There are a number of matters an ecommerce business must address to become PCI compliant. For one, an online merchant’s shopping cart must be certified via the PCI’s PA-DSS process. A merchant’s web hosting environment and payment gateway have to be secure. And a merchant’s own internal payment data handling practices must adhere to the requirements of the PCI Security Standards Council. In this “eCommerce Know-How,” I will focus solely on shopping carts and, more specifically, I will give you three important questions you need to answer about your shopping cart. Answering these questions will bring you one step closer to operating a PCI compliant business.
1. Does my shopping cart need to be PA-DSS certified?
For the vast majority of merchants, the answer to this question is “yes.” The goal of PA-DSS (payment application data security standard) certification, according to the PCI Security Standards Council website, is “to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data.” The PCI Security Standards Council makes it clear that all payment applications must be PA-DSS certified.
A small number of businesses use an outsourced payment process like Google Checkout, PayPal, or PayPal Express. In such cases, the merchant’s shopping cart is not considered a payment application because it is neither storing nor passing payment information. As a result, the shopping cart in such instances does not need to be PA-DSS certified.
The payment application security mandates state that credit-card acquirers must ensure their merchants, VisaNet Processors (VNPs) and agents use only PA-DSS compliant applications by July 1, 2010.
2. How do I know if my shopping cart is compliant?
Shopping cart developers voluntarily submit their carts for testing by the PCI Security Standards Council. The carts are vetted to make sure they are not improperly storing personal data. The PCI Security Standards Council maintains a list of licensed shopping carts that have been PA-DSS certified.
Hosted shopping cart developers (versus licensed carts) have to prove their compliance through an assessment with a Council-trained Qualified Security Assessor. Payment associations keep track of hosted shopping carts that have been certified as PCI compliant. Visa, for example, publishes a list of these approved carts.
3. What do I do if my cart is not compliant?
If your shopping cart does not appear on either list, ask the developer directly whether he or she has applied for certification. The application process is time-consuming and expensive, so your cart may currently be undergoing evaluation.
It is also possible that your shopping cart developer has opted to avoid the certification process because of the inherent expense. By Practical eCommerce’s count, there are more than 350 shopping carts available to merchants, but most of them do not appear on either validated list.
If you, as an online merchant, get the sense that your shopping cart developer does not intend to comply with the PA-DSS mandate, it’s time to consider other options. A small business can face serious repercussions if it is not PCI compliant. For example, acquiring banks or processors can fine the merchant and rescind its privilege to accept credit cards.
A PA-DSS validated shopping cart is just one component of PCI compliance, but it is vital. If you are a merchant who either stores or passes payment information, you need to determine whether your shopping cart has been validated. If your cart has not been certified or is currently undergoing certification, there are options available to you.
Later this week, in Practical eCommerce’s continuing series on PCI compliance, we’ll describe options for ecommerce merchants currently using a shopping cart that is not PA-DSS validated.