FinestShops Newsletter @ September 17, 2010
Recently, we have received many questions regarding PCI and PA-DSS compliance requirements and how they are related to your Internet store. There is a lot of confusion around that, so I have collected the information below for your review.
If your business is based in the USA or Canada, as of July 1, 2010 (it’s 2012 for European businesses) you cannot accept credit cards using a system which is not PCI and PA-DSS compliant. The truth is, many shopping cart systems available today are not PA-DSS compliant and many are not even considering becoming compliant because of the high expenses involved.
Difference between PCI and PA-DSS
PCI stands for Payment Card Industry. The official name is the PCI Security Standards Council (or PCI SSC, but most people usually just say PCI). It is an organization founded by five major credit card companies—American Express, Discover, JCB, MasterCard, and Visa—in order to create a uniform set of security standards for companies to follow when processing credit card transactions.
PA-DSS stands for Payment Application Data Security Standards (a separate but related set of standards from PCI DSS above), which apply specifically to companies that develop or operate payment applications that online merchants use to process transactions (example: shopping carts). PA-DSS are in place so that your shopping cart’s payment application software processes your customers’ credit cards using the proper security specifications, to protect against vulnerabilities.
In a few words, PCI is certification of your company and your hosting environment and PA-DSS is certification of the software you are using to process credit cards. As of July 1, 2010 you need to have both certifications in place. Your merchant account provider is not going to shut you down right away if you aren’t compliant, but you need to address this issue as soon as possible.
How to become PCI compliant
There are two steps in becoming PCI compliant:
- Fill out a self-assessment questionnaire
- Pass a PCI scan by one of several PCI Certification Services
After using several PCI scanning services, in my opinion the easiest and most intuitive to use is McAfee Secure ( http://www.mcafeesecure.com ).
If your site does not pass PCI certification after the first scan, simply send your domain name to support@finestshops.com with “Need PCI certification” in the subject line and we’ll make the necessary adjustments for you. (Note: this service is available only to our hosted clients. If you are not hosting with us, please contact your support.)
How to become PA-DSS compliant
There are three different payment scenarios for PA-DSS compliance, each having a different solution.
Scenario 1 (easy way out)
A customer adds items to their shopping cart on your Internet store. After the customer clicks “Checkout” he/she is redirected outside your site to an off‐site payment processor such as Google Checkout or Paypal Standard. Below is a list of several popular off-site payment methods:
- PayPal Standard and Express Checkout (http://www.PayPal.com)
- Google Checkout (http://checkout.google.com)
- PayFlow Link (http://www.PayPal.com)
- 2Checkout (http://2Checkout.com)
- Authorize.net SIM (not AIM) (http://www.authorize.net)
- CyberSource Hosted Order Page (http://www.CyberSource.com/)
At no point does a customer enter credit card information while on your website. In this scenario you would need to pass SAQ “A,” which can be downloaded at this URL:
SAQ “A”: https://www.pcisecuritystandards.org/saq/docs/aoc_saq_a.doc
If your Internet store/website ever passes, stores, or transmits credit card data you are not in this category and should read the next section.
Solution: PA-DSS certification is not required.
Scenario 2 (getting more complicated)
A customer adds items to the shopping cart on your site. When the customer clicks “Checkout” he/she remains on your site and fills in the personal information including credit card number. When that customer clicks “Submit,” the credit card information is sent to a payment processor (such as Authorize.net), which returns a unique token id for you to reference. At no point do you ever store the credit card (encrypted or not) or the CVV2 value. Note that “at no point” means never, not for a millisecond, not for 10 minutes until you can process it manually … never. You may store a masked PAN (4xxxxxxxxxxxxxxx1111), which is fine. Examples of the popular payment gateways that are affected by the new standards are:
- PayPal Website Payments Pro
- Authorize.net AIM
- CyberSource (SOAP Toolkit API)
- PayPal PayFlow Pro
In this scenario you would need to use a PA-DSS compliant system and pass SAQ “C”:
SAQ “C”: https://www.pcisecuritystandards.org/saq/docs/aoc_saq_c.doc
Solution: If you want to continue to accept credit cards in your store (to keep customers on your domain and be able to control design of the payment page, for example), you need to use PA-DSS compliant software in your checkout steps that involve entering credit card data.
You achieve PA-DSS compliance by using a compliant shopping cart like Pinnacle Cart, which we currently offer in our ecommerce package, or by using a compliant module which works as a connector between your shopping cart and payment processing company. For example, if you are using X-Cart shopping cart, you need to install a module called X-Payments, a new interface into which customers enter their credit card information. This add-on is PA-DSS certified, and by using it you will comply with this new standard. The same applies to Magento and their Secure Payment Bridge module.
Scenario 3 (you may not want to do this)
A customer adds items to the shopping cart on your site. When the customer clicks “Checkout” he/she remains on your site and fills in the personal information including credit card number. When that customer clicks “Submit,” the system encrypts the credit card number and saves it in the database. You may keep it until someone manually processes it using a terminal or passes the encrypted card data to a system at your office to be processed. Either way, simply by inserting it into a database you instantly fall under SAQ “D,” which is the most complicated certification:
SAQ “D”: https://www.pcisecuritystandards.org/saq/docs/aoc_saq_d_merchants.doc
Solution: You have to use a PA-DSS compliant shopping cart or X-Payments as described in Scenario 2, with the addition of these two requirements:
- The PA-DSS compliant shopping cart or X-Payments module has to be installed on the server separate from the server with non-compliant online systems because, in this case, the PA-DSS compliant application cannot be on the same server as a non-compliant application (X-Cart, WordPress, etc.).
- Your database has to be located on the server separate from the main store and X-Payments module, and must be protected by the firewall.
Basically, if you have to save the credit card numbers into the database, you will need two or three servers: the main server with your storefront, X-Payments server (if applicable), and database server. The cost of such a system can be somewhat lowered by using our virtual private servers instead of several dedicated servers but, in any case, this is the most expensive setup and you may want to consider changing your business process so credit card information is not being saved into the database.
Conclusion
A. The easiest and fastest way to become fully PCI and PA-DSS compliant is to switch to an off-site payment method as described in Scenario 1.
B. If you want to keep using your payment processor and have a greater control over the design of the payment page, you have to use a PA-DSS compliant shopping cart or payment module like X-Payments.
C. If you have to save credit card numbers into the database, be prepared to increase your hosting and site management cost.
There is an option through which you can ignore all this PCI PA DSS mumbo-jumbo and continue your business as before. If you do this, you risk losing your merchant account; you will not be able to process credit card orders in your online store and must pay heavy fines for non-compliance (from $10,000 to $200,000). PCI compliance is your responsibility as a merchant, and we will assist you in this matter as much as possible.
To your success,
Anton Pachkine
Your e-Commerce Outsourcing Company
P.S. A disclaimer: I’m not a QSA (Qualified Security Assessor, an approved PCI auditor); your company business processes can be different, so the above information should be confirmed with your QSA. If you want to suggest any corrections to the above information, please feel free to contact me directly.
More information: https://www.pcisecuritystandards.org/index.shtml
Next issue: New ways to drive targeted traffic to your store
Please do them a favor – forward this article to them.