The Rules of PCI Compliance and the new PA-DSS

April 26, 2010 by Forrest Yingling

The PA-DSS (Payment Application Data Security Standard) was initially created by Visa in 2005 and known as the PABP (Payment Applications Best Practices). The PABP and the PA-DSS were fashioned as a method to maintain a safe and secure online environment for e-commerce and to prevent credit card fraud and identity theft. Visa has since partnered with the other four major credit card companies in order to form the PCI Security Council. The mission of the PCI is to require all websites that use and/or store credit card numbers and other confidential information to be compliant by adhering to their standards. Therefore, owners of e-commerce websites must ensure their site is utilizing PCI Compliant Hosting.

PCI vs. PA-DSS: What’s the Difference?

The PA-DSS applies to products distributed as applications that people can download and use however they went. For e-commerce operators, this refers to their shopping cart and shopping cart hosting solutions. By July 1st 2010, all shopping carts must be compliant with the new PA-DSS. If your website uses a cart or host that is non-compliant with PCI Security regulations then your store risks being charged higher fees and penalties for transactions, fines and even the possible cancellation of your merchant account. If your merchant account were to be cancelled then your business could no longer accept credit cards, which could very well put you out of business.

Becoming compliant with the PA-DSS is a very costly process for developers and distributors of shopping cart software. Many of the open-source shopping carts on the market will not be able to afford audits performed by the PCI’s Qualified Security Assessors (QSAs) and therefore will not be compliant be the deadline. As an e-commerce merchant, it is your responsibility to ensure that your cart is PA-DSS certified. If your cart is not compliant with the DSS then your site is not PCI Compliant and you will need to switch to a compliant cart in order to remedy this.

If you are opening a new store then you must make sure that you are signing up with a compliant cart and a PCI web host. By the July deadline, all level 4 merchants must be hosted on DSS certified applications regardless of whether or not they store credit card data. There are some exceptions to this rule. For example, if you strictly use a third-party service such as PayPal, Google Checkout or Amazon Payments and credit card numbers never touch your server then you might not have to prove compliance.

PCI Compliance covers a broader spectrum than the DSS and involves the host of your website rather than only your shopping cart and applications. Managed e-commerce hosting providers are responsible for following the guidelines laid out by the PCI Security Council in order to be fully PCI Compliant. Web hosts must follow the rules of the PCI by making sure their anti-virus is up to date and the proper firewalls are in place. As an e-commerce business operator, you must ensure that your host is PCI Compliant or you cannot legally process credit card transactions on your site.

Why Does the PCI Exist?

The biggest reason that the PCI was created is to protect banks from having to reissue credit cards, which is extremely costly. When something costs banks money, it trickles down to their clients and the consumers in the form of increased fees. One security breech can compromise hundreds or even thousands of credit cards. One compromised card costs a bank approximately $100. This can easily add up to millions and millions of dollars in replaced credit cards alone, not even taking into account stolen merchandise and the refunding of fraudulently spent money.

How Do I Prove Compliance?

First, you need to understand the different merchant levels. Online stores are rated from level 1 to 4 and your merchant level determines the rules that you must follow in order to be compliant. Level 1 is the highest and applies to stores that process 6 million or more transactions per year. Level 4 applies to companies that handle less than 20,000 transactions per year. Most small online businesses will fall into the Level 4 category.

Level 4 merchants must complete a quarterly network scan and questionnaire (there are companies like ControlScan and McAfee that will help with these steps). Merchants must also follow all other PCI compliance guidelines including the regular updating of anti-virus software and having strong firewalls in place. If the merchant stores credit card information then it must be on a separate server that is not web accessible and can only be reached by certain certified members of the company. They must also ensure that they have a PA-DSS compliant cart or any other applications. Higher level merchants may even be required to have someone on staff to handle PCI Compliance issues.

As previously mentioned, if your website strictly uses a third party payment processor then you might not need to prove that you are compliant and can host all of your store on a single server. However, not everyone has a PayPal or Google account and in order for your online business to be taken seriously, you should probably be able to process credit cards. If you can accept credit cards then you will not limit your sales and will be able to operate a truly successful e-commerce business.

The PCI questionnaires fall into two categories: SAQ-A (for those that do not store credit card data) or SAQ-D (those who do store credit card data). Obviously, the SAQ-D is more work and if a credit card number touches your server then you will need to complete this questionnaire.

Ensure Compliance Now!

Since July 1st is rapidly approaching then it is in the best interest of all e-commerce storeowners to ensure PCI Security Compliance for their website(s). It is not worth jeopardizing your business and livelihood over non-compliance. The risks are simply too great.