PA-DSS Validation

Hello,



I am currently considering CS-Cart. From CS-Cart’s page, [url]https://www.cs-cart.com/pci-compliance.html[/url], it indicates CS-Cart is PCI compliant.



Does anyone know if CS-Cart actually received the official PA-DSS validation from the PCI Security Standards Council? I believe, not positive, that all merchants are required to use e-commerce SW that has PA-DSS validation by July 2010. So I’d rather be set up with one that is validated if I have that option so I don’t have to go through hoopla before July 2010 again.



Thanks in advance for any help you can offer.

As far as any of us know, NO, they are not officially PA-DSS validated and they don’t appear to think it’s important for them to do, either. I’m not sure why they aren’t concerned as it has been brought up to them numerous times and they don’t seem to understand that July 2010 is an important date and what is required of CS-Cart software at that time.



Regards,

Stephanie

[quote name=‘scase’]As far as any of us know, NO, they are not officially PA-DSS validated and they don’t appear to think it’s important for them to do, either. I’m not sure why they aren’t concerned as it has been brought up to them numerous times and they don’t seem to understand that July 2010 is an important date and what is required of CS-Cart software at that time.



Regards,

Stephanie[/quote]



Hi Steph,



Can you quote where PA-DSS is important?

I haven’t personally looked much into it, however noticing that you’ve quoted dates I’m a little concerned.

It looks like more rules are coming. Here is the site that I found of “validated” sites so far…

[url]https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html[/url]

I’m not sure which ones are actual shopping carts or not. I briefly looked through it but did not recognize anything but Intuit (Quickbooks).



So this sounds like a good question.

I’m glad someone brought this up because it slipped my mind, but it was a hot topic for me a few months back when I was shopping for shopping carts :0



CS-Cart at the time wasn’t my first choice, it was Sunshop, and there had been no mention of whether or not they were going to become PCI compliant under the new PA-DSS standards that are coming this year. When I asked they seemed to think it wasn’t a big deal and I began looking for another cart. Since then they have said it’s a priority for them.



The scenario is simple: if you intend to process credit cards on your site (i.e. the user doesn’t leave your site when making a payment) then you will be required to meet the new PCI standards. Part of this requirement is that the shopping cart you use becomes PCI compliant, and the sad part is that it’s not a cheap process. CS-Cart is going to have to spend a lot of $ to get their PCI compliance.



Then there is the part that you as a user are required to do. Your site and host are going to have to pass certain PCI compliant checks and you will be required to follow certain PCI compliant processes for ensuring that you stay compliant.



If your credit card processing is done through someone like PayPal or Google Checkout then you do not need to worry about this. If you accept orders but process them manually via the stored credit card data then you are going to be in for a rough ride, as there are new rules regarding the storing of credit card data, restricted access to stored data and more.



On a side note, some of the carts that you see who claim to be PCI compliant (i.e. CRE Loaded) aren’t. Instead they are taking the easy way out by integrating their own payment gateway into your cart so that the user thinks they are checking out on your site but in fact they are checking out through CRE Loaded’s gateway.



This really is going to be a big deal and possibly a big nightmare.

Here’s a link to the VISA bulletin which talks to each of the phases being put into place at their specific dates.

[url]http://usa.visa.com/download/merchants/payment_application_security_mandates.pdf[/url]



I’m not sure if MasterCard has the same information - I haven’t looked yet.



Here’s a handy site that has lots of information about PCI Compliance and the requirements.

[url]http://www.pcicomplianceguide.org/[/url]



Keep in mind none of this is LAW but the credit card companies and/or merchants may be able to fine and/or deny you the ability to process cards in your store. These requirements are also ONLY required if you are not using a third party to process your cards so if you are using PayPal or another processor to send the customer’s information (and the customer leaves your site to do it) then that processor must comply and they should provide a document to you indicating they comply with the requirements.



Tirade did an excellent job of explaining it - better than I ever could! :slight_smile: Thanks for that! And, I agree that we all need to be aware of these requirements and be prepared to answer questions from our merchants/credit card processors as July 2010 comes closer.



Regards,

Stephanie

Thanks for the links Stephanie. I was looking up more information too, and according to the link you provided, here are some important things to note for e-commerce users.



[url]http://www.pcicomplianceguide.org/pcifaqs.php#1[/url]



Q: What constitutes a payment application?

A: What constitutes a payment application as it relates to PCI Compliance? The term payment application has a very broad meaning in PCI. A payment application is anything that stores, processes, or transmits card data electronically. This means that anything from a Point of Sale System (e.g., Verifone swipe terminals, ALOHA terminals, etc.) in a restaurant to a Website e-commerce shopping cart (e.g., CreLoaded, osCommerce, etc) are all classified as payment applications. Therefore any piece of software that has been designed to touch credit card data is considered a payment application.



Q: How is IP-based POS environment defined?

A: The point of sale (POS) environment refers to a transaction that takes place at a merchant location (i.e. retail store, restaurant, hotel, gas station, convenience store, etc.). An Internet protocol (IP) -based POS is when transactions are stored, processed, or transmitted on IP-based systems or systems communicating via TCP/IP.



Q: Do I need vulnerability scanning to validate compliance?

A: If you electronically store cardholder data post authorization or if your processing systems have any internet connectivity, a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required.



Q: What is a network security scan?

A: A network security scan involves an automated tool that checks a merchant or service provider’s systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan will identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company’s private network. As provided by an Approved Scanning Vendor (ASV) such as ControlScan, the tool will not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed.

Note, typically only merchants with an external-facing IP address are required to have passing quarterly scans to validate PCI compliance. This is usually merchants completing the SAQ C or D version.



Q: How often do I have to scan?

A: Every 90 days/once per quarter you are required to submit a passing scan. Merchants and service providers should submit compliance documentation (successful scan reports) according to the timetable determined by their acquirer. Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV). ControlScan is a PCI Approved Scanning Vendor.



Q: What if a merchant refuses to cooperate?

A: PCI is not, in itself, a law. The standard was created by the major card brands such as Visa, MasterCard, Discover, AMEX, and JCB. At their acquirers’/service providers’ discretion, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach event occur.



For a little upfront effort and cost to comply with PCI, you greatly help reduce your risk from facing these extremely unpleasant and costly consequences.





Also to note, I use PayPal Web Payments Pro for my on-site transactions and PayPal Standard for those who prefer to be transferred to PayPal for the checkout. Here is what PayPal has to say about those who use their service for on-site transactions.



[url]https://www.paypal.com/pcicompliance[/url]



What is PCI compliance?

Payment Card Industry Data Security Standards (PCI DSS) are network security and business practice guidelines adopted by Visa, MasterCard, American Express, Discover Card, and JCB to establish a “minimum security standard” to protect customer’s payment card information. It’s a requirement for all merchants that store, transmit, or process payment card information.



How does my business become PCI compliant?

You can either use PayPal Website Payments Standard, Email Payments, or Payflow Link.* Or if you are storing, transmitting, or processing payment card information, you must:



* Build and maintain a secure network to protect payment card information

* Maintain a vulnerability management program

* Implement strong access control measures

* Regularly monitor and test networks

* Pass quarterly remote vulnerability scans

* And more …



PayPal helps

PayPal has partnered with ScanAlert, a Visa and MasterCard-certified PCI vendor, to help our customers comply at no cost for the first year. Enroll online with ScanAlert at: [url]https://www.scanalert.com/SignUp.sa?oc=9673[/url].





So as you can see, there is going to be an additional quarterly cost if you wish to continue accepting credit cards on your site. As CS-Cart users we either choose to process cards on our site (assuming CS-Cart becomes compliant) and pay the fees/costs to maintain our certification, or move to 3rd party gateways for all transactions, and there will be NO storing of credit card data allowed.

As mentioned by some, it is NOT a “law”. Likewise there seem to be various ways to interpret these “compliance” requests. The PCI scan also depends on the amount of sales you do. We must do enough, as Wells Fargo told us (in writing) that, due to our volume of sales, we were just supposed to “self evaluate” our system.



Here is where Authorize.net sent me when I asked if they were “compliant”.

[url]404 | Authorize.net



The bottom line for now is you need to do everything you can to protect both yourself from attacks and your customers from fraud.

Here are a couple of the simple things we do:

  1. Zap credit card information off your server ASAP. As soon as we “print” an order the cc info is erased. Since we print orders twice a day any info is zapped pretty fast. We tried to zap it as fast as the customer placed the order, but the CS system (1.3.5 sp4) won’t even process an order if you choose to “Remove CC info” (which is in the order statuses) too early. If or when we get hacked (heaven forbid we do), the hacker won’t find much cc info…if any.
  2. Make sure you use SSL. I still see websites all the time taking credit cards without having a secure method to do so.



I’m sure there are many other things; is there anything that other people do to secure their site and/or customers’ sensitive info?



The other thing that would be good is for CS-Cart to take the leap and become PCI “Compliant” or registered as so. Of course, this may mean yet another “upgrade” but if they want to stay in the game, they will probably have to. They actually may already be compliant, but they just need to become registered.
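The “zap the card info as soon as the order is printed” rule from the post above, as an added example that is not CS-Cart code or the poster’s own: full card data survives only while an order is unprocessed, is replaced by the last four digits once the order reaches a processing status, and the CVV is never persisted at all. The Order fields and the status names are assumptions for the example.

```python
# Added example (not CS-Cart code). Models a retention rule for stored card
# data: purge the full PAN once an order is printed/complete, keep only the
# last four digits, and never keep the CVV. Field and status names are assumed.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Order:
    order_id: int
    status: str                       # assumed statuses: "open", "printed", "complete"
    card_number: Optional[str]        # full PAN, present only while unprocessed
    card_cvv: Optional[str] = None    # must never be persisted after authorization
    card_last4: Optional[str] = None  # masked remainder kept for support lookups


# Order statuses after which the full PAN is no longer needed on the server.
PURGE_AFTER = {"printed", "complete"}


def mask_pan(pan: str) -> str:
    """Return the PAN with everything but the last four digits masked."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def purge_card_data(orders: Iterable[Order]) -> int:
    """Apply the retention rule in place; return how many orders lost a full PAN.
    The CVV is dropped unconditionally, whatever the order status."""
    purged = 0
    for o in orders:
        o.card_cvv = None
        if o.status in PURGE_AFTER and o.card_number:
            o.card_last4 = mask_pan(o.card_number)[-4:]
            o.card_number = None
            purged += 1
    return purged


def orders_still_holding_pan(orders: Iterable[Order]) -> List[int]:
    """Audit check: ids of processed orders that still carry a full PAN."""
    return [o.order_id for o in orders if o.status in PURGE_AFTER and o.card_number]


def sample_orders() -> List[Order]:
    # Constructed sample data; the numbers are well-known test-style card numbers.
    return [
        Order(1001, "open", "4111 1111 1111 1111", "123"),
        Order(1002, "printed", "5555 5555 5555 4444", "456"),
        Order(1003, "complete", None, None, "0005"),
    ]


if __name__ == "__main__":
    orders = sample_orders()
    print("processed orders still holding a PAN:", orders_still_holding_pan(orders))
    print("purged:", purge_card_data(orders))
    print("after purge:", orders_still_holding_pan(orders))
```

Running the audit function on a schedule (the post prints orders twice a day) gives a check that the purge actually happened rather than assuming it.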

[quote name=‘clips’]



The other thing that would be good is for CS-Cart to take the leap and become PCI “Compliant” or registered as so. Of course, this may mean yet another “upgrade” but if they want to stay in the game, they will probably have to. They actually may already be compliant, but they just need to become registered.[/QUOTE]



I can almost guarantee that the way they are currently storing credit card data is not compliant. Just a few weeks ago they released a patch that allowed the customer to store their entire credit card number in their account details.



Either way, the accreditation process is indeed what’s important for CS-Cart, and as I understand it it’s very very very expensive and takes quite a while to do because of all the other people already waiting in line.

[quote name=‘Tirade’]I can almost guarantee that the way they are currently storing credit card data is not compliant. Just a few weeks ago they released a patch that allowed the customer to store their entire credit card number in their account details.[/QUOTE]



Storing cc #s online is very risky business. I am guessing they did it for recurring bills? I did not see this patch because I am still using the old version.



I would agree that it would probably be better for CS to get compliant for security reasons and that each of us do our part to keep customers cc info safe too. There are multiple levels that can help everything work together.



I really don’t know what to say about more and more requests from the credit card companies. While I do everything I can to keep cc info safe, sometimes they just go overboard. They already charge me, as a merchant, an arm and a leg with crazy fees that would make a crook smile. Then they charge consumers high interest rates and wrongly take advantage of many others. The banks and cc companies are making out like bandits and then demanding more of us in the process. Maybe what the banks and cc companies should start doing is stop sucking so much money out of the pockets of small businesses. We don’t have the luck of Wally World to negotiate low rates, etc.

----wow, sorry about that rampage. I can’t talk about credit cards too long before I get reminded how much they gouge the small business and the consumer and then slap us all over the place like we don’t matter.



We all do need to do our parts in keeping a customer’s info safe.

Not to derail the thread but I agree with you 110%



In fact, I just ended up switching from my processor (Merchant Warehouse) and gateway (Authorize.net) over to PayPal Pro because of the very reasons you mention. So many hidden and sneaky fees people don’t realize when trying to compare apples to apples.



On paper you might think PayPal Pro is more expensive, but it’s so much cheaper (in my case). The rates you pay are a flat %; my merchant was offering 2.19% and I thought it was a great deal, then I found out that was pretty much only for debit cards or standard Visa/MC. If they used a reward or miles card my rate went up, if I didn’t batch out within 24 hours the rate went up, if it was an Amex or Discover card the rate went up (in addition to the monthly extra fees that Amex charges just to accept their cards). I sold a $900 leather chaise a few weeks ago and the customer used an Amex card; I ended up paying almost 5% of the transaction to Amex.



Now I pay 2.2% to PayPal and that rate never changes.

[QUOTE]In fact, I just ended up switching from my processor (merchant warehouse) and gateway (authorize.net) over to paypal pro because of the very reasons you mention. So many hidden and sneaky fees people dont realize when trying to compare apples to apples.[/QUOTE]



I agree with you Tirade & am also sold on PayPal Website Payments Pro!



Like you mention, we now know exactly what we are paying per transaction, 2.2% plus .30/transaction, no BS extra fees, nothing hidden.



A few other reasons that PayPal Pro appeals to us are the business debit card they offer. We use this card to make every business purchase we can because they offer 1% cashback on all purchases, so the more we use it, the further our credit card processing fees are reduced! Also, if you enroll in the PayPal Money Market account, you can choose to leave a portion of your funds generated from card sales in this account and collect interest on these funds, again further reducing our card processing costs. Granted, the money market isn’t paying diddly today; however, a couple yrs ago it was paying 2.4% or more. The other very important thing I like about PayPal Payments Pro is that when I transfer funds to our checking account, they hit our account very consistently in 2 days, you can bank on it. Other processors we have used over the years would take 4 days before the funds became available! :cool:



Here is a good article on the credit card merchant account providers “confusion tactics” to generate profits:



[url]http://www.inc.com/magazine/20070401/finance-credit-cards.html[/url]

Well, PP will charge you more on Debit Cards than a direct merchant account. You pay 2.2% on every transaction + 0.3 each.



I’m with Sagepay and a merchant account with HBOS



No set up fees

No annual charges

No minimum terms

3D Secure and MOTO with CV2

Credit card 2.5%

Debit card 40p !!!

Commercial card 2.5%


Gateway charges 20 quid per month up to 1000 per 3 months.

Money in my account in 3 days.



About 40% of transactions are made with debit cards. And I don’t care if my turnover is 1k or 10k per month; charges are the same. So, the bottom point is, if you have huge turnover each month, PP is better on credit cards, but fails on debit cards, plus they are difficult to deal with if there’s a dispute.

Good points Noman. Definitely a consideration (as is the average price per transaction).



In my case I sell furniture and most people aren’t buying furniture on a debit card, so for me the % fee is important. If you’re selling $2 digital downloads then the transaction fee might be a bigger issue.



Anyway, regardless (to get back on track) we need CS-Cart to respond on the PCI issue and see what their progress/stance is on this.

Huuuuuh ?



We don’t pay more than 2.2% ever, regardless of card type, credit, debit, corporate, etc. etc.



We have used Paypal Web Payments Pro for at least two years now without a single problem. Paypal has never questioned our sales activity even when we have had single charge amounts 3-4 times over our average sales amount.



Ironically, that was the reason we ended up looking and switching our merchant account to PayPal Pro. We were with a provider tied into Authorize.net which froze our merchant account funds for like 5 days simply because a very long-term customer of ours decided to pay us for a late invoice in the amount of like $8K via credit card. This is considerably higher than our average transaction, so without any contact, they froze our account and took their sweet ***** time in unlocking our merchant account. I was so angry I was chewing nails, so about the same day they unfroze our account, I switched processors! No one will do that to us more than once, guaranteed… :wink:

BTW, we have never had a single charge-back in over 9 years, so yeah, totally unwarranted…



I have read horror stories from people in years past of having their accounts frozen by Paypal, etc. But, like anything you read, I am sure plenty of those situations were “self inflicted”.

Guys, there’s no perfect solution for it. Different companies and different goods with different profit. That’s it. For me, PP isn’t good at all. Far too expensive because of debit card charges. And buyers sometimes turn nasty, trying to replace the item in the box and send it back as faulty. With PP, the case would be almost lost. With Sagepay, we can talk to real people and provide them with the proof. A CCTV camera is installed above the packing desk and we can check later what really happened. Selling expensive items, you will get 2.2% with PP easily, but if they are like 40 quid and less on average, then we need to be careful.



Also, going back to the point we started at, I don’t care about PA-DSS. We do not take orders on the phone or by email. Sagepay is OK with that validation. So, we sleep well.

[quote name=‘Noman’]



Also, going back to the point we started at, I don’t care about PA-DSS. We do not take orders on the phone or by email. Sagepay is OK with that validation. So, we sleep well.[/QUOTE]



For Sagepay, are the users transferred off your site for the payment? If so then you have nothing to worry about.

[quote name=‘Tirade’]For Sagepay are the users transferred off your site for the payment? if so then you have nothing to worry about.[/QUOTE]



Sagepay [formerly Protx] is a gateway. They take care of CC numbers and validation. I have only standard customer details stored.

I was curious about this and did some searching to see if I could find something more recent referencing the July 1 deadline. I think this page gives a nice overview:



[url]http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html[/url]



As of 10/08, merchants had to either be compliant or use compliant applications and as of 07/10, acquirers must ensure we are using compliant applications. In 10/08, my acquirer started charging the yearly fee for use of Trustwave. In addition, a $20/mo penalty would be assessed if I was not compliant. On 07/10, I am guessing what will happen is that rather than losing a lot of clients, the acquirers will charge us a monthly penalty for using an application that isn’t compliant. It would probably be a good idea to call your acquirer and find out what they plan on doing when we reach the 07/10 deadline. I’ll add that to my to-do list. :cool:

We are considering moving to CS-Cart but the PCI issue may be a dealbreaker. Not much to choose from and the choices aren’t great.



Here is the current list direct from PCI [URL=“https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html?mn=&vn=0&ap=10&rdSort=1&rdSortOrder=1&rg=0”]https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html?mn=&vn=0&ap=10&rdSort=1&rdSortOrder=1&rg=0[/URL]



Application Type: Pick Shopping Cart



13 Vendors/16 Applications





Vendor Name | WebPage URL | Payment Application | Version
--- | --- | --- | ---
AbleCommerce | www.ablecommerce.com | AbleCommerce | 7
Budgetext Corporation | www.budgetext.com | WebMatePayment | 1
CASHNet | www.cashnet.com | CASHNet | 3.0G11 Build P004
Discovery Productions | www.aspdotnetstorefront.com | AspDotNetStorefront | 8
Early Impact, Inc. | www.earlyimpact.com | ProductCart | 4
eOne Group, a Division of Micros-Retail | www.micros-retail.com | eOneCommerce | 9
Escalate | www.escalate.com | Escalate e-Commerce | 9.0.3
Escalate | http://www.escalate.com | Escalate e-Commerce | 10.0.2
Horizon Software International, LLC | | Order Express | 3
Ignify, Inc. | www.ignify.com | Ignify eCommerce | 4
Mercantec | www.mercantec.com | PowerCommerce | 2005
ShopSite | www.shopsite.com | ShopSite | 10
TMA Resources | www.tmaresources.com | Personify | 7.1.1
TMA Resources | www.tmaresources.com | TIMSS | 6.5.1
Ungerboeck | www.ungerboeck.com | Ungerboeck | 18.1
Ungerboeck | www.ungerboeck.com | Ungerboeck Software | 19.1/20.1