Practical Ecommerce

Quick Query: Shopping Cart Developer on PCI Compliance

Editor’s note: Payment Card Industry compliance is a requirement for ecommerce merchants. In an email to Practical eCommerce, PCI Security Standards Council General Manager Bob Russo stated, “All businesses that accept credit card data must be compliant with the DSS (Data Security Standard.)” Acquiring banks and processors are responsible for enforcement. And VISA makes it clear on the company website that as of July 1st, 2010, “Acquirers must ensure their merchants, VNPs (VisaNet Processors) and agents use only PA-DSS compliant applications.”

With that in mind, Practical eCommerce will begin publishing a series of articles aimed at answering merchants’ questions on the topic. If you have a PCI compliance question, email Kevin Patrick Allen, contributing editor, at and we’ll attempt to address it.

Payment Card Industry (PCI) compliance is a complex issue, and one that many ecommerce merchants find difficult to understand. It is just as complex for vendors, but it cannot be ignored. Massimo Arrigoni is the co-owner of Early Impact, Inc., developer of ProductCart, a licensed shopping cart. He has studied the PCI compliance issue thoroughly. In this “Quick Query” we get his insights.

Practical eCommerce: Merchants understand that a breach of their customers’ information could lead to fines, lawsuits, and certainly a loss of trust. Yet it’s not always clear what they need to do to become PCI compliant. Is PCI compliance equally confusing for a developer and for a vendor?

Massimo Arrigoni: “Yeah, it is. It’s a very confusing topic. As vendors we need to make sure that the software that we code meets PCI compliance requirements. So, the PCI Security Standards Council came up with the program called PA-DSS (Payment Application Data Security Standard). By ‘payment application,’ they mean any application that is used to transfer sensitive data.”

PeC: With a licensed cart, it would seem to be difficult to control the safety of the information anyway because there are other parties involved, such as a third party hosting company. Can you explain that part of it?

Arrigoni: “When you ask yourself, ‘Am I PCI compliant?’ the way to answer that is through the questionnaires that the Security Council has made available. There are about 12 sections. For example, one of those sections asks you questions about the payment application that you’re using. So, if you are using a licensed cart, the only way you can really answer those questions that pertain to the payment application is if the payment application, the shopping cart, has passed the PA-DSS program and has been validated. So, the council has said, ‘Yes, we looked at this application through one of the vendors that performed those security tests and the application meets our requirements.’ The fact that the application has the stamp of approval of the council simply addresses one of the many areas that you need to look into.”

PeC: You mentioned the PA-DSS list for licensed (versus hosted) shopping carts that appears on the PCI Security Standards website. We went to that site and, relatively speaking, very few shopping carts appear on that list.

Arrigoni: “It is a time-consuming process. In our case, to go through the PA-DSS program took a few months. Some of the ecommerce applications out there might be going through the process as we speak. They might be getting through the validation process and they might be listed in the next couple of months. So, that’s one possibility. The second possibility is that the vendor decided that they don’t want to do it. Financially, it requires a commitment (typically between $10,000 and $20,000). The third scenario is maybe they tried to become validated and they failed because the application wasn’t coded correctly.”

PeC: What happens if a shopping cart vendor doesn’t get certified?

Arrigoni: “If you don’t get certified, you are not allowing your merchant to answer the questions that pertain to the payment application because they have no means. The only way for a merchant to answer these questions is to either hire a Qualified Security Assessor or to use a PA-DSS validated payment application [i.e. a PCI-certified shopping cart]. If you don’t have that stamp of approval, really, they cannot finish the self-assessment questionnaire. The questionnaire is a requirement. For example, MasterCard requires that Level 4 merchants (small businesses) perform the self-assessment yearly.”

PeC: Does it improve your business substantially to have that certification, beyond the fact that you should have it?

Arrigoni: “Really the reason to do it is because it is the right thing to do. In terms of marketing, it may or may not pay off and I say that because there’s so much confusion out there when it comes to small businesses and PCI compliance. It’s hard to say whether merchants that are looking for an application really use this as a way to decide what they should do. Over time, I believe that, marketing-wise, this will pay off because people will understand what it means and more and more of us as vendors will try to let people understand what this program means and why it is important.”

PeC: Most of our readers are small ecommerce merchants. Anything else that you would like to share with them regarding PCI compliance?

Arrigoni: “The bank that you got your merchant account with could, at any time, ask you for your compliance status and, theoretically, you might not be allowed to accept credit cards if you can’t prove that you are compliant. If there is a security breach for any reason and you are sued and there are damages, your PCI compliant status would basically limit your liability for those damages.”

  1. Alex Mulin November 16, 2009

    A very easy and cost-effective way to avoid all hassles with getting yourself certified is to use a payment method that does not require your customers to enter their payment details (i.e. credit card details) on your web-site pages. E.g. 2Checkout, WorldPay, Paypal, Avangate and many others work as follows:
    1) a visitor comes to your web-site, likes your products and decides to place an order with you
    2) at the moment when he/she is supposed to pay, he gets redirected from your web-site shopping cart to a secure payment form at the payment processing company’s web-site.
    3) the customer pays at the payment processing company’s web-site and gets redirected back to your web-site, to a "thank you for your order" page with order details, etc.

    Thus you as an on-line merchant don’t have to pass tons of requirements related to situations when you collect credit card details and pass them to a payment processor. That saves lots of time, effort and money.

    Of course you need to use a PCI certified payment gateway/processor, but it’s their headache now how to maintain their PCI-compatible status, not yours ;)

  2. Barney Stone November 17, 2009

    At Stone Edge Technologies, we have come to the conclusion that the need for storing credit card account numbers at all is quickly coming to an end. All but one of the payment gateways that we integrate with offer the ability to use "tokens" in place of account numbers if you have to issue a credit or place an additional charge against an account. The account number is only used for the initial charge or authorization. After that, everything can be done with the token (or whatever your gateway calls it). No account numbers are stored, and tokens should be useless if they fall into the wrong hands.

    And yes, I repeat, the tokens CAN be used for additional charges in the future. Typically there is a 6 to 12 month limit on how long they can be used. After that, you would have to contact your customer and get the account number again so you can be issued a new token.

    Some of the gateways (, JetPay) charge a few cents per transaction for the use of their tokens. Most others (ECHO, PayPal, Payflow Pro, QuickBooks Merchant Services, USAePay, etc.) do not charge extra for them.

    Using tokens should dramatically reduce the risks involved with credit card processing, and make both PA-DSS (for software developers) and PCI (for merchants) much easier to achieve and maintain. Our tentative plan as we move forward with the Stone Edge Order Manager is to only support combinations of shopping carts and gateways that will work that way.

  3. Rick Wilson November 17, 2009

    For very small merchants, using an off-site payment gateway as mentioned above can be acceptable, but we find that a) our merchants really don’t like that process (losing control of the customers) and b) it can have a very negative impact on overall conversions if it’s not done well.

    We’re in the final stages of getting our PA-DSS approval; we’ve decided to do a major release along with our PA-DSS, so that has slowed us down a little bit, but it will be coming out very soon.

    Barney is right, tokenization is the future from a storage standpoint; however, since at least in a shopping cart application we do possess the card number on the initial transaction, it won’t allow us to avoid becoming PA-DSS compliant.

    PA-DSS will likely "shake the tree" and clear out many smaller shopping cart vendors, or at least limit them to the off-site gateways mentioned in the post above; however, for those carts that continue on and get certified, it should lead to superior coding and release processes industry-wide.

  4. Massimo Arrigoni November 17, 2009

    @Barney: even if the shopping cart is using tokens, in most cases it is still passing payment information to the payment gateway (as Kevin pointed out), so the shopping cart is still considered a payment application and PA-DSS validation applies even if there is no storage of credit card information at all.

    @Alex: even if a business only uses an outsourced checkout process (so the shopping cart is not considered a payment application), they still have to fill out SAQ-A (i.e. version A of the Self Assessment Questionnaire), which allows them to "officially" indicate that they are running their e-commerce business in that manner.

  5. Barney Stone November 18, 2009

    Massimo – Yes, the shopping carts will still need PA-DSS certification. So will software like our Order Manager, which will also have to accept credit card numbers for new transactions, even though it will no longer store them. My point is that if a system does not store account numbers, achieving certification should be substantially easier. Also, there is still some risk of a security breach even with certified software. If account numbers are not stored at all, the risk of a large breach is virtually eliminated. The only remaining risk is something that would grab account numbers one at a time as they are entered or passed to the gateway.
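A sketch of the token-in-place-of-account-number design Barney describes in comments 2 and 5, as an added example that is not code from the original page or from Stone Edge; `MockGateway`, `Merchant`, the 12-month token lifetime and the test card number are assumptions. The card number is handed to the gateway once, the merchant record keeps only the token and last four digits, and a later charge against an expired token fails with the re-collection case Barney mentions.

```python
import secrets
from datetime import date, timedelta


class MockGateway:
    """Constructed stand-in for a gateway's tokenization service (not a real API).
    The card-number vault lives here, on the gateway side, never at the merchant.
    Assumption: 12-month token lifetime (Barney cites 6 to 12 months)."""
    TOKEN_LIFETIME = timedelta(days=365)

    def __init__(self, today: date):
        self.today = today
        self._vault = {}  # token -> (pan, expiry)

    def authorize(self, pan: str, amount: int) -> str:
        """Initial charge: the PAN is used once and exchanged for a token."""
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = (pan, self.today + self.TOKEN_LIFETIME)
        return token

    def charge_token(self, token: str, amount: int) -> bool:
        """Later charge or credit: only the token crosses the wire."""
        if token not in self._vault:
            raise ValueError("unknown token")
        if self.today > self._vault[token][1]:
            raise ValueError("token expired: card number must be re-collected")
        return True


class Merchant:
    """Merchant-side records keep a token and last4 only, never the full PAN."""

    def __init__(self, gateway: MockGateway):
        self.gateway = gateway
        self.orders = {}  # order_id -> {"token": ..., "last4": ...}

    def checkout(self, order_id: str, pan: str, amount: int) -> dict:
        token = self.gateway.authorize(pan, amount)  # PAN passes through once
        self.orders[order_id] = {"token": token, "last4": pan[-4:]}
        return self.orders[order_id]

    def recharge(self, order_id: str, amount: int) -> bool:
        """Credit or additional charge months later, using the token alone."""
        return self.gateway.charge_token(self.orders[order_id]["token"], amount)

    def stores_pan(self, pan: str) -> bool:
        """Scope check: does any stored order record contain the full number?"""
        return any(pan in repr(rec) for rec in self.orders.values())
```

As Barney notes, the number still transits the cart on the first transaction, so `checkout` is the one place left to protect; `stores_pan` is the kind of check a merchant can run over its own records to confirm nothing persisted.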

  6. Alex Mulin November 20, 2009

    @Massimo: yes, that’s true, but following SAQ-A is much simpler after all.