Practical Ecommerce

Not PCI Compliant? No Problem

By Practical eCommerce’s count, there are nearly 600 English-language shopping carts. These include hosted carts, licensed software carts and open-source carts. There are small ones with just a few clients, and large ones with tens of thousands of clients.

But, as of July 14, only 40 of them were either PCI compliant (hosted solutions) or PA-DSS validated (licensed shopping carts). That date is important because the PCI Security Standards Council has long held that shopping carts, which are either “Payment Applications” or “Validated Service Providers” as defined by that organization, must affirmatively pass compliance standards by July 1, 2010. And it’s easy to determine the carts that have been approved because there are two separate lists that contain them.

Approved Shopping Carts

First, for licensed carts, the list is maintained by the PCI Security Standards Council itself. The list contains all types of software that retailers, online and not, use to process credit cards. This includes point of sale terminals, various payment gateway applications, and online shopping carts. As of July 14, 18 licensed online shopping carts appeared on the list.

Second, for approved hosted shopping carts, Visa maintains the list. Visa groups hosted shopping carts with other “Validated Service Providers,” and that list includes payment gateways, facilitators and other non-licensed-software payment providers, including hosted carts. The list is a 57-page PDF document and, by Practical eCommerce’s count, it contains 22 hosted shopping carts.

With 40 out of roughly 600 carts appearing on one of the two lists, and with the July 1 date firmly behind us, we asked a spokesman for the PCI Security Standards Council what, exactly, happens now. “Visa is responsible for enforcement,” said the spokesman, and not the PCI Security Standards Council.

Merchant Account Providers Are Responsible

In fact, the July 1, 2010 date imposed by Visa, closely read, applies to merchant account providers, and not the shopping cart providers. It’s the merchant account providers (also known as acquirers, independent sales organizations or ISOs, and merchant banks) who must ensure that merchants use only PCI-compliant carts by July 1, says Visa.

That leaves merchant account providers with the unenviable task of relying on the revenue from their ecommerce clients while simultaneously demanding that those clients change or upgrade to shopping carts that are PCI-approved. Personnel from many of those approved carts, in conversations with Practical eCommerce staff, have told us that they have spent upwards of $20,000 to obtain compliance. Other, smaller cart providers have told us that they simply don’t have the money to hire programmers and alter code to meet the standards.

There are many questions, of course, having to do with merchants who use older, non-compliant versions of shopping carts whose latest versions are compliant. Must those merchants upgrade to the newest version? And what about the cart providers who have spent the money to gain compliance, but now see no tangible benefit to it all?

Interview with Visa Executive

For all of this, we corresponded with Jennifer Fischer, head of U.S. payment system risk for Visa Inc. According to Fischer, “Payment System Risk focuses on executing Visa acquirer and issuer risk programs and data security initiatives geared toward reducing risk throughout the payment system. This includes advancement of compliance with industry security standards, such as the PCI Data Security Standard, and fraud and chargeback reduction programs.”

Fischer is a Certified Information Systems Security Professional, or CISSP, and has been focused on payment system security since 2001, when Visa launched its Cardholder Information Security Program.

Our email interview with her follows below.

Practical eCommerce: Only a small portion of online shopping carts are PCI-approved. What happens to them after July 1?


Jennifer Fischer: “Many online shopping carts are often offered to merchants as software-as-a-service (SaaS). These solutions are customized, hosted, and managed by third parties and as such are reviewed against the PCI DSS. A number of commonly used shopping cart vendors can be found on Visa’s Global List of PCI DSS Validated Service Providers. Software vendors that sell their shopping carts as ‘off-the-shelf’ products should have their products validated against the PA-DSS and demonstrate this validation by getting listed on the PCI SSC’s List of Validated Payment Applications.”

PEC: What happens to ecommerce merchants after July 1 that are using non-compliant shopping carts?

Fischer: “Merchant banks should be working with their ecommerce merchants to determine whether they are using compliant shopping cart applications. If not, the bank should be working with the merchant to determine a migration path, and Visa will work with the merchant banks to monitor the progress of their merchants. Payment applications used by merchants often introduce vulnerabilities that can lead to payment card data compromises if not properly secured, so it is important for merchants to ensure that they are using PA-DSS compliant applications and that they are PCI DSS compliant.”

PEC: What is Visa’s role in all of this?

Fischer: “Visa established the Payment Application Security mandates to eliminate the use of vulnerable applications from the payment systems and promote use of applications that support PCI DSS compliance. Visa has taken a leadership role in promoting data security by developing industry standards and related compliance mandates based on common vulnerabilities and risks impacting the payment card industry. Visa works with merchant banks to support compliance with these mandates and to monitor progress among merchants.”

PEC: The PCI Security Council tells us that it has no role in determining punishment, fines and enforcement for the PA-DSS standards. They said all of that comes from Visa. Is this true?

Fischer: “The PCI Security Standards Council is responsible for maintaining the data security standards (PCI DSS, PA-DSS, and PTS). The card brands (Visa, MasterCard, American Express, Discover and JCB) are responsible for maintaining compliance programs as well as enforcement of the compliance programs. Visa addresses any compliance issues with the Visa Payment Application Security Mandates with the merchant banks to ensure they are working with their merchants to migrate toward use of PA-DSS compliant applications.”

PEC: What role do merchant account providers play in all of this?

Fischer: “By providing payment processing services, merchant banks and independent sales organizations (ISOs) maintain contractual relationships with their merchants. As part of this relationship, acquirers are responsible for ensuring merchants that store, process or transmit Visa payment cardholder data comply with the PCI DSS and use PA-DSS compliant applications.”

PEC: Who determines whether an ecommerce merchant is using a non-compliant shopping cart?

Fischer: “Merchant banks are responsible for the overall risk of their merchants through their underwriting and approval process when boarding new merchants. As a part of this contractual relationship with the merchant, the merchant banks and ISOs are responsible for identifying the merchant’s payment application and determining whether or not it is PA-DSS compliant.”

PEC: What are the ramifications to an ecommerce merchant who is otherwise PCI compliant but still uses a non-PA-DSS cart?

Fischer: “All merchants that store, process, or transmit Visa payment card data must comply with the PCI DSS. The PA-DSS requirements are aimed at software providers and are a subset of requirements from the PCI DSS. A merchant that has validated full PCI DSS compliance with their merchant bank fulfills the Visa Payment Application Security Mandates.”

PEC: Anything else our readers (ecommerce merchants) should know about the upcoming PA-DSS certification deadline?

Fischer: “In regards to the Visa Payment Application Security mandates, if a payment application has validated to Visa’s old Payment Application Best Practices (PABP) standard, it still meets Phase 5 of the Payment Application Security Mandates. Please review the November 6, 2009 FAQs posted at www.visa.com/cisp under ‘Payment Applications.’”

Kerry Murdock


  1. mjruser July 14, 2010 Reply

    Not PCI Compliant? ***No Problem***. What?

    I see nothing in this article which indicates that mishandling credit card data by not following the rules is ‘No Problem’. All articles published to date on PE are in opposition to this one?

    Just because it’s the merchant account providers’ responsibility to police this doesn’t mean it’s no problem for the merchant.

    I totally don’t get the ‘no problem’ in this article’s title, it’s quite misleading and could give merchants a false sense of security.

    Please explain how it’s no problem?

  2. Kerry Murdock July 14, 2010 Reply

    @mjruser

    To date, there’s been no enforcement by merchant account providers, the PCI Security Council or Visa. Failure to adhere to the PCI standards has not resulted in any sort of penalty to merchants.

    Thus, it’s "no problem." So far.

    Kerry M.

  3. mjruser July 14, 2010 Reply

    @Kerry

    The title is totally misleading and should be changed. There isn’t a single bit of data in the article itself which indicates it’s no problem. The facts are quite clear, that Visa will start hitting the merchant account providers with BIG fines…then that will roll down hill to the merchants. That’s a problem.

    Wells Fargo has sent out statements to merchants that they will be fined monthly for not using a PCI certified solution. It’s very difficult for a new merchant to get an account unless they are using a certified solution. Both are problems.

    I think you’re doing your readers a disservice with this article’s title. Just because you’ve not been caught speeding it doesn’t mean it’s no problem to do 100 mph in a 35 zone. It’s a problem if you’re putting your customers’ cardholder data at risk by flying in the face of the rules!

  4. mjruser July 14, 2010 Reply

    @Kerry

    Effective July 1st Visa has put the liability* fully on the merchants’ shoulders should they have a breach, IF they are not following the rules. There are also a number of state laws that were basically authored by the CC companies that say the same thing.

    These breaches are very costly and I’d expect Visa to do anything they can to pass these costs onto non-compliant merchants.

    * Investigative costs, card holder reimbursement, etc.

  5. NPerez July 14, 2010 Reply

    I’ve been looking for a good PA-DSS article. Thank you. Up until now, there has been absolutely no authoritative information available on the deadline & what it all means.

    So I have come to the conclusion that the PCI SSC are just as confused as I am, and that’s why they’re being so confusing.

    It seems like Fischer is saying that the PCI-DSS is all that’s needed to fulfill the Visa Payment Application Security Mandates. She also says that acquirers will work to migrate merchants to PA-DSS carts. If I’m already fulfilling the mandate by being PCI compliant, I’m not migrating, yet it seems like the acquirers are required to require me to go beyond the requirements of the mandate. *whew*

    I now understand that the point of PA-DSS is to make it easier to achieve PCI compliance, but if that’s the case, they shouldn’t be adding it to any merchant mandates (and yes, it is technically mandatory that acquirers hassle merchants about the PA-DSS). It’s like they forgot that PCI compliance is possible without PA-DSS compliance.

  6. pcidude July 14, 2010 Reply

    I disagree that there has been no enforcement around the PCI DSS. I am aware of level 1 and 2 merchants that have been fined by their Acquiring Banks for non-compliance. Also, I’ve heard of a situation where a card brand has pulled the right to accept their cards from an organization due to a breach.

  7. mbruno July 14, 2010 Reply

    The "no problem" and "Merchant Account Providers are responsible" statements are very misleading. The fact is if a business is breached and is found to be non-compliant with the PCI DSS requirements, the card brands (like Visa(r) and MasterCard(r)) fine the merchant services provider, who then fines the offending business.

    The major card brands require all businesses in the United States accepting their cards validate compliance with PCI DSS. While it’s the merchant services provider’s (or merchant account provider’s) responsibility to enforce the regulations for small / medium sized businesses (aka level 4 businesses) – it is the business owner’s responsibility to become and maintain PCI DSS compliance. The fact that merchant account providers need to enforce the regulations does NOT remove the business owner’s responsibility or, more importantly, liability. Since part of being PCI DSS compliant means using PA DSS approved equipment – PA DSS is indeed something all business owners need to be aware of.

    What’s the “problem”? To start, fines, fees and the cost. Groups like the Ponemon Institute (http://www.ponemon.org/news-2/23) and others have estimated a data security breach to cost ~$204 per record. Using that logic, if a business processes 500 transactions a month, each month costs an estimated $100,000. Many breaches go undiscovered for 3 months or more.

    The long story short – business owners need to use PA-DSS compliant equipment (including shopping carts) and need to be managing their own PCI DSS compliance. While the merchant services provider should help, not all volunteer it. As a business owner, ask your provider for help, work with your IT department (if you have one), get answers and do research. If your merchant services provider isn’t helping you become compliant, find one that will.

    While you may think PA DSS is "not a problem" now, you’ll sing a different tune when you suffer a data breach and receive fines of hundreds of thousands of dollars.

    My company posts a website that has some helpful information about the topic – http://www.paymentlogistics.com/pci-dss-compliance.

  8. NPerez July 14, 2010 Reply

    @mbruno, you are mistaken when you say that "Part of being PCI DSS compliant means using PA DSS approved equipment". PCI-DSS compliance is possible without PA-DSS compliance.

    This is a quote taken directly from the PCI-DSS specification available on pcisecuritystandards.org:
    "Note: It is not a PCI DSS requirement to use PA-DSS validated applications. Please consult with each payment brand individually to understand their PA-DSS compliance requirements."

    I think a lot of e-commerce professionals do not understand this, which is a big problem.

  9. singlemalt July 14, 2010 Reply

    Complete and utter boondoggle.

    Another way to bilk merchants. This is such a load of crap. Remember 2005, what happened to PCI then? I thought there were going to be fines back in 2006 if you weren’t PCI?! I thought that deadline was "it"…

    I’m all for security and I think PCI is a nice "starting point". But we ALL KNOW that if Visa started pelting merchants with heavy fines, they’d be looking at deep revenue losses. Why? Most of the merchants are doing far less than 100,000 transactions per month. In fact, 99% of their business comes from merchants doing less than 3,000 transactions a month.

    The fines for most merchants are worth just paying and ignoring the whole process. I’ve had some customers report back to me that they are "not compliant", and they got fined $30 bucks per month. Ok, not great. But then they went and checked out what it would take to get their cart scanned and get them into compliancy? Most of the customers said, "hell, I’ll pay the $30 a month… it’s the cost of doing business. Scanning is expensive and slows down my shopping cart…"

    How many merchants will just pay this fine and what does it do? It lines the coffers of the merchant bank — that’s it… no teeth, nothing.

    It’s like paying a parking ticket vs. a parking garage fee. If the law of diminishing returns falls into place, you pay the ticket.

    Then there’s the technical aspect of all this.

    The SaaS carts that she mentions? I ask this:

    How can PCI be "approved" on SaaS if your customers’ data is being saved in a database with other merchants and their customers? I read that spec. with a fine tooth comb. It clearly states, "Separate database, private network, and no combining of multiple merchants’ data…" Pretty clear to me.

    Also, and this is common sense. If that SaaS vendor has a breach, isn’t this worse than a merchant who has their own shopping cart hosted on a single server that was breached? How do you chase down multiple merchants’ customers who were breached vs. ONE merchant…

    Nobody wants to address that. Why? Because the SaaS vendors are throwing money at the PCI "approval services" — who makes money on that? Visa…

    This whole process is nothing more than Y2K all over again.

    The only good this does is puts more money into consulting and vendors who focus on PCI as a revenue stream.

    It doesn’t solve the security issue at all, it just is ONE company’s suggestion. What about American Express? Discover, MasterCard, etc? They are all different banks and processors, I don’t see them agreeing on this PCI (Visa) spec… What happens when AMEX comes out and says… "well, this is the way it should be." and it contradicts everything that Visa states!?

    None of them have come together and said, "this is the way it should be."

    It’s more likely that each company will have their own standard, why? They want to ensure the dollars flow to them when their merchants aren’t compliant with THEIR standard.

    Bottom line, you want to keep cards from being stolen?

    Simple.

    Turn on authorization and capture tokens in your shopping cart and be done with the whole thing. If you get hacked, the only information the hacker can possibly get is billing and shipping addresses, and even that can be protected fairly decently with some good encryption. MOST GOOD SHOPPING CARTS HAVE THIS…

    Scanning is pointless, expensive and has more false positives than it does truths. I’ve wasted more time updating boxes because McAfee told me a version of some software was "vulnerable" only to find out that the version they recommend is the latest "beta". Great….

    Again, I don’t trust anybody or company that has their revenue directly tied to the customer they are "fining" with a specification they are proposing to that customer. How about an independent body run by the government that is a non-profit? The council that’s pushing for all this is basically Visa behind the scenes…

  10. mjruser July 14, 2010 Reply

    @Singlemalt

    "The fines for most merchants are worth just paying and ignoring the whole process. I’ve had some customers report back to me that they are "not compliant", and they got fined $30 bucks per month. Ok, Not great. But then they went and checked out what it would take to get their cart scanned and get them into compliancy? Most of the customers said, "hell, I’ll pay the $30 a month… its the cost of doing business. Scanning is expensive and slows down my shopping cart…""

    Anyone currently being fined is likely to be stopped from accepting credit cards when the 1 year deadline of phase 4 comes up in October.

    "VNPs and agents must decertify all vulnerable payment applications"

    Clearly if you’re being fined, you’re one step away from decertification.

  11. mjruser July 14, 2010 Reply

    @Jennifer Fischer

    Did you indicate to Kerry (possibly) outside of the quotes in this article that Visa is NOT going to be going after non-compliant merchants (via the merchant account providers)?

    Since Kerry is being led to believe (by someone?) Visa is doing nothing to enforce the rules should we all just stop spending money on SSL certificates, firewalls, security testing, application certification, etc?

    After all it’s a terrible waste of money, when we could be spending the money on Google Adwords or that trip to Disneyland we’ve been putting off.

  12. mjruser July 15, 2010 Reply

    @Singlemalt

    ‘How about an independent body run by the government that is a non-profit?’

    Perhaps our government has more important things to do, like delaying another solution to the oil spill.

    Please name one thing that our government can do better than private industry… Besides weapons of mass destruction and public funded abortion.

  13. singlemalt July 15, 2010 Reply

    @mjruser,

    I’ll bite. But people like you probably think they should get everything for free and shouldn’t pay taxes… The oil spill is not the government’s problem. Remember, the prior admin pulled all the "teeth" associated with regulating these oil companies. You can’t have things both ways, you can’t have "free market" and no regulation… Should the current administration have reacted faster, maybe. But what could they have done, send in the military? Hahaha. Yeah, that’s great. Let’s get the army involved in something they know nothing about. On top of that, let’s FINE THE HELL out of BP and make sure they get something done. The problem with that? You fine the hell out of them and they go bankrupt and get nothing done. This is not as easy as people like you make it out to seem. Could things be better? Things COULD ALWAYS be better.

    The real issue isn’t what we can do now, it’s what we can do moving forward so things like this don’t happen again.

    Here goes….

    Things that the government does better than the private industry.

    Public education,
    Medicare
    Postal Service
    Police & Fire
    Local Services (such as snow removal and trash removal, road work)

    The government gets a bad rap. People are completely down on the postal service in this country. Talk to people in Europe, especially the Eastern bloc countries, about mail service. I think paying under 50 cents to mail a letter is incredibly cheap — and get this, it gets to where it’s going!

    We can sit here and argue about the quality or the cost of these services, but if things were private (for example Police and Fire) we’d have a situation where we’d be paying DOUBLE the costs and far less the quality we have now.

    A good example of that is the postal service, why do you think people in the e-commerce space are moving more towards USPS vs. UPS? The cost is killing merchants to ship packages under 5 lbs. USPS for all its bumps and warts is a very efficient and good system and it’s very inexpensive.

    If you believe otherwise, show me a service that’s cheaper and operates as well as USPS?

  14. singlemalt July 15, 2010 Reply

    @mjruser

    On your comments about merchants losing their accounts? That’s crap. Look at the numbers, about 90% of the merchants are doing transactions on line that are under 3,000 transactions per month. You start pulling the plug on that demographic, you’ll have some angry shareholders.

    What is more likely to happen is that they’ll simply fine them (as I stated) and the amount will be under $100 a month. Enough to hurt, not enough to go out of business.

  15. Louis Camassa July 15, 2010 Reply

    Great article Kerry! It’s good to see a different viewpoint on this scenario; which has been highlighted so frequently the last year or so.

    I agree with singlemalt: PCI compliance is a nice "starting point". However, it is not a silver bullet which will guarantee payment account safety and security. It is only a means of "enhancing payment account data security."

    Please don’t assume that since you have a PCI compliant solution that you are protected from every exploit or breach. It simply helps to establish more safeguards to protect your data. It is not a guaranteed, ironclad solution.

    On pcisecuritystandards.org, they make it clear that PCI won’t make you secure:

    Myth 4 – PCI will make us secure
    Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.

    https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf

    The Visa executive carefully side-stepped the question that was asked twice, "What happens to ecommerce merchants after July 1 that are using non-compliant shopping carts?". So, what happens?

  16. Pamela Hazelton July 16, 2010 Reply

    @NPerez

    That quote is misleading. Essentially, if you transmit payment data to/from your store, then you need to be using PA-DSS validated software.

    If, however, you use a third-party that only writes completed orders back (like PayPal) then it’s not required.

  17. Massimo Arrigoni July 17, 2010 Reply

    Kerry’s article was not misleading. It’s meant to be provocative, and Kerry is absolutely right in his assessment.

    Many players in this industry could do a much, much better job making things more clear for both merchants and consumers.

    Here is a quick example: why aren’t payment gateways clearly pointing out which shopping carts are PA-DSS validated and which are not? Or which hosted e-commerce solutions are PCI compliant and which are not?

    For example, look at the list of supported shopping carts on the [Authorize.Net](http://www.authorize.net/solutions/merchantsolutions/merchantservices/certifiedsolutiondirectory/) or [PayPal](https://cms.paypal.com/us/cgi-bin/?&cmd=_render-content&content_ID=developer/solutions_carts_wp_pro) Web site, just to name two of many.

    Where is information for merchants about PCI-DSS on those Web sites? Authorize.Net has a disclaimer in really small font, light gray, on the left side of the page (as of July 2010), which you can’t even see. Come on!

    Wouldn’t that be a natural place to indicate what solutions have been officially validated and which have not? Wouldn’t that help a merchant make a better decision on which solution to adopt, in terms of compliance with the PCI standards?

    The need for secure online stores is very real. The PCI Data Security Standards are there. The problem is that there is an aura of confusion that many players in the industry should help remove.

    Hopefully provocative articles like Kerry’s will help shake things up a bit.

  18. tmspay July 19, 2010 Reply

    The "no problem" really doesn’t seem to make a lot of sense. What was carefully stated by the VISA rep was that the Acquirer (credit card processor, ISO or Bank) that issues the merchant account is ultimately responsible to the Card Associations for the compliance of Merchants they board. The way VISA works is that it will fine the Acquirer for any breaches, hacks or misuses of data by the merchant due to the merchant’s failure to comply with the 12 requirements of PCI.

    Now, if the Acquirer is fined, the Acquirer will undoubtedly pass those fines down to the merchant. Therein lies the risk to the Acquirer. That is why Acquirers are becoming increasingly more concerned about the compliant status of the vendors of their merchants. It means something to be compliant. To achieve the recognition of being listed on VISA’s website for meeting the 12 requirements of Level One PCI compliance is a daunting task, and the merchants that appreciate this type of responsible data handling will most likely be treated with more respect from their processors, stay in the “safe harbor” in regards to being exposed to fines and will be at less risk of being terminated.

    Michael Brooks
    Principal -[TransGrade CRM](http://www.transgrade.com)

  19. Bill July 20, 2010 Reply

    What impact does the PCI-DSS have to countries other than the U.S.? Is it a world wide enforceable standard? In Australia – there’s talk of it, mainly because of information taken off U.S. websites, but I’ve seen no guidelines given to merchants or threat to enforce compliance through fines, etc.

  20. Michelle July 20, 2010 Reply

    My website invested a great deal of time and money into becoming PCI DSS compliant and for what exactly? So much for these huge fines people were supposed to be getting for not adhering to it!

    For small businesses this is and can be a big expense and the scare tactics used to push this "initiative" are unethical.

    I am based in the UK and none of my competitors have bothered to take it on board. Consumers have no idea what it is anyway.

  21. Steve @Erraticblog July 20, 2010 Reply

    Great article Kerry. And I do not think the title is misleading.
    The issue is not a problem now simply because it is not being widely enforced. There’s still a haze covering the whole topic.
    With that being said though, the issue should be a problem for anyone selling online. The time is coming when there will be widespread enforcement, and penalties for non-compliance. Anyone selling online should have long been on top of this issue for their store. There’s been plenty of time and warning. For those who are using non-compliant carts you should get busy now updating your carts and security.

  22. JackBaxter July 24, 2010 Reply

    On 7/21/10, Paymentech/Orbital shut off the link to my unapproved hosted cart. My merchant account is still alive, but they’re making me switch carts.