AlpineWeb Posted September 11, 2009

What are WHMCS's plans for addressing PCI Compliance, and PA-DSS in particular?

Thank you,
Uwe Schneider
AlpineWeb Design
http://alpineweb.com/
rslyon Posted September 11, 2009

We have passed PCI compliance with WHMCS. The application is fine. It is you and your site that need to pass. They require a network scan and answers to some questions on how the data is stored and who has access to it.
AlpineWeb (Author) Posted September 11, 2009

> We have passed PCI compliance with WHMCS. The application is fine. It is you and your site that need to pass. They require a network scan and answers to some questions on how the data is stored and who has access to it.

Passing a PCI scan is only the tip of the iceberg. Keep in mind that there are other requirements, such as PA-DSS, to meet. In the end it may be the merchant or bank that sets which software it will accept.

This is paraphrased from the https://www.pcisecuritystandards.org/ website: when 7/1/2010 rolls around, acquirers must ensure their merchants, VNPs and agents use only PABP-compliant applications, which means that as of 7/1/2010 you must use PA-DSS certified e-commerce software on your web site.

As I stated above, there is a lot more to this issue than meets the eye.
WHMCS CEO Matt Posted September 11, 2009

Hi,

There are a number of threads that already exist regarding PCI Compliance, but as we've stated previously in those, we would certainly like to be PA-DSS certified, and are actively working towards it. However, there is a significant cost in becoming certified, and ongoing costs in re-certifying new releases, which means certification will be done nearer the required date. In the meantime, our aim is to be PA-DSS compliant (which we are for the most part) and PCI compliant, so that WHMCS doesn't hinder you in achieving compliance.

Matt
leon_nerd Posted September 22, 2009

If we are using any gateway that processes CC details in the background (like PayPal Pro), then WHMCS stores the CC information in the database. So this means we need to be PCI compliant to do this kind of processing. Am I right?

Can someone here who has got PCI compliance throw some light on how you got it?

Thanks.
EWH1 Posted September 22, 2009

You really need two servers as well to meet the requirements, with the second server as the DB server with no direct net access to it.
uhhosting Posted September 23, 2009

> If we are using any gateway that processes CC details in the background (like PayPal Pro), then WHMCS stores the CC information in the database. So this means we need to be PCI compliant to do this kind of processing. Am I right?
>
> Can someone here who has got PCI compliance throw some light on how you got it?

For Website Payments Pro (PayPal UK) you only need a PCI-DSS vulnerability scan. I know because I've just done it.

A PCI-DSS scan has nothing to do with WHMCS. It will scan your server IP, cycling through a big long list of known vulnerabilities and server weaknesses. If you have any security warnings over a score of 4.0 then you will not be compliant.

I used instantssl.com for the scan service, whereby they produce a certificate once you're compliant, for about £165.
jgross Posted February 16, 2010

These two articles might be helpful to you, AlpineWeb: how to become PCI DSS compliant, and PA-DSS Implementation. The July 1 deadline is fast approaching. As of that date, if merchants don't use a software application that is PA-DSS compliant, or that is out of scope for PA-DSS compliance (there are solutions for software providers to do this), they will risk losing the ability to accept credit cards from their customers entirely, as well as fines.
AlpineWeb (Author) Posted February 16, 2010

> These two articles might be helpful to you, AlpineWeb: how to become PCI DSS compliant, and PA-DSS Implementation. The July 1 deadline is fast approaching. As of that date, if merchants don't use a software application that is PA-DSS compliant, or that is out of scope for PA-DSS compliance (there are solutions for software providers to do this), they will risk losing the ability to accept credit cards from their customers entirely, as well as fines.

Thanks jgross, these and the accompanying articles are a great overview of PCI compliance. All of the posters in this thread should read them. It will answer many questions.

Cheers,
Uwe Schneider
skycomp Posted July 6, 2010

Any update on this? July 1st was the deadline.
openmind Posted April 18, 2012

Bumpity bump. I am now in the situation where I need evidence that WHMCS is validated according to PABP/PA-DSS...
rodeoXtreme Posted April 18, 2012

We have become PCI compliant, including the supporting PCI Policy Sets D, using WHMCS. We have a separate database that handles the credit card information, and we do not utilize any hash to view the full credit card. As a Level 3 Merchant we made the scan and passed, and then generated the Policies. We hired a 3rd-party PCI auditor and again passed it. Our auditor said that most people fail an audit, even with a simple scan, if they do not have an active, up-to-date PCI Policy Manual in place with the proper checklists and signatures.

In addition, we stopped taking payments over the phone and direct the client to the Client Portal to complete the payments; but we still had to have our departments secured with access cards, and we installed cameras as a secondary measure.

As for WHMCS being secured, I assume that since we are compliant without WHMCS being certified we would be okay in the event of a real PCI audit.

My 2 cents worth.
openmind Posted April 19, 2012

Becoming PCI compliant has nothing to do with PA-DSS, I'm afraid. The PA-DSS standard is for software applications that handle sensitive credit card data (as WHMCS does) and ensures the application is secure enough. It is a complex and sometimes expensive standard to achieve, and unfortunately WHMCS needs to become verified sooner rather than later, as Visa will be clamping down very hard on merchants who aren't fully compliant.
openmind Posted April 25, 2012

Another bump. Could Matt or a member of WHMCS comment on this?