July 19, 2010
Confusion Runs Rampant
Many folks in the e-commerce industry have found themselves scratching their heads in confusion over the new PCI PA-DSS (Payment Card Industry, Payment Application – Data Security Standard) rules and guidelines. PCI Compliance has never been an easy topic to wrap one’s head around and the new DSS is starting to cause panic among some involved in businesses that operate online. The July 1, 2010 compliance deadline is looming and many payment applications are still not DSS certified.
This is not good news for anyone involved in the e-commerce sector. There is no set punishment established for non-compliance with the new PA-DSS. If an online storeowner is found to be non-compliant then they will likely be charged increased merchant fees and penalties, face hefty fines and in some cases have their merchant account or even their entire website terminated.
Most of the confusion and controversy revolves around who exactly needs to comply with the new DSS. The answer to this is somewhat complex but the primary rule of thumb is that if your store processes credit cards online then you need to use a shopping cart that is PA-DSS certified in order to be PCI Compliant.
As an e-commerce merchant, vendor or retailer (those operating a business online), it is your duty to ensure you are utilizing fully PCI Compliant Hosting and that your shopping cart application is PA-DSS certified. If either your host or cart is not compliant with the PCI than your site is in trouble. Many carts and other merchant service providers are still shuffling to get scanned and added to the list of compliant applications before the July deadline.
If you are in the market for new shopping cart software than you do not want to use a program that is non-compliant with the PCI or PA-DSS. It is not worth losing money or possibly your business over something so simple to remedy. The responsibility falls on you – the storeowner – to find a host and cart that are compliant with the PCI and to fulfill the required network scans and questionnaires.
PCI Compliance vs PA-DSS – what’s the difference?
The PA-DSS (Payment Application – Data Security Standard) applies to products that are distributed as applications that people can purchase and then do whatever they wish. For example, this applies to shopping cart programs and e-commerce solutions. The DSS started as the PABP (Payment Application Best Practices) by Visa before becoming affiliated with the PCI Security Council, which represents all five major credit card companies. In order to be PCI Compliant you must be on a DSS certified application. In other words, your cart must be compliant.
PCI Compliance is a broader set of rules and guidelines. The PCI Compliance rules are the standards for the way in which credit card transactions and other confidential information is processed online.
As of July 2010, both PCI and PA-DSS Compliance are necessary for a site that accepts credit card payments. The PCI applies to all e-commerce businesses, web hosts, shopping carts, payment gateways and merchant account providers. When a company becomes DSS certified they are then added to Visa’s list of compliant companies. The PCI Compliance rules are the standards for the way in which credit card transactions and other confidential information is processed online.
In order to be fully PCI compliant with the new PA-DSS, level 4 merchants must be running compliant applications on their site (such as their shopping cart). Their web hosts must also be PCI compliant by using properly encrypted networks, regularly updating their anti-virus software and performing regular system scans.
There are a number of PCI scanning companies approved by Visa and MasterCard that will help small merchants pass PCI audits and complete the PCI questionnaire in order to show PCI compliance. Being fully PCI and DSS compliant is like having an insurance policy in the event of a security breech.
For the list of requirements that QSAs will be checking for in your scan check out:
Forrest Yingling is the Marketing Director for WebNet Hosting, Premier Partner Miva Hosts since 2004. WebNet Hosting provides PCI Compliant Miva Web Hosting and e-commerce solutions.