So we're in the middle of our PA-DSS audits and I've learned a ton that I think is worth sharing, given the impact this will have on the ecommerce webhosting industry.
A little backstory: previously Visa had a set of requirements known as PA-BP (Payment Application Best Practices), a set of rules that shopping cart companies (like ours), or any application that accepted or handled credit cards, were supposed to follow. Recently Visa handed over the reins of PA-BP to the PCI Security Council, and they've stated that PA-BP is no longer optional for Payment Application vendors (like shopping carts): all of these applications will have to be what is now known as PA-DSS (this stands for Payment Application - Digital Security Standard) Certified (formerly PA-BP) prior to July 1, 2010.
So first of all, what is PA-DSS in practical terms? PA-DSS is a set of standards covering both what a Payment Application does and does not do (such as not storing CVV codes or the full content of the magnetic stripe from a card) and how the application provider builds and maintains the application in the first place. Much of being PA-DSS certified is having proper policy, procedures, training and standards in place to ensure that any development that impacts the usage and acceptance of credit cards is secure development and not prone to security issues.
In simple terms, that means all commercial shopping carts, order management software, or anything else that accepts or handles credit cards has to be audited by an approved auditor and become PA-DSS certified prior to July 1, 2010. Otherwise these applications will no longer be allowed to interface with merchant accounts and payment gateways, which prevents them from accepting credit cards.
What about home-grown and open source shopping cart solutions? What happens to them on July 1st, 2010? I asked our auditor this question and his answer was telling. He said that "essentially, if an application can't be PA-DSS certified because it's not developed by a single entity, for example, then the service provider of that entity will need to become PCI Level 1 certified in order to keep offering that and be in compliance".
Ultimately this will play out in a very interesting way. The vast majority of web hosting companies do not have enough transaction volume to warrant having to become PCI Level 1 Certified (which is certainly a relief to them!), and as long as they offer a PA-DSS certified shopping cart for their ecommerce webhosting, that will continue to be the case.
Webhosts who build their ecommerce hosting around an open source platform, however, will be required to undertake all of the auditing (and more) that we commercial providers are doing, to make sure their offering is compliant with the rules of Visa and the PCI Security Council.
Til next time,
Rick
Comment by Art Zemon on Tuesday, June 02, 2009
What you write is all too true. Because so many merchants are wondering what software will still be OK to use on July 1, 2010, I have pulled together a concise list of popular e-commerce software packages, along with PCI PA-DSS certification status, at http://www.hens-teeth.net/blog/pci-pa-dss-certification-summary/