Design & Development

Not PCI Compliant? No Problem

By Practical eCommerce’s count, there are nearly 600 English-language shopping carts. These include hosted carts, licensed software carts and open-source carts. There are small ones with just a few clients, and large ones with tens of thousands of clients.

But, as of July 14, only 40 of them were either PCI compliant (hosted solutions) or PA-DSS validated (licensed shopping carts). That date is important because the PCI Security Standards Council has long held that shopping carts, which are either “Payment Applications” or “Validated Service Providers” as defined by that organization, must affirmatively pass compliance standards by July 1, 2010. And it’s easy to determine the carts that have been approved because there are two separate lists that contain them.

Approved Shopping Carts

First, for licensed carts, the list is maintained by the PCI Security Standards Council itself. The list contains all types of software that retailers, online and not, use to process credit cards. This includes point of sale terminals, various payment gateway applications, and online shopping carts. As of July 14, 18 licensed online shopping carts appeared on the list.

Second, for approved hosted shopping carts, Visa maintains the list. Visa groups hosted shopping carts with other “Validated Service Providers,” and that list includes payment gateways, facilitators and other non-licensed-software payment providers, including hosted carts. The list is a 57 page PDF document and, by Practical eCommerce’s count, it contains 22 hosted shopping carts.

With 40 out of roughly 600 carts appearing on one of the two lists, and with the July 1 date firmly behind us, we asked a spokesman for the PCI Security Standards Council what, exactly, happens now. “Visa is responsible for enforcement,” said the spokesman, and not the PCI Security Standards Council.

Merchant Account Providers Are Responsible

In fact, the July 1, 2010 date imposed by Visa, closely read, applies to merchant account providers, and not the shopping cart providers. It’s the merchant account providers (also known as acquirers, independent sales organizations or ISOs, and merchant banks) who must ensure that merchants use only PCI-compliant carts by July 1, says Visa.

That leaves merchant account providers with the unenviable task of relying on the revenue from their ecommerce clients, and simultaneously demanding that those clients change or upgrade to shopping carts that are PCI-approved. Personnel from many of those approved carts, in conversations with Practical eCommerce staff, have told us that they have spent upwards of $20,000 and more to obtain compliance. Other, smaller cart providers have told us that they simply don’t have the money to hire programmers and alter code to meet the standards.

There are many questions, of course, having to do with merchants who use older, non-compliant versions of shopping carts whose latest versions are compliant. Must those merchants upgrade to the newest version? And what about the cart providers who have spent the money to gain compliance, but now see no tangible benefit to it all?

Interview with Visa Executive

For all of this, we corresponded with Jennifer Fischer, head of U.S. payment system risk for Visa Inc. According to Fischer, “Payment System Risk focuses on executing Visa acquirer and issuer risk programs and data security initiatives geared toward reducing risk throughout the payment system. This includes advancement of compliance with industry security standards, such as the PCI Data Security Standard, and fraud and chargeback reduction programs.”

Fischer is a Certified Information Systems Security Professional, or CISSP, and has been focused on payment system security since 2001, when Visa launched its Cardholder Information Security Program.

Our email interview with her follows below.

Practical eCommerce: Only a small portion of online shopping carts are PCI-approved. What happens to them after July 1?

Jennifer Fischer

Jennifer Fischer

Jennifer Fischer: “Many online shopping carts are often offered to merchants as software-as-a-service (SaaS). These solutions are customized, hosted, and managed by third parties and as such are reviewed against the PCI DSS. A number of commonly used shopping cart vendors can be found on Visa’s Global List of PCI DSS Validated Service Providers. Software vendors that sell their shopping carts as ‘off-the-shelf’ products should have their products validated against the PA-DSS and demonstrate this validation by getting listed on the PCI SSC’s List of Validated Payment Application.”

PEC: What happens to ecommerce merchants after July 1 that are using non-compliant shopping carts?

Fischer: “Merchant banks should be working with their ecommerce merchants to determine whether they are using compliant shopping cart applications. If not, the bank should be working with the merchant to determine a migration path and Visa will work with the merchant banks to monitor the progress of their merchants. Payment applications used by merchants often introduce vulnerabilities that can lead to payment card data compromises if not properly secured so it is important for merchants to ensure that they are using PA-DSS compliance applications and that they are PCI DSS complaint.”

PEC: What is Visa’s role in all of this?

Fischer: “Visa established the Payment Application Security mandates to eliminate the use of vulnerable applications from the payment systems and promote use of applications that support PCI DSS compliance. Visa has taken a leadership role in promoting data security by developing industry standards and related compliance mandates based on common vulnerabilities and risks impacting the payment card industry. Visa works with merchant banks to support compliance with these mandates and to monitor progress among merchants.”

PEC: The PCI Security Council tells us that it has no role in determining punishment, fines and enforcement for the PA-DSS standards. They said all of that comes from Visa. Is this true?

Fischer: “The PCI Security Standards Council is responsible for maintaining the data security standards (PCI DSS, PA-DSS, and PTS). The card brands (Visa, MasterCard, American Express, Discover and JCB) are responsible for maintaining compliance programs as well as enforcement of the compliance programs. Visa addresses any compliance issues with the Visa Payment Application Security Mandates with the merchant banks to ensure they are working with their merchants to migrate toward use of PA-DSS compliant applications.”

PEC: What role do merchant account providers play in all of this?

Fischer: “By providing payment processing services, merchant banks and independent sales organizations (ISOs) maintain contractual relationships with their merchants. As part of this relationship, acquirers are responsible for ensuring merchants that store, process or transmit Visa payment cardholder data comply with the PCI DSS and use PA-DSS compliant applications.”

PEC: Who determines whether an ecommerce merchant is using a non-compliant shopping cart?

Fischer: “Merchant banks are responsible for the overall risk of their merchants through their underwriting and approval process when boarding new merchants. As a part of this contractual relationship with the merchant, the merchant banks and ISOs are responsible for identifying the merchant’s payment application and determine whether or not it is PA-DSS compliant.”

PEC: What are the ramifications to an ecommerce merchant who is otherwise PCI compliant but stills uses a non-PA-DSS cart?

Fischer: “All merchants that store, process, or transmit Visa payment card data must comply with the PCI DSS. The PA-DSS requirements are aimed at software providers and are a subset of requirements from the PCI DSS. A merchant that has validated full PCI DSS compliance with their merchant bank fulfills the Visa Payment Application Security Mandates.”

PEC: Anything else our readers (ecommerce merchants) should know about the upcoming PA-DSS certification deadline?

Fischer: “In regards to the Visa Payment Application Security mandates, if a payment application has validated to Visa’s old Payment Application Best Practices (PABP) standard, it still meets Phase 5 of the Payment Application Security Mandates. Please review the November 6, 2009 FAQs posted at under ‘Payment Applications.'”

Kerry Murdock
Kerry Murdock
Bio   •   RSS Feed