
Credit Card Data must pass the Visa PA DSS standard by 2010, bad news for small e-com

Spinat

Jan 3, 2009
On July 1, 2010 all small and medium sized ecommerce businesses which accept credit cards on their website must comply with the Visa PA DSS regulations (this is separate from PCI DSS compliance).


I found a number of articles which describe it very well, and hope it is of help for the many who get involved in it.


PA-DSS and Ecommerce Web Hosting - WHIR Blogs | Web Hosting Blogs featuring Web Hosting Industry Experts.


https://www.pcisecuritystandards.org/
 
This is the result of PCI DSS 1.2, released Oct 2008. This gave all of us 1.5 years to get our act together and use reliable, secure and tested software. This date is only for existing merchants. Any new merchant is already required to use PA-DSS certified software.


Here are a few things to think about... anyone using WHMCS, Plesk Billing, Ubersmith or any other non-compliant software must find an alternative before the 2010 deadline. I have spoken with a few software vendors and my results varied. Plesk sent me some official internal documents outlining their plan, the WHMCS developer said he is working on it and left it at that, and Ubersmith didn't even know what PCI was.


I suggest each and every one of us call, write and pretty much bug our software vendors until they have a date for compliance or are compliant.


Another issue with PA-DSS compliance is we can only use the version that has been tested compliant. Every major release will need to be re-certified and cannot be used until certified. Additionally, anyone using open source solutions will be left out in the cold and PA-DSS certification is expensive.
 
"Here are a few things to think about... anyone using WHMCS, Plesk Billing, Ubersmith or any other non-compliant software must find an alternative before the 2010 deadline."
This will hurt many small and medium sized hosting companies and resellers. It sucks big time that the mentioned companies can't get their crap together and make compliant software... let's see, soon it will be 2010, maybe they will change their mind and get professional.
 
Wow, that's pretty bad that Ubersmith doesn't even know about PCI, especially given their price tag.


"Another issue with PA-DSS compliance is we can only use the version that has been tested compliant. Every major release will need to be re-certified and cannot be used until certified. Additionally, anyone using open source solutions will be left out in the cold and PA-DSS certification is expensive."


Ah yes, this goes to show how much the PCI people are disconnected from reality. I mean, suppose the new version contains a security fix, how is it reasonable to delay this for "compliance" purposes? I also like how this leaves out Open Source, which has a better chance at security than a closed source product.


Not knocking you, just showing how PCI seems to be a big can of worms and yes I'm in a department that will deal with PCI extensively.


The best solution still is to pawn off the PCI requirement by sending customers to PayPal / another payment site to make their payments to you and thus avoid ever touching any credit card info.
 
Well that does make more sense and it's good to see that exception is there.


I guess that only leaves the question of "what is a release?"


Some of the PCI rules rely on interpretation (by an Acquirer, auditor, committee) and that alone gives me the shivers.