gateways rather than billing software like WHMCS.

 

Not sure where you are reading but there are several areas dealing with PCI. The one that directly relates to you as an end user who has customers paying with credit cards is PCI-DSS while the software vendors must adhere to PA-DSS by getting their software certified by an ASV.

 

PCI-DSS - Payment Card Industry Data Security Standard

PA-DSS - Payment Application Data Security Standard

 

PCI-DSS deals with the standards for any organization who stores, processes or transmits credit card holder data. This means if you accept credit card payments directly on the internet through your web site or online application software, you are required to adhere to PCI-DSS which includes having PA-DSS certified software.


In the case of manually accepting credit cards using WHMCS I can see how WHMCS fits the PCI-DSS model. However, when utilizing a CC merchant gateway, I believe it changes the scenario - wouldn't you think?

 

It's not what I think, it is quite clear in the standard.

 

If at any time you store, process or transmit any cardholder data on a computer, server, network, etc that you own, rent, lease, etc that is internet connected you must be PCI compliant. Of course if all you use is Paypal then it does not matter since you don't do those things. If you are using a merchant gateway like authorize.net or linkpoint, etc you will be required by your merchant acquirer to be PCI compliant even if you do not actually store, process or transmit cardholder data.

 

Should your organization have a data breach that compromises cardholder data, the fines are no joke and in the $500,000 range.

 

I suggest you reserve your questions until you have read the PCI-DSS entirely. Links are in my previous posts.


In the case of manually accepting credit cards using WHMCS I can see how WHMCS fits the PCI-DSS model. However, when utilizing a CC merchant gateway, I believe it changes the scenario - wouldn't you think?

 

Not completely correct. If a CC ever passes through WHMCS, then PCI-DSS is involved. The only way to not care about PCI-DSS or PA-DSS is to use PayPal, Google Checkout, Mail-In payments, or take the CC # over the phone. Fitting the model is unfortunately not good enough for us that need/want to be PCI-DSS under the new rules.

 

So, back to the original question... Matt, can you provide us an estimated timeframe as to when you believe WHMCS will be on the PA-DSS list? Now that it is a requirement for us to be PCI-DSS certified, we'll need to have it done some time in 2009. Sooner would be better than later.

 

Thanks.


  • WHMCS CEO

Hi,

 

No, it's not something I can provide a date for, as it's not something we do ourselves. We have to have a certified PA-DSS assessor test and give the certification, and there are a number of options for that. It will also affect future updates and releases, as each change we make following the certification has to be re-verified at further cost. However, it's being looked at and we'll certainly have it taken care of well within the required timeframe.

 

Matt


we'll certainly have it taken care of well within the required timeframe.

this almost makes me laugh, given the date has already passed!

starting October 1, 2008

It is now December 13th, which is AFTER October 1, no? So, why was this stalled out here? Obviously Matt and everyone knew about this beforehand!

 

I'm not so fond of PCI requirements, as the only player in THAT game is a ridiculously snobbish, overpriced, company that doesn't even BELONG in the game there, but from a software perspective, this is something that needs to be completed BEFORE any updates or future releases are put out.


this almost makes me laugh, given the date has already passed!

 

It is now December 13th, which is AFTER October 1, no? So, why was this stalled out here? Obviously Matt and everyone knew about this beforehand!

 

I'm not so fond of PCI requirements, as the only player in THAT game is a ridiculously snobbish, overpriced, company that doesn't even BELONG in the game there, but from a software perspective, this is something that needs to be completed BEFORE any updates or future releases are put out.

 

Many did not know about this. All merchants have been required to be PCI compliant for several years, but it is just now getting any real attention. Is your network compliant? Regarding Matt getting WHMCS certified before any updates, I am quite sure there are updates that will be required to get certified. That, and once certified, no large updates can be done without getting re-certified. Considering the ASVs often charge in excess of $7000 for a PA-DSS certification, it is no small matter.


If this was a one off thing, hey, I'd say no problem, let it go, but it's not.

 

The point here is that this kind of stuff can't just be brushed off, forgotten about, or ignored. Yeah, it's a costly thing to get certified here, but this should definitely not be coming up after the fact! This should be done before it is a requirement, not afterward.

 

Security needs to be given a MUCH higher priority, rather than brushing off requests like they're nothing.


If you're so unhappy,

Who says I'm unhappy? I certainly didn't. Just because I criticise something that has been poorly handled doesn't mean I'm unhappy. It means that that very poorly handled situation needs to change, and we've seen absolutely no indication that it is.

 

why are you wasting your time here complaining rather than off searching for a program that better suits your needs...

Honestly, because WHMCS is great for what I need. Sure, it's not certified yet; sure, it's got a few problems here and there, but for the most part it's great. The only problem is with the incredibly poor security standards here. I've spent a good 2 years embedding applications into WHMCS, from internal monitoring scripts to administrative work areas to client work areas, turning it into a complete client and administrative management solution.

 

 

 

and for the record not ALL merchants are requiring PCI Compliance as of yet,

This isn't about PCI compliance; this is about something far more important, CODE verification and certification.

 

These are two completely and totally separate issues and points.

 

For new merchant accounts, the deadline for this is past, it's gone. So, before any new merchant accounts get opened up, using WHMCS, WHMCS must be certified. This isn't optional, this has nothing to do with PCI Compliance, but everything to do with software compliance.

 

PCI compliance isn't forced on everyone, YET, but it will be shortly. This specific compliance IS forced on every new merchant. Just because existing merchants have a bit more time to get their stuff together doesn't make ignoring this issue till the last minute excusable, not at all.


I guess that sounded like a smart @$$ reply, and it wasn't intended to tick anyone off.

 

 

And the PCI Compliance statement I made was to the other person that you were conversing with; sorry for the misunderstanding.

 

I am hoping he does not mean me. Anyway regarding your PCI statement. Authorize.net is not a merchant bank or acquirer, they are a gateway and have nothing to do with requesting or requiring your PCI compliance. As a merchant who accepts credit cards, you are personally responsible for your PCI compliance. PCI is an industry regulation created by the big 3 credit card companies which will be shortly followed by government regulations. Resistance to this is a futile effort.

 

Now regarding being off searching for a program, that is exactly what I am doing and if WHMCS is not certified what you will soon be doing. However, only 1 other of the big 5 billing systems has a "plan" for getting certification, and just like WHMCS, none are certified currently.


  • 1 month later...

Hi, I'm just getting myself set up with WHMCS and have no experience with it at all. I do have some experience with PCI Compliance (one of my clients is a Level 3 merchant and required to adhere to PCI-DSS) and I would like to set myself up to sail through that if it ever becomes an issue.

 

I don't see any posts on this thread since Dec 13th -- can anybody in the know give me an update on where things are at? Has a plan been put into place to get WHMCS PA-DSS certified so my life can be easier?

 

Thanks,

Alan


  • 2 months later...

I'd be interested in any updates on this, also.

 

As an aside, I'm amazed at the hoops *I* need to jump through to be PCI compliant, secure, etc.... and yet I still have vendors who will request I fax them my driver's license, credit card number, etc. And still others (*cough* eNom) who charge a fee for using a credit card.

 

With all these new regulations, there's never been (that I can find) a way to report non-compliance with regulations from a consumer's perspective. Please don't suggest I call Mastercard/Visa... I tried. 30 minutes of my life I'll never get back, and for nothing.
