PA-DSS discussion

After reading this and the associated thread on PCI compliance, I’m a bit confused so maybe someone can clarify.



I use PayPal Payments Pro and PayPal clearly states on their website that Pro users are responsible for their own PCI compliance. So what are the consequences if I don’t become PCI compliant? Who is going to come after me?



I also read somewhere that if you process less than 20,000 transactions a year, the PCI requirements are much less stiff. Is that true? And what are they?

Also, having done more research, I found that Magento seems to be coming up with a good solution for PA-DSS compliance. They are developing what they call Magento Payment Bridge. They are essentially making this Payment Bridge a separate piece of software that can be PA-DSS certified on its own, so that the whole Magento software package doesn’t have to be re-certified every time the software is upgraded.



Seems like this would be a very good route for CS-Cart to take. I realize the cost of PA-DSS certification is very high ($10,000 - $30,000) and paying that every time the software is upgraded isn’t feasible. But developing a payment bridge that would require updating very infrequently might be a possibility.



CS-Cart needs to find some way to become PA-DSS certified or it’s going to lose its customer base. If it has to raise the price of the software to do so, so be it.

[QUOTE]CS-Cart needs to find some way to become PA-DSS certified or it’s going to lose its customer base. If it has to raise the price of the software to do so, so be it.[/QUOTE]



I believe what will happen is that the majority of shopping cart developers will choose to make their carts “Compliant” without actually paying for the certification process to become “PCI-DSS Certified”, which is where the real cost occurs.



As I recall, CS-Cart already claims to be “PCI-DSS Compliant” (although I am not sure this is actually the case yet after reading several posts of security scans failing the test due to the persistent cookie issue, etc.)

But if financial institutions require new or existing merchants to have PA-DSS certified shopping cart software on their sites, then merchants will be forced to seek out those shopping carts that are certified.

[QUOTE]But if financial institutions require new or existing merchants to have PA-DSS certified shopping cart software on their sites[/QUOTE]



There is currently only a very small handful of carts that are actually “Certified”.



They will require us to be compliant, however, there is a very slim chance they will ever require the entire ecommerce world to have actual “PCI-DSS Certified” carts. Visa/Mastercard intends to continue making money hand over fist, no way they are going to do anything so extravagant as to throw a wrench into their money maker!

OK, I have been doing more digging, and will probably start a new thread that deals specifically with what I have discovered from PayPal with regard to PCI Compliance. Suffice it to say for now, that PayPal does not REQUIRE their merchants to use PA-DSS certified carts. They do, however, require their merchants to be PCI compliant, which means performing the scans (mine are clean now) and submitting the SAQ. I talked on the phone to one of their reps who deals with PCI stuff and she said that they are not aggressively going after the smaller merchants yet to educate them and push them into compliance. They are concentrating on the bigger merchants. But, I guarantee you that if you have a breach, they will come after you with fines and penalties.

We’ve recently integrated the CRE Secure payment acceptance service ([url]http://cresecure.com/[/url]) that resolves problems with PCI compliance. It supports PayPal Pro, Authorize.NET and several more payment gateways at this moment. You can download it from the File Area (Updates section) in our Customer’s Help Desk.

Zeke,

Just wondering if your CRE Secure integration is the same one that CRE secure is making. On their site, it still says: Coming Soon. [URL=“http://www.cresecure.com/pages.php?CDpath=5_8”]http://www.cresecure.com/pages.php?CDpath=5_8[/URL]

Thank you,

Bob

[quote name=‘pbannette’]Zeke,

Just wondering if your CRE Secure integration is the same one that CRE secure is making. On their site, it still says: Coming Soon. [URL=“http://www.cresecure.com/pages.php?CDpath=5_8”]http://www.cresecure.com/pages.php?CDpath=5_8[/URL]

Thank you,

Bob[/QUOTE]



Yes, it’s the same. We’ve sent them our integration today, so this page should be updated soon.

Thank you,

Another question. The current integration for CreSecure is for CS-Cart Version 2.0.15.

Will this integration be updated with each new CS-Cart version? For example, when 2.1 comes out, will the integration with CRE Secure be updated at the same time?

Thanks,

Bob

[quote name=‘pbannette’]Thank you,

Another question. The current integration for CreSecure is for CS-Cart Version 2.0.15.

Will this integration be updated with each new CS-Cart version? For example, when 2.1 comes out, will the integration with CRE Secure be updated at the same time?

Thanks,

Bob[/QUOTE]



Sure, 2.1 is integrated with CRE Secure too.

I have been reading this thread and have noted some inaccuracies.



Our companies have been dealing with PCI DSS compliance for quite some time now, and here are a few notes that may help.



PayPal, Google Checkout and other payment methods that take you FROM CS-Cart to their payment screens and then BACK do not affect your compliance at all unless they themselves are NOT PCI Compliant.



For example, without doing anything at all, if you are using Authorize.net, and the CS-Cart configuration allows the owner of the cart to choose between AIM OR SIM, then simply set your processing to the SIM method and you do not require any bridge or external software PERIOD!!



You will be compliant and can file as being compliant.



If your cart uses SSL and you take the proper precautions such as McAfee scanning, personal PCs at work utilize firewalls and virus protection, and you do not use those same machines for anything other than business, then you are ok.



You can even store CC numbers and expiration date if they are encrypted properly, AND store CV2 Codes as well providing they are stored in a different location, AND are encrypted.



Yeppers, this IS ok by visa and MC rules for PCI compliance providing you take the proper precautions.



there are four levels of PCI compliance, and you can minimize your level of requirements depending on what you do with your processing and protection/prevention. This is also affected by the amount of processing you do per year.



I can take a CS-Cart, load it on one of our servers, use Auth.Net SIM, use SSL, give the server a firewall and virus protection, utilize outside scanning (McAfee) and use a desktop dedicated to business, and be PCI compliant!!! NOW…



If I use PayPal, I can be compliant now. I can use an outside source such as this cre and be compliant.



It is all pretty simple really and you can learn all about it here:

[url]https://www.pcisecuritystandards.org/index.shtml[/url]



I am also not sure where the 2012 date came from, but from Visa’s own site, we are currently in Phase IV and the date for compliance was Phase V – July 1, 2010



Read that here: [url]http://usa.visa.com/download/merchants/payment_application_security_mandates.pdf[/url]



Good luck to you all, we are compliant NOW!

Oh, I also forgot to mention: I read that someone mentioned other carts were creating mods to become PCI DSS Compliant, so they would not have to make their carts themselves compliant, since they have frequent updates and huge costs.



This is very true, for example XCart has created XPayments, and this is a bolt on module that can be installed and operate up to 10 stores.



This module will cost approximately $400 on top of your typical license fee, and it is totally PCI DSS Compliant, and will be used as a protective bridge for ALL of their payment processors no matter who it is, and they also do not have to recertify themselves for any other version.



If you convince CS Cart to do something like this, they can have a bolt on that CAN be approved and certified and never have to deal with another cart validation again.





Look for your merchant acquirer’s mandates on compliance. July 1st 2010 was the deadline, but like someone else stated earlier, no one wants to lose billions of dollars, so your merchant provider will have the EXACT deadline and requirements you need to hear.



Visa’s was July 1st 2010; maybe your merchant provider will allow another 6 months, maybe not, but you need to contact them now.



Failure to comply will result in fines, sometimes huge depending on the level of non-compliance, and possible permanent banning from ALL processors.



Except PayPal that is, lol. That’s real professional…
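The SIM-versus-AIM point made a few posts up is really a question of scope: with a hosted page or a PayPal-style redirect the card number never reaches the cart’s server, while with a direct-post (AIM) integration it passes through your code, your web server and, if request-body logging is on, your logs. The quickest way to find out which situation you are actually in is to look for PANs in what the server writes. The block below is an added example and is not code from CS-Cart, CRE Secure or anyone in this thread. It runs a Luhn-filtered PAN finder over constructed sample log lines (the `x_card_num` / `x_card_code` field names are Authorize.net-style and used only as an illustration), reports the hits, and shows the redacted form a log filter should emit instead: PAN cut to first six and last four, and the CVV field removed outright, because PCI DSS requirement 3.2 forbids keeping sensitive authentication data such as CVV2 after authorization regardless of how it is encrypted.

```python
import re

# Candidate PAN: a run of 13-19 digits, optionally separated by single
# spaces or dashes, that is not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Query-string fields carrying sensitive authentication data (CVV2/CVC2/CID).
# Assumed field names: Authorize.net-style x_card_code plus common aliases.
SAD_FIELD_RE = re.compile(r"\b(x_card_code|cvv2?|cvc2?|cid)=\d{3,4}", re.IGNORECASE)


def luhn_valid(digits):
    """Mod-10 (Luhn) check used by every major card brand; cuts most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(s):
    return re.sub(r"[ -]", "", s)


def find_pans(text):
    """Return the Luhn-valid 13-19 digit numbers found in text, separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pans(text):
    """Replace each PAN with first six + last four, the most PCI DSS 3.3 lets you display."""
    def repl(m):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
        return m.group(0)       # not a PAN (e.g. a request id): leave the run untouched
    return PAN_RE.sub(repl, text)


def redact_line(line):
    """What a log filter should write instead of a raw request body:
    PAN masked, CVV-style fields removed entirely (PCI DSS 3.2: never store SAD)."""
    line = SAD_FIELD_RE.sub(r"\1=[removed]", line)
    return mask_pans(line)


def scan_log(lines):
    """Return (line_number, [pans]) for every line that carries a PAN."""
    hits = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            hits.append((n, pans))
    return hits


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    # Hosted-page (SIM) flow: only the gateway's transaction id comes back to the cart.
    "2010-07-01 12:34:56 POST /payment_return order=10042 x_trans_id=2159872301 x_response_code=1",
    # Direct-post (AIM) flow with request-body logging on: PAN and CVV land in the log.
    "2010-07-01 12:35:10 POST /checkout x_card_num=4111111111111111&x_exp_date=1212&x_card_code=123&x_amount=49.95",
    # A 14-digit request id: right length for a PAN, but fails Luhn, so it is not reported.
    "2010-07-01 12:35:11 GET /order/status req=20100701123511 status=ok",
]

if __name__ == "__main__":
    for n, pans in scan_log(SAMPLE_LOG):
        print("line %d: PAN(s) %s" % (n, ", ".join(mask_pans(p) for p in pans)))
        print("   redacted: " + redact_line(SAMPLE_LOG[n - 1]))
```

Run it against a day of access, error and application logs from a cart that uses a redirect or hosted page and `scan_log` should come back empty; a single hit means card data is on that host and the box is inside your cardholder data environment no matter what the SAQ says. A hit on an AIM-style line is the expected outcome and is the reason that integration style pulls the server into scope.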

[quote name=‘Struck’]There is currently only a very small handful of carts that are actually “Certified”.



They will require us to be compliant, however, there is a very slim chance they will ever require the entire ecommerce world to have actual “PCI-DSS Certified” carts. Visa/Mastercard intends to continue making money hand over fist, no way they are going to do anything so extravagant as to throw a wrench into their money maker![/QUOTE]





Actually there are a lot of them. You can find approved carts and payment processors here:



[url]https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html[/url]

Ok, I will shut up, but I found this that may help shed light. There is ZERO mention of 2012 anywhere as a deadline.



VISA MANDATE: PHASE / DEADLINE

  1. New PCI Level 4 merchants (including new locations of existing relationships) may not use vulnerable payment application versions – those that store prohibited cardholder data. Deadline: January 1, 2008
  2. New PCI Level 4 merchants using third-party payment software must be either PCI DSS-compliant or use PA-DSS validated compliant payment applications. Deadline: October 1, 2008
  3. ALL PCI Level 4 merchants (new and existing) using third-party software must use validated applications. Deadline: July 1, 2010



Everyone reading this in this forum is most likely SAQ level 4-C or 4-D. If you are not, and are processing much higher $$$ values per annum, then most likely you are level 3 or above, and have to pay thousands of dollars to become compliant anyhow, regardless of this cart platform.

You my friend have nightmares, and rightly so lol.

Also, as a heads up, anyone thinking you are PCI compliant and ok because a scanner like McAfee tells you that your site is PCI compliant: you’re wrong.

There is a difference between PCI compliance and PCI DSS compliance.

PCI compliance means your server meets the self assessment and scanning requirements, and this makes you PCI compliant.

However, to gain PCI DSS compliance, there is an entirely different level of security aspects dealing with secure data transmittal and storage that REALLY makes the difference and determines if you are PCI DSS compliant.

Hope all of this info helps everyone out.

[quote name=‘MarkWhoo’]Actually there are a lot of them. You can find approved carts and payment processors here:



[url]https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html[/url][/QUOTE]



Mark, I specifically mentioned “Shopping Carts”, and considering there are perhaps 5 in this list which are even notable (majority of which are Windows based), I would not consider this to be lots to choose from. Sure there are plenty of 3rd party payment processors jumping on the bandwagon looking for an opportunity to make a killing from this fiasco…