When a Shopping Cart is Not PCI Compliant: Three Options for Merchants

Earlier this week, Practical eCommerce shared three important questions to ask about your shopping cart. Today, as part of our ongoing PCI compliance series, I’ll look at the options available to ecommerce merchants whose shopping cart is not PA-DSS (Payment Application Data Security Standard) validated. More specifically, I’ll share the insights of Matt Whitted, hosting director at Cybrhost, a web hosting provider specializing in ecommerce.

Matt Whitted

Cybrhost has alerted its subscriber base to the July 1, 2010 deadline for shopping carts to become PA-DSS validated, and Whitted has fielded numerous inquiries from merchants regarding the mandate.

Whitted says he recognizes that many of the more than 350 shopping carts available to merchants (by Practical eCommerce’s count) have not been PA-DSS validated. “I do think this [the mandate] is going to push some of those smaller carts out. It’s a major investment to get your application certified. And then it’s a recurring process,” he says.

Three Options for Users of Non-compliant Shopping Carts

If an ecommerce merchant’s shopping cart provider is neither PA-DSS validated nor in the process of becoming validated, Whitted says there are three options.

  1. Outsource to an alternative payment solution.

    Alternative payment solutions such as Google Checkout and PayPal Express Checkout allow merchants to outsource the checkout process. The shopper enters card details on the payment provider’s own hosted page, so payment information is never handled by, stored in, or transmitted through the merchant’s cart. As a result, the merchant’s shopping cart is not considered a payment application and doesn’t fall under the PA-DSS mandate. Note that this removes the cart from PA-DSS scope; it does not remove the merchant from PCI DSS altogether, though a fully outsourced checkout does reduce what the merchant must validate.

    Whitted notes, however, that there are several downsides to this option: outsourcing is generally a more expensive proposition, there are occasional technical glitches in the handoff between the shopping cart and the alternative payment system, and you’re giving some control of your business’ information to “Paypal or Checkout by Amazon or whoever you choose.”

  2. Switch to a different shopping cart provider.

    A variety of shopping carts have applied for and received PA-DSS validation.

    “Some of the ecommerce applications that are ahead of the curve and are going through the certification process proactively are going to benefit from people who make this decision (to switch),” Whitted says.

  3. Do nothing and see if PA-DSS compliance is enforced.

    The card brands set the mandate, but acquiring banks and processors are responsible for enforcing PCI compliance on their merchants. “Who knows how Visa or MasterCard will handle it?” questions Whitted. “They may be understanding or more extreme.” He notes, however, “Most businesses are not going to want to live by the seat of their pants.”

Summing Up

As I mentioned earlier this week, the PCI Security Standards Council maintains a list of licensed shopping carts that have been PA-DSS validated. The card brands keep track of hosted (as opposed to licensed) shopping carts that have been validated as PCI DSS compliant; Visa, for example, publishes a list of these approved hosted carts. Before relying on either list, confirm that the exact version of the cart you run is the one listed, since validation applies to specific versions.

Visa makes it clear on the company website that as of July 1, 2010, “Acquirers must ensure their merchants, VNPs (VisaNet Processor) and agents use only PA-DSS compliant applications.” Many shopping cart providers are neither validated nor seeking validation at this time, and the merchant using those applications bears the responsibility. Such merchants can outsource checkout to an alternative payment solution, switch to a validated shopping cart provider, or take a wait-and-see approach to industry-wide enforcement.

Kevin Patrick Allen