PCI Compliance Round 2
A few weeks ago I blogged about the PA-DSS regulations which are going to be taking effect over the next year.
PA-DSS (Payment Application Data Security Standard) is an additional security policy that addresses applications that store or transmit credit card data. The current regulation is ambiguous enough that many ecommerce shopping carts fall under the PA-DSS envelope. If you use an API method of integrating with your payment gateway, your shopping cart may need to be PA-DSS certified.
The current timeline for PA-DSS adoption is as follows:
- January 1, 2008: New PCI Level 4 merchants (including new locations of existing relationships) may not use vulnerable payment application versions, i.e. those that store prohibited cardholder data.
- October 1, 2008: New PCI Level 4 merchants using third-party payment software must be either PCI DSS-compliant or use PA-DSS validated compliant payment applications.
- July 1, 2010: ALL PCI Level 4 merchants (new and existing) using third-party software must use validated applications.
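The first deadline turns on whether an application stores prohibited cardholder data. The scanner below is an added example, not code from the original post or from any cart vendor: it walks constructed sample records (the `key=value` format and field names are assumptions) and flags what puts an application in scope. Full, unmasked PANs are found by Luhn-validating runs of 13 to 19 digits, and sensitive authentication data (magnetic-stripe track data, CVV2/CVC2/CID values, PINs) is flagged separately, since PCI DSS forbids storing that at all after authorization. A `mask_pan` helper shows the most of a PAN that may be displayed: the first six and last four digits.

```python
"""Scan stored records for cardholder data that puts a payment application
in PA-DSS / PCI DSS scope.  Added example; not code from the original post.
Record format and field names are assumptions."""
import re

# Constructed sample records in an assumed "key=value" log format.
SAMPLE_RECORDS = [
    "order=1001 pan=4111111111111111 exp=1227 cvv2=123",       # clear PAN + CVV2
    "order=1002 pan=411111******1111 exp=1227",                  # masked PAN only
    "order=1003 track2=;4111111111111111=12271011234567890?",    # full track 2
    "order=1004 pan=4111111111111112 exp=1227",                  # fails Luhn
    "order=1005 ref=20081001123456 amount=12.34",                # reference number
]

# 13-19 consecutive digits not adjacent to other digits: a PAN candidate.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Track 2 layout: start sentinel ';', PAN, separator '=', expiry/service
# code/discretionary data, optional end sentinel '?'.
TRACK2_RE = re.compile(r";\d{13,19}=\d{4,}[^?\s]*\??")
# Card verification / PIN fields: sensitive authentication data (SAD) that
# PCI DSS forbids storing after authorization, even encrypted.
SAD_FIELD_RE = re.compile(r"\b(?:cvv2?|cvc2?|cav2|cid|pin)\s*[=:]\s*\d+", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check card numbers use."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Digit runs of card-number length that also pass Luhn."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_ok(m.group(0))]


def scan_record(record: str) -> list[str]:
    """Classify what one stored record reveals.  Tags:
    'pan'       - a full, unmasked primary account number is stored
    'sad_track' - full magnetic-stripe track data is stored (prohibited)
    'sad_cvv'   - a card verification value or PIN is stored (prohibited)
    """
    tags = set()
    if find_pans(record):
        tags.add("pan")
    if TRACK2_RE.search(record):
        tags.add("sad_track")
    if SAD_FIELD_RE.search(record):
        tags.add("sad_cvv")
    return sorted(tags)


def scan_records(records: list[str]) -> dict[int, list[str]]:
    """Map record index -> findings, keeping only records with findings."""
    result = {}
    for i, rec in enumerate(records):
        tags = scan_record(rec)
        if tags:
            result[i] = tags
    return result


def stores_prohibited_data(records: list[str]) -> bool:
    """True if any record holds sensitive authentication data, i.e. the
    application behaves like a 'vulnerable payment application version'."""
    return any(t.startswith("sad_")
               for tags in scan_records(records).values() for t in tags)


def mask_pan(pan: str) -> str:
    """Render a PAN as the most that may be displayed: first six, last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for idx, tags in scan_records(SAMPLE_RECORDS).items():
        print(f"record {idx}: {', '.join(tags)}")
    print("stores prohibited data:", stores_prohibited_data(SAMPLE_RECORDS))
```

The Luhn check cuts false positives from order references and timestamps, but a long numeric field that happens to pass Luhn will still be flagged, so treat `pan` hits as candidates for manual review; the `sad_` tags are the ones that mark an application version as vulnerable regardless of how the PAN itself is protected.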
Here's the problem:
There is currently only one shopping cart that is PA-DSS certified: PDG Commerce. Additionally, Magento Enterprise, Miva Merchant, and X-Cart are scheduled to become PA-DSS certified. No other carts have announced that they are, or are planning on becoming, PA-DSS certified before the July 2010 deadline. There's still time to get certified, but four of the thousands of shopping cart providers is not a promising number.
Who's OK and who's not:
If you use an open source ecommerce platform like osCommerce, Zen Cart, Magento Community, etc., then you will most likely be OK by getting PCI DSS certified. This is already a requirement, so hopefully most businesses in this category have nothing more to do.
If you use a hosted ecommerce system or paid ecommerce software, and you do not have the rights or the ability to modify the code, then your cart most likely falls under PA-DSS certification. Ideally the company that created your cart will get the software PA-DSS compliant. They may end up being liable for this anyway, since they are the ones who distributed it and made money from it. On the other hand, it can be extremely expensive to get an application compliant, so they may just tell you no. You may be able to get PA-DSS compliant yourself, although I highly recommend against that option because of the cost and complexity of PA-DSS certification. It would require deep knowledge of the system you are using, more than most website owners or even their IT departments have.
Should have been paying attention:
PA-DSS is nothing new. It was introduced in 2007, but judging by the complete lack of progress towards it, ecommerce sites may be in for a bumpy ride. It's also unclear how hard a line the card companies are going to take on websites that are not PA-DSS or PCI compliant. If they go the full mile, they could shut down credit card processing for any website that isn't compliant. They could also hand down major fines for non-compliance. Time will tell, but it is certain that software companies have some major work to do in the next year.
DSS in the PCI or PA form isn't going away. Congress already doesn't think it is enough even though retailers think it is too much. If you aren't PCI compliant or you don't know what this is and you accept credit cards, it's time to get moving on it. My bet is with Congress on this one.
6 Comments
Marshall England says:
Great points Jamie, as the deadline dates get closer and closer I think there will be an increase in attempts to find 'simple & quick' solutions to the impending consequences of not being compliant, or to continue down the path of disbelief that something must be done. However, to your point in the "Should have been paying attention" section, time has been on the side of many merchants, service providers and software companies to educate and make themselves aware. If all of them are waiting for the deadline to take action I think they'll find themselves in a long line to get their application systems assessed; sticker-shocked and not done by the deadline.
I think there will be an increase in interest for solutions that can address segments of PCI or PA-DSS to help reduce the overall scope of their DSS needs such as tokenization.
treed says:
I have a client who is a level 3 merchant and wants to be able to store card data (but doesn't currently). So SAQ D would apply but fortunately no annual on-site audit.
They are not PCI compliant (far from it; they don't even have a firewall) and are wondering when/if they will ever be forced to become compliant. I cannot find any deadlines or anything published about when their ability to take credit cards will be affected. There seems to be little incentive to become compliant. I am trying to scare them with the liability thing, but not being computer security guys they don't really appreciate their risk level. Do you have any idea when/if such deadlines exist?
Even for PA-DSS what do these deadlines really mean? Will merchant accounts be turned off on that date if they are not compliant? If not what good do such deadlines do?
They wrote their own payment application so it would seem PA-DSS does not apply here.
ddapplicance says:
Pinnacle Cart has announced their intention to be PA-DSS certified. In fact they have been posting about their certification plans on the site for quite a while now.
Jamie Estep says:
Even for PA-DSS what do these deadlines really mean? Will merchant accounts be turned off on that date if they are not compliant? If not what good do such deadlines do?
I think that's the real question that we should all be asking.
Visa/MC took a half-a**ed approach at enforcing PCI (Except Level 1), which has led to the questionable PCI fee BS that we are currently seeing.
If they continue their weak enforcement of PCI, then I would expect the overall reaction to be much the same as it currently is. Whatever the case, I find it unlikely that Visa/MC will start performing audits. Like PCI, they'll most likely pass the burden down to the acquirers, who have no ability to understand, let alone enforce, PCI to a responsible level.
joanna says:
I would like to stress the PCI DSS compliance regulations that are taking effect, which will especially affect Level 4 merchants. Most merchants that store, process or transmit cardholder data must be compliant by now. However, as mentioned in an earlier post, by July 2010 any merchant that is not PCI compliant, including Level 4 merchants, will be de-certified and must stop accepting cards. Level 4 merchants are defined as those with fewer than 20,000 Visa transactions per year. Most small vendors will fall into this category.
I understand it in a way that as of July 2010, if you are a Level 4 merchant, you are either PCI compliant or you will no longer be able to accept payments.
PCI is not, in itself, a law. The standard was created by the major card brands such as Visa, MasterCard, Discover, AMEX, and JCB. At their acquirers'/service providers' discretion, merchants that do not comply with PCI DSS will be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach event occur.
treed says:
Joanna: I posted above back in June. My client (Level 3) is closer to being PCI compliant but still far from it. And they have heard absolutely nothing from their payment processor about becoming compliant. Most merchants that store, process, or transmit cardholder data surely are NOT yet compliant. It seems very unlikely that non-compliant merchants will be refused payment processing services, even by July 2010.