easyhosting Posted June 24, 2012

> It isn't. It's long, painful, very expensive and likely to require a lot of changes in the application. Still like to hear they are doing something about it though.

It's not that bad. I got a Comodo Instant SSL cert that comes with PCI compliance ($38 a year), so after installing and running the PCI scan it tells you what you need to do on your site, if anything, to be fully compliant. Do these and then re-run the PCI scan and all will be fine.
ffeingol Posted June 24, 2012

From conversations I've been in with other cart vendors, PA-DSS is nothing like the 'PCI scan' and it is very long and complicated. It goes way beyond the requirements listed by NetLink and gets much more into the actual development process, change control procedures, etc.
NetLink Posted June 24, 2012

The PCI vulnerability scan is only a tiny fraction of PCI compliance, and IMO the easiest hurdle to cross. WHMCS obviously have some kind of development process, change control procedures, etc. As long as these procedures are in line with PA-DSS, I'm not sure if the applications actually have to be formally validated. According to VISA:

> While the use of PA-DSS validated payment applications is recommended, a payment application need not be included on Visa's list of PABP validated payment applications or PCI SSC's list of PA-DSS validated payment applications in order to comply with Phase 2, Phase 3 and Phase 5 requirements for use of PA-DSS compliant applications. Acquirers may determine the PA-DSS compliancy of a payment application through alternate validation processes, which should confirm that payment applications meet PA-DSS requirements and should facilitate compliance with the PCI DSS.

However, the points I mentioned relate directly to the SAQ that merchants need to fill out if they are transmitting credit card data through their systems. They are fairly simple to implement, except maybe the two-factor authentication, which might require some more thought and work, but without these implementations, I just don't understand how any merchant using WHMCS can become PCI compliant, unless they only accept CC data over the phone.
disgruntled Posted June 24, 2012

In an ideal world we would all be PCI compliant with or without credit card processing. Personally, I don't even offer credit card payments; I use the 3rd party gateways. So PCI compliance, while recommended and preferred, is not a requirement and, as far as I am aware, never will be for non-card processing systems. PCI is after all directly related to credit card processing of the big 3, to coin the phrase. Personally I feel the better solution is simply don't accept them onsite, or if you do, then use the MasterCard system of an embedded frame. They have their own systems in place of course and there are requirements to pass before use. By the way, this is a very old thread, 2008. Although I am unaware of any progress on the matter within WHMCS, so I guess a refresher was needed to check in for an update.
NetLink Posted June 25, 2012

Thanks for your feedback. My merchant account allows me to accept debit cards that most gateways like PayPal don't support. I only pay 50 cents per transaction on these debit cards, and almost everyone uses them here, so it's very important for me that I'm able to offer this type of payment. However, I'm currently paying a monthly non-compliance fee to my acquirer, so while it's an old thread, this is a current issue for me, and I thought it made more sense to post here than to open a new thread. I would find it very interesting to know how other WHMCS get around the issue, but it would also be great if WHMCS could give an update. By now, Phase 5 is in effect, so all merchants should now be required to be PCI-DSS compliant, and fines are very hefty.
easyhosting Posted June 25, 2012

> i use the 3rd party gateways. so pci compliance while recommended and preferred is not a requirement and as far as i am aware, never will be for none card processing systems.

Well, we only use 3rd party payment gateways and have used VoicePay (now CashFlows) for many years for CC payments, and we had to become PCI compliant to continue to use their services from May 2012.
disgruntled Posted June 25, 2012

> Well we only use 3rd party payment gateways and have used voicepay (now cashflows) for many years for CC payments and we had to become PCI compliant to continue to use their services from May 2012

That is down to CashFlows though, isn't it? I mean, it's their choice to require it. They manage the card payments; we don't send them any card details. In fact, if they operate the same as several of the other gateways, we don't even have to send them any client data, just the product related data, so for that I can't see a need for PCI compliance. Nonetheless, it would be preferable in any case.
rodeoXtreme Posted June 25, 2012

PCI doesn't only relate to credit card numbers; it is Card Holder Data: name, address, telephone, etc. There are three parts to PCI Compliance:

1. Quarterly passing scan by an ASV (Authorized Scanning Vendor),
2. An Attestation by an officer or owner of the company (SAQ-A, SAQ-B, SAQ-C, SAQ-C VT, SAQ-D),
3. Policy Set is required for any of the SAQs.

Cheers,
easyhosting Posted June 25, 2012

> That is down to cashflows though isnt it?

No, it's all merchants:

> Reminder: Becoming PCI DSS Compliant
>
> Dear ******,
>
> To improve security and cut fraud the card schemes created a set of Payment Card Industry Data Security Standards (PCI DSS) informing merchants and the payment industry how to securely store, process or transmit card data. As a merchant you are required to adhere to the PCI DSS. Non compliance will result in you being responsible for any losses through fraud, and be subject to considerable fines from the card schemes.
>
> To become compliant to the PCI DSS each of your business' profiles must obtain a certificate of compliance from a Qualified Security Assessor (QSA). If you cannot provide a certificate of compliance by 1st May 2012 we will automatically enrol you in the CashFlows Compliance Programme and you will be expected to attain compliance within 30-90 days.
>
> If you have any further queries regarding these changes, please feel free to contact customer services by emailing us at support@cashflows.com or calling +44 (0)1223 550920. Our office opening hours are: Monday to Friday: 09:00 to 17:00 (UK)
>
> Yours sincerely,
> Customer Support
> CashFlows
> http://www.cashflows.com/support
malfunction Posted June 25, 2012

Guys, this thread is not about PCI compliance at all, so can we please concentrate on the real issue, which is the PA-DSS payment application standard and if/when we can expect the developers to have WHMCS certified compliant with it.
easyhosting Posted June 25, 2012

> Guys, this thread is not about PCI compliance at all, so can we please concentrate on the real issue which is the PA-DSS payment application standard and if/when we can expect the developers to have WHMCS certified compliant with it.

This thread is also 5 years old, but PCI and PCI-DSS should be discussed together. If you read the whole thread, it was WHMCS that brought up PCI in the 2nd post.
NetLink Posted June 25, 2012

On the 12-1208, Matt@WHMCS posted:

> For PA-DSS which you raise, it is our responsibility as the software provider to create an application that does not prevent you from achieving PCI DSS compliance.

From what I can tell, WHMCS currently does prevent me from achieving PCI compliance. To be fair, there could be other things that currently prevent me from achieving it, but right now, I'm trying to determine whether it's even worth my while trying, or if I need to cancel my merchant agreement and take credit card payments over the phone only. To be honest, I'm not interested in switching to a different billing system. I spent way too much time, money and effort trying to find a solution that works. So, it would be great to have this issue resolved.

With regards to PA-DSS, it's my understanding that the software needs to be compliant, but to verify compliance, there are different methods. Basically, even if WHMCS is PA-DSS compliant, it doesn't necessarily have to be included on the list of verified applications. For a payment application to be deemed PA-DSS compliant, software vendors must ensure that their software includes the following 14 protections:

1. Do not retain full magnetic stripe, card validation code or value, or PIN block data. (done)
2. Protect stored cardholder data. (mostly done, I would say)
3. Provide secure authentication features. (not done)
4. Log payment application activity. (done, I think)
5. Develop secure payment applications. (this seems to depend on all other steps?)
6. Protect wireless transmissions. (not applicable, I think)
7. Test payment applications to address vulnerabilities. (done)
8. Facilitate secure network implementation. (not sure)
9. Cardholder data must never be stored on a server connected to the internet. (I'd say this is achievable, but is mostly up to the WHMCS user. I'm guessing WHMCS could simply add an alert to the dashboard to say that the database must be on a remote server, if it detects that CC payments have been activated.)
10. Facilitate secure remote software updates. (done)
11. Facilitate secure remote access to payment application. (done)
12. Encrypt sensitive traffic over public networks. (done, I think)
13. Encrypt all non-console administrative access. (force SSL?)
14. Maintain instructional documentation and training programs for customers, resellers, and integrators. (done or partially done)