In a previous post I touched on the new PA DSS standards set by the (PCI SSC) PCI Security Standards Council affecting our decision for the 3.7 release. I now want to take a few minutes of your time to talk in depth about what PA DSS is and how it affects our industry and your business.
The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In July of 2010 standards will no longer be option, but required by any payment application dealing with card holder data. Simply put, if a merchant is not running a PA DSS-validated application after the deadline, they will automatically fail their PCI assessment.
In July of next year, new merchants that apply to get a merchant account will have to show the bank, as one of the steps to getting the account, that they are using a PA DSS certified shopping cart. Currently, the only place that will have the verified list is the Visa website. If the cart they are using isn’t certified, the store owner will not be able to get a merchant account. Increasingly, merchants are getting letters about compliance and it will ultimately lead much higher fees for those on an uncertified platform and, we believe, ultimately to the cancellation of services if an approved platform isn’t adopted.
We are in the final stages of being certified and our 3.7 release will be our first PA DSS certified release. We are trying to be on the leading edge of the education process for our industry and it is very clear there are a lack of understanding and a ton of misinformation out there. I have personally been sending in requests to cart companies asking about PA DSS certification. My question is simply – are you currently, or in the process of becoming PA DSS certified for your shopping cart? Here are a couple responses.
“It does not need to be. The server is the portion that needs the certification as the cart does not handle the CC information but hands it off to a payment gateway.”
Here’s another – “PA DSS software vendor – I am 99% sure this is for your quarterly network scans which need to take place. We use MacAfee which are qualified.
I have more but all of them are patently false answers. Unless you are only using a payment product like PayPal standard where the card holder data isn’t touched by the application, you should be using a PA-DSS certified application. We are seeing an increase in this type of offering from the gateway companies but these pages aren’t on the client’s website and that simple change guarantees a decrease in sale conversions. I will write a separate post on this topic in the coming weeks.
It’s important to understand that at the time of this posting, no open source or “free” application has announced any intent of certifying their applications PA-DSS. In fact, Magento has clearly stated on their site they WILL NOT be certifying their community application and are encouraging customer to move up to their $10,000 enterprise level application to reach certification. This, of course puts many merchants in a bad situation. We are in the process of working with a number of vendors who will assist clients in moving from these non-compliant applications into PinnacleCart.
Undoubtedly, the changes in our industry will create considerable consolidation. By and large the shopping cart industry has been considered a cottage industry made up of hundreds of companies with just 2-3 people. The tens of thousands of dollars that must be invested and the changes to the software product will be too much for many to withstand.
As part of our effort to educate the industry, we will have a booth at the Hosting Con Tradeshow in Washington D.C., next month and I will be part of a panel speaking on this topic. Hope to see some of you at the convention or at our booth #343.
Feel free to give me a call or drop me an email to discuss further.
Mike Auger