Quick Query: Shopping Cart Developer on PCI Compliance

Editor’s note: Payment Card Industry compliance is a requirement for ecommerce merchants. In an email to Practical eCommerce, PCI Security Standards Council General Manager Bob Russo stated, “All businesses that accept credit card data must be compliant with the DSS (Data Security Standard.)” Acquiring banks and processors are responsible for enforcement. And VISA makes it clear on the company website that as of July 1st, 2010, “Acquirers must ensure their merchants, VNPs (VisaNet Processors) and agents use only PA-DSS compliant applications.”

With that in mind, Practical eCommerce will begin publishing a series of articles aimed at answering merchants’ questions on the topic. If you have a PCI compliance question, email Kevin Patrick Allen, contributing editor, at and we’ll attempt to address it.

Payment Card Industry (PCI) compliance is a complex issue and it’s an issue that’s difficult for many ecommerce merchants to understand. It’s also a complex issue for vendors, but it can’t be ignored. Massimo Arrigoni is the co-owner of Early Impact, Inc., developer of ProductCart, a licensed shopping cart . He has studied the PCI compliance issue thoroughly. In this “Quick Query” we get his insights.

Practical eCommerce: Merchants understand that a breach of their customers’ information could lead to fines, lawsuits, and certainly a loss of trust. Yet it’s not always clear what they need to do to become PCI compliant. Is PCI compliance equally confusing for a developer and for a vendor?

Massimo Arrigoni: “Yeah, it is. It’s a very confusing topic. As vendors we need to make sure that the software that we code meets PCI compliance requirements. So, the PCI Security Standards Council came up with the program called PA-DSS (Payment Application Data Security Standard). By ‘payment application,’ they mean any application that is used to transfer sensitive data.”

PeC: With a licensed cart, it would seem to be difficult to control the safety of the information anyway because there are other parties involved, such as a third party hosting company. Can you explain that part of it?

Arrigoni: “When you ask yourself, ‘Am I PCI compliant?’ the way to answer that is through the questionnaires that the Security Council has made available. There are about 12 sections. For example, one of those sections asks you questions about the payment application that you’re using. So, if you are using a licensed cart, the only way you can really answer those questions that pertain to the payment application is if the payment application, the shopping cart, has passed the PA-DSS program and has been validated. So, the council has said, ‘Yes, we looked at this application through one of the vendors that performed those security tests and the application meets our requirements.’ The fact that the application has the stamp of approval of the council, simply addresses one of the many areas that you need to look into.”

PeC: You mentioned the PA-DSS list for licensed (versus hosted) shopping carts that appears on the PCI Security Standards website. We went to that site and, relatively speaking, very few shopping carts appear on that list.

Arrigoni: “It is a time-consuming process. In our case, to go through the PA-DSS program took a few months. Some of the ecommerce applications out there might be going through the process as we speak. They might be getting through the validation process and they might be listed in the next couple of months. So, that’s one possibility. The second possibility is that the vendor decided that they don’t want to do it. Financially, it requires a commitment (typically between $10,000 and $20,000). The third scenario is maybe they tried to become validated and they failed because the application wasn’t coded correctly.”

PeC: What happens if a shopping cart vendor doesn’t get certified?

Arrigoni: “If you don’t get certified, you are not allowing your merchant to answer the questions that pertain to the payment application because they have no means. The only way for a merchant to answer these questions is to either hire a Qualified Security Assessor or to use a PA-DSS validated payment application [i.e. a PCI-certified shopping cart]. If you don’t have that stamp of approval, really, they cannot finish the self-assessment questionnaire. The questionnaire is a requirement. For example, MasterCard requires that Level 4 merchants (small businesses) perform the self assessment yearly.”

PeC: Does it improve your business substantially to have that certification, beyond the fact that you should have it?

Arrigoni: “Really the reason to do it is because it is the right thing to do. In terms of marketing, it may or may not pay off and I say that because there’s so much confusion out there when it comes to small businesses and PCI compliance. It’s hard to say whether merchants that are looking for an application really use this as a way to decide what they should do. Over time, I believe that, marketing-wise, this will pay off because people will understand what it means and more and more of us as vendors will try to let people understand what this program means and why it is important.”

PeC: Most of our readers are small ecommerce merchants. Anything else that you would like to share with them regarding PCI compliance?

Arrigoni: “The bank that you got your merchant account with could, at any time, ask you for your compliance status and, theoretically, you might not be allowed to accept credit cards if you can’t prove that you are compliant. If there is a security breach for any reason and you are sued and there are damages, your PCI compliant status would basically limit your liability for those damages.”

PEC Staff
PEC Staff
Bio   •   RSS Feed