PA-DSS and PCI Compliance


AlpineWeb

We have passed PCI compliance with WHMCS. The application is fine. It is you and your site that need to pass.

They require a network scan and to answer some questions on how the data is stored and who has access to it.

 

Passing a PCI scan is only the tip of the iceberg. Keep in mind that there are other requirements such as PA-DSS to meet. In the end it may be the merchant or bank that sets what software it will accept.

 

This is paraphrased from the https://www.pcisecuritystandards.org/ website:

 

When 7/1/2010 rolls around:

 

Acquirers must ensure their merchants, VNPs and agents use only PABP-compliant applications, which means that:

 

As of 7/1/2010, you must use PA-DSS certified e-commerce software on your web site.

 

As I stated above, there is a lot more to this issue than meets the eye.


  • WHMCS CEO

Hi,

 

There's a number of threads that already exist regarding PCI Compliance, but as we've stated previously in those, we would certainly like to be PA-DSS certified, and are actively working towards it. However, there is a significant cost in becoming certified and ongoing costs in re-certifying new releases, which means certification will be done nearer the required date. In the meantime, our aim is to be PA-DSS compliant (which we are for the most part) and PCI compliant so that WHMCS doesn't hinder you in achieving compliance.

 

Matt


  • 2 weeks later...

If we are using any gateway that processes CC details in the background (like PayPal Pro), then WHMCS stores the CC information in the database. So this means we need to be PCI compliant to do this kind of processing. Am I right?

 

Can someone here who has got PCI Compliance throw some light how did you get it?

 

Thanks.


For Website Payments Pro (PayPal UK) you only need a PCI-DSS vulnerability scan. I know because I've just done it.

 

A PCI-DSS scan has nothing to do with WHMCS. It will scan your server IP, cycling through a big long list of known vulnerabilities and server weaknesses. If you have any security warnings over a score of 4.0 then you will not be compliant.

 

I used instantssl.com for the scan service, whereby they produce a certificate once you're compliant, £165 odd.

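The "score of 4.0" in the post above is the CVSS base-score cutoff that PCI ASV scans apply: a finding with a base score of 4.0 or higher fails the scan. As an added example (not code from this thread or from WHMCS), the Python below computes CVSS v2 base scores (the CVSS version in use when this thread was written) from vector strings and applies that cutoff to a constructed list of findings; the hosts, ports, titles and vectors are made up for illustration, and the threshold rule is only part of the ASV Program Guide, which also lists automatic failures that apply regardless of score.

```python
"""CVSS v2 base scoring with the PCI ASV >= 4.0 fail rule applied to a
constructed set of scan findings.  Added example, not code from the thread
or from WHMCS; the findings below are made up for illustration."""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights, as published in the CVSS v2 specification.
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}       # Access Vector
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}        # Access Complexity
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}       # Authentication
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}      # Confidentiality/Integrity/Availability impact

# PCI ASV Program Guide: any finding with a CVSS base score of 4.0 or higher
# makes the scan non-compliant (automatic failures not modelled here).
ASV_FAIL_THRESHOLD = 4.0


def _round1(x: float) -> float:
    """CVSS 'round_to_1_decimal' is half-up; Python's round() is banker's rounding."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into a metric dict, rejecting bad input."""
    parts = dict(item.split(":", 1) for item in vector.split("/"))
    tables = {"AV": _AV, "AC": _AC, "Au": _AU, "C": _CIA, "I": _CIA, "A": _CIA}
    if set(parts) != set(tables):
        raise ValueError(f"CVSS v2 vector needs exactly {sorted(tables)}: {vector!r}")
    for key, table in tables.items():
        if parts[key] not in table:
            raise ValueError(f"bad value {parts[key]!r} for {key} in {vector!r}")
    return parts


def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base score equation."""
    m = parse_vector(vector)
    c, i, a = _CIA[m["C"]], _CIA[m["I"]], _CIA[m["A"]]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176   # no impact at all scores 0.0
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


# Constructed findings in the shape a scan report summary might take.
SAMPLE_FINDINGS = [
    {"host": "203.0.113.10", "port": 443, "title": "Weak cipher suites offered",
     "cvss2": "AV:N/AC:M/Au:N/C:P/I:N/A:N"},
    {"host": "203.0.113.10", "port": 22, "title": "Service banner disclosure",
     "cvss2": "AV:N/AC:L/Au:N/C:N/I:N/A:N"},
    {"host": "203.0.113.10", "port": 80, "title": "Outdated web server version",
     "cvss2": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
]


def evaluate_scan(findings: list) -> dict:
    """Score every finding and apply the ASV threshold.

    Returns {'compliant': bool, 'failing': [...], 'scored': [...]}."""
    scored = []
    for f in findings:
        score = cvss2_base_score(f["cvss2"])
        scored.append({**f, "score": score, "fails": score >= ASV_FAIL_THRESHOLD})
    failing = [s for s in scored if s["fails"]]
    return {"compliant": not failing, "failing": failing, "scored": scored}


if __name__ == "__main__":
    result = evaluate_scan(SAMPLE_FINDINGS)
    for s in result["scored"]:
        flag = "FAIL" if s["fails"] else "pass"
        print(f"{flag}  {s['score']:>4}  {s['host']}:{s['port']}  {s['title']}")
    print("Scan compliant:", result["compliant"])
```

Run as a script it prints one line per finding with its computed score and whether it breaches the 4.0 cutoff; in the constructed data the weak-cipher finding scores 4.3 and the outdated server 7.5, so the scan is non-compliant even though the banner disclosure scores 0.0. The point a practitioner should take from it is that a "medium" finding is enough to fail an ASV scan, so remediation has to be driven by the score, not by the severity label.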

  • 4 months later...

These two articles might be helpful to you, AlpineWeb - how to become PCI DSS compliant and PA-DSS Implementation. The July 1 deadline is fast approaching. As of that date, if merchants don't use a software application that is PA-DSS compliant or that is out of scope for PA-DSS compliance (there are solutions for software providers to do this), they will risk losing the ability to accept credit cards from their customers entirely as well as fines.


Thanks jgross, these and the accompanying articles are a great overview re PCI Compliance. All of the posters to this thread should read them. It will answer many questions.

 

Cheers,

Uwe Schneider


  • 4 months later...
  • 1 year later...

We have become PCI Compliant including the supporting PCI Policy Sets D using WHMCS. We have a separate database that handles the credit card information and we do not utilize any hash to view the full credit card.

 

As a Level 3 Merchant we ran the scan and passed, and then generated the policies. We hired a 3rd-party PCI auditor and again passed. Our auditor said that most people fail an audit, even with a simple scan, if they do not have an active, up-to-date PCI Policy Manual in place with the proper checklists and signatures.

 

In addition, we stopped taking payments over the phone and direct the client to the Client Portal to complete the payments; but we still had to have our Departments secured with access cards and we installed cameras as a secondary measure.

 

As for WHMCS being secured, I assume that since we are compliant without WHMCS being certified we would be okay in the event of a real PCI audit.

 

My 2 cents worth.


Becoming PCI compliant has nothing to do with PA-DSS I'm afraid. The PA-DSS standard is for software applications that handle sensitive credit card data (as WHMCS does) and ensures the application is secure enough.

 

It is a complex and sometimes expensive standard to achieve and unfortunately WHMCS needs to become verified sooner rather than later as Visa will be clamping down very hard on merchants who aren't fully compliant.

