PA-DSS Certification


peterz

I'd be interested in any updates on this, also.

 

As an aside, I'm amazed at the hoops *I* need to jump through to be PCI Compliant, secure, etc....and yet still have vendors who will request I fax them my driver's license, credit card number, etc. And still others (*cough* eNom) who charge a fee for using a credit card.

 

With all these new regulations, there's never been a way (that I can find) to report non-compliance to regulations from a consumer's perspective. Please don't suggest I call Mastercard/Visa...I tried. 30 minutes of my life I'll never get back, and for nothing.

 

Yeah, what exactly happens if you're not PCI compliant, or if the software program is not PA-DSS compliant? I mean, do they come after you and file a lawsuit or try to shut you down? Has this happened yet to anyone or is it all just a big bluff by the PCI guys?


The PCI certification issues do not stem from WHMCS, they stem from the actual server itself.

 

We've just passed compliance and the only WHMCS changes I had to make were where the login forms were on non-WHMCS pages and should be submitted through an SSL connection.

 

Don't blame the software for PCI failures, it doesn't fail anywhere that I'm aware of, blame the server it sits on...


Here is a new wrinkle.

 

I was speaking to my Merchant Account about PCI Compliance. I have been following this thread so I kind of understand the issues related to the software. However, what blew me away is that because I provide hosting, I would be required to be compliant as a level 2 merchant.

 

Copy of email:

 

Eric,

 

Yes, you would be considered a Level 4 for PCI DSS Compliance; however, you would be considered a Level 2 as a Third Party Agent/service provider since you offer hosting services that support your customer's payment application.

 

I hope this makes sense.

 

Can anyone shed light on this?


Here is a new wrinkle.

 

I was speaking to my Merchant Account about PCI Compliance. I have been following this thread so I kind of understand the issues related to the software. However, what blew me away is that because I provide hosting, I would be required to be compliant as a level 2 merchant.

 

Yes, this makes perfect sense but you have to validate as a level 2 service provider, not as a level 2 merchant. If you look at the Visa CISP service provider page, there are more details. Not all of the banks truly understand what it is you need to do. It is best if you find a PCI QSA and get advice from them in the same way you would hire a lawyer for legal advice.

 

PCI requires any merchant to verify the compliance of their service provider and this is the main mechanism for doing it. There are only 2 service provider levels, 1 and 2 so it's easy to determine where you fit. Take a look at this thread at webhostingtalk, it covers some of what you are discussing.

 

The main difference between a Level 4 merchant and a Level 2 service provider is the scope of what is required to be compliant. With a merchant, it is only your cardholder environment you are concerned with. As a service provider, you are concerned with your entire infrastructure. The SAQ form is almost exactly the same with a few added items and a title change for service providers. If you have all your marbles in one bag, the compliance part should not be too difficult.

 

So, if your service provider cannot prove PCI compliance as a service provider, then it will make your compliance even more difficult. By getting your Level 2 compliance done you will make your customers lives much easier and have a competitive advantage over hosts who do not have their compliance done.


The PCI certification issues do not stem from WHMCS, they stem from the actual server itself.

 

There is much more involved than the server and PA-DSS certified software is only 1 aspect of the 200+ line items on the SAQ-D.

 

We've just passed compliance and the only WHMCS changes I had to make were where the login forms were on non-WHMCS pages and should be submitted through an SSL connection.

 

I am guessing you had your merchant account before October 1, 2008. If so, you still have until 2010 to start using PA-DSS certified software. Any merchant who applies for a merchant account after October 1, 2008 is required to prove compliance before a merchant account will be activated, including using only PA-DSS certified software. I have several customers who are dealing with just this issue. One is in the middle of activating a second merchant account and even though he has his older legacy one, is required to comply with the newer PCI-DSS 1.2 and have PA-DSS certified software.


Yeah, what exactly happens if you're not PCI compliant, or if the software program is not PA-DSS compliant? I mean, do they come after you and file a lawsuit or try to shut you down? Has this happened yet to anyone or is it all just a big bluff by the PCI guys?

 

In all likelihood, not a whole lot until your next SAQ. If you take a look at the SAQ in its current state, you must write in your payment application software. New merchants must already ensure that it is PA-DSS certified before the merchant account will be activated. Now next year when all merchants are required to have PA-DSS certified software, I am quite sure there will be a few banks who turn off some merchants and some who have no clue, but in the end it is a personal responsibility to ensure compliance. Of course you can lie on your SAQ all day long to save a few $$ but you are risking huge $$ in the event of a breach. PCI has what is called safe harbor for compliant merchants who have a breach, but if you are not compliant, the cost of a breach when non-compliant can exceed $2MM. I am not sure about you but I don't have that much cash lying around.

 

Something important to note, merchant banks are now being held accountable for their merchants who encounter a breach and they will be getting more stringent with your compliance. It is entirely possible that banks will start disabling merchant accounts found non-compliant.


OK,

 

So to clarify, I host with SPRY.com - I should contact them and see if they are compliant. It is still my responsibility but it helps if they have gone through this. If not, I am screwed. And so are all these other hosting/resellers who have merchant accounts. Once their merchants find out they are providing hosting, they are going to have my problem.

 

I have one client that uses a CC for hosting. So I can move him to use PayPal only for my hosting, and use CC for the other part of my business where I am just doing ecommerce, and doing a 1-shot sales process. Then my only requirement would be PCI level 4.

 

I still have a problem with the software WHMCS unless they get on the approval list.

 

So, my shopping cart solution cannot be xcart, or zencart, or OS Commerce - because none of those solutions are going to be on the PCI-DSS list. :)

 

And popular solutions like !shoppingcart.com, clickbank, etc. will all have to do PCI-DSS.

But these solutions are acceptable for me because the transaction happens completely on their domains. And once again my only responsibility will be my PCI Level 4 compliance.

 

Do I have this straight in my head?


Can we get an update from WHMCS on the status of this? Is there a plan to get this software validated? The last post was on 12/12/08 saying that you don't have a date yet. This is a vital piece to our business & will be the deciding factor for what software we use.


Sorry for this question, but I am new to this. I looked over the PA-DSS requirements and found the list of items that need to be met. So my question is: Does WHMCS meet all of the following requirements?

 

1. Do not retain full magnetic stripe, card validation code or value, or PIN block data.

2. Protect stored cardholder data.

3. Provide secure authentication features.

4. Log payment application activity.

5. Develop secure payment applications.

6. Protect wireless transmissions.

7. Test payment applications to address vulnerabilities.

8. Facilitate secure network implementation.

9. Cardholder data must never be stored on a server connected to the internet.

10. Facilitate secure remote software updates.

11. Facilitate secure remote access to payment application.

12. Encrypt sensitive traffic over public networks.

13. Encrypt all non-console administrative access.

14. Maintain instructional documentation and training programs for customers, resellers, and integrators.


Some of this stuff WHMCS has NO control over,

but here are some of the answers I know:

1. No, WHMCS does not retain FULL stripe data.

2. Yes, the data is encrypted.

3. Yes, there is a key that must be entered to access CC details (minus CVV).

4. Yes, payment application activity is logged.

9. This is actually up to the end users (for example, our database has NO direct access to the internet and is set up to ONLY allow traffic from a SINGLE private network source).


Thanks for the link, but my main concern on this is the PA-DSS compliance for WHMCS. Is there a plan to get this compliant? We are considering switching to this app, but don't want to have to switch again in a year when the compliance is completely in effect.


Thanks for the link, but my main concern on this is the PA-DSS compliance for WHMCS. Is there a plan to get this compliant? We are considering switching to this app, but don't want to have to switch again in a year when the compliance is completely in effect.

 

You're not the only one. Of course this is nothing compared to what our government has in store.


Some time? There is a full year :) Nobody needs to be certified until July 2010.

 

As I am sure you are well aware, software development takes time. A full year can be gone before you know it.

 

Additionally, there are many merchants who require PA-DSS certified software now. As of Oct 1, 2008, any new merchant is required to have PA-DSS certified software. Only those of us fortunate enough to have a pre-existing merchant account are grandfathered in.


https://www.paypal.com/pcicompliance

 

PayPal adheres to international PCI (payment card industry) compliance standards for data security.† With Website Payments Standard, Email Payments, and Payflow Link*, PayPal handles the payment card information for you. So you don’t have to worry about your buyers’ payment card security or about compliance with PCI DSS for your business.††

 

† Our PCI Compliance can be validated at http://www.visa.com/cisp

* PayPal is not responsible for PCI Compliance if you store, transmit, or process payment card information.

†† All card data must be stored, transmitted, and processed by PayPal and not by the merchant.

 

Now that that covers us people that use PayPal: would temporarily removing local saving of info then solve the current issues with PCI compliance?


  • 1 month later...

Actually, I did some more googling on this and came onto a Parallels thread. As of July 2, 2009 this comment was made:

 

"WHMCS is not officially certified for PA-DSS compliance yet. As once this is done it affects the changes we can make and incurs additional costs for re-certification of every release, we will be waiting until the very last possible time before the requirements start being enforced next year before we obtain certification."

 

Though I'm glad WHMCS is considering compliance, I'm not too glad that they're gambling on this. Waiting until the last possible moment is only gambling with the businesses that use WHMCS. I take it that the application process is long and anything could happen to stall it. Or am I just panicked about this?


Actually, I did some more googling on this and came onto a Parallels thread. As of July 2, 2009 this comment was made:

 

"WHMCS is not officially certified for PA-DSS compliance yet. As once this is done it affects the changes we can make and incurs additional costs for re-certification of every release, we will be waiting until the very last possible time before the requirements start being enforced next year before we obtain certification."

 

Though I'm glad WHMCS is considering compliance, I'm not too glad that they're gambling on this. Waiting until the last possible moment is only gambling with the businesses that use WHMCS. I take it that the application process is long and anything could happen to stall it. Or am I just panicked about this?

 

If it's anything like the process to get PCI Compliant, it is fairly quick and straightforward if you know what you are doing.


  • 2 years later...
If it's anything like the process to get PCI Compliant, it is fairly quick and straightforward if you know what you are doing.

It isn't. It's long, painful, very expensive and likely to require a lot of changes in the application. Still like to hear they are doing something about it though.


  • 1 month later...

From what I can tell, WHMCS is not PCI compliant out of the box. One example is non-consumer users' passwords. PCI compliance, from what I understand, requires payment applications to adhere to following items:

 

- Non-consumer user and administrator (admin) passwords must be strong and contain a mixture of alphanumeric characters

- Admin passwords must expire every 90 days

- Admin passwords cannot be the same as the 4 previously used passwords on the same account

- Admin passwords must be changed

- Two-factor authentication requires that two of the three authentication methods (see PCI DSS Requirement 8.2 for descriptions of authentication methods) be used for authentication

- First-time and reset passwords must be changed immediately after the first use

- Minimum password length of at least seven characters required

- Repeated access attempts limited by locking out the user ID after no more than six attempts

- Once a user account is locked out, the lockout duration is set to a minimum of 30 minutes or until administrator enables the user ID

- If a session has been idle for more than 15 minutes, users are required to re-authenticate

 

Unless I'm overlooking something, WHMCS doesn't seem to handle the above, so I'm wondering where that leaves merchants using WHMCS to process card transactions. These are all required even if no card data is stored in WHMCS, as far as I know. It is part of the SAQ-D. How do the other WHMCS owners handle these issues?

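The password, lockout and idle-timeout items quoted in the post above, carried through as a small policy checker. This is an added example written for this page, not WHMCS code; the AdminAccount class, the scrypt hashing and the way the timers are represented are assumptions chosen to match the values the post lists (seven characters, 90-day expiry, four-password history, six attempts, 30-minute lockout, 15-minute idle limit).

```python
import hashlib, hmac, os, re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy values are the PCI DSS admin-password items listed in the post above.
MIN_LEN, MAX_AGE, HISTORY = 7, timedelta(days=90), 4
MAX_ATTEMPTS, LOCKOUT, IDLE_LIMIT = 6, timedelta(minutes=30), timedelta(minutes=15)
def _hash(pw: str, salt: bytes) -> bytes:  # slow salted hash; tune n/r/p in production
    return hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1)
def is_strong(pw: str) -> bool:  # at least seven characters with both letters and digits
    return len(pw) >= MIN_LEN and bool(re.search(r"[A-Za-z]", pw)) and bool(re.search(r"\d", pw))

@dataclass
class AdminAccount:  # constructed model of one admin login, not a WHMCS structure
    history: list = field(default_factory=list)  # (salt, hash) pairs, newest last
    changed_at: datetime = None
    must_change: bool = True                       # first-time or admin-reset password
    failures: int = 0
    locked_until: datetime = None
    last_seen: datetime = None

    def set_password(self, pw: str, now: datetime, reset: bool = False) -> bool:
        """Reject weak passwords and any of the previous four; record the change."""
        reused = any(hmac.compare_digest(_hash(pw, s), h) for s, h in self.history[-HISTORY:])
        if not is_strong(pw) or reused:
            return False
        salt = os.urandom(16)
        self.history.append((salt, _hash(pw, salt)))
        self.changed_at, self.must_change, self.failures = now, reset, 0
        return True

    def login(self, pw: str, now: datetime) -> str:
        """Return 'locked', 'bad', 'change_required', 'expired' or 'ok'."""
        if self.locked_until and now < self.locked_until:
            return "locked"                        # 30-minute lockout still in force
        salt, stored = self.history[-1] if self.history else (None, None)
        if salt is None or not hmac.compare_digest(_hash(pw, salt), stored):
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:      # six failures lock the user ID
                self.locked_until = now + LOCKOUT
            return "bad"
        self.failures, self.last_seen = 0, now
        if self.must_change:
            return "change_required"               # must be changed on first use
        return "expired" if now - self.changed_at > MAX_AGE else "ok"

    def touch(self, now: datetime) -> bool:  # False: 15-minute idle limit hit, re-authenticate
        ok = self.last_seen is not None and now - self.last_seen <= IDLE_LIMIT
        self.last_seen = now if ok else None
        return ok
```

Each return value from login() is a distinct state the application has to act on (prompt for a new password, refuse the attempt, or show the lockout), which is the part of the list a vendor has to build into the admin area rather than leave to the server.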
