PA-DSS discussion

Hi everybody,



I would like to share some information on the PA-DSS point.



First of all, currently we do not plan to certify the CS-Cart software itself for PA-DSS due to the necessity of the repeated certification for every new software update. However, we will continue to study the point to find the most effective and affordable solution for both us and CS-Cart store owners.



Next, as it is stated in this document - http://usa.visa.com/download/merchants/payment_application_security_mandates_regions.pdf - all EXISTING merchants outside USA and Canada are to use PA-DSS compliant applications by July 1 2012, not July 1 2010.



Thus, if your online shop already operates outside USA and Canada, you must confirm that you use a PA-DSS compliant application by July 1 2012 but not by July 1 2010. In other words you should not worry about possible PA-DSS compliance issues on your side till July 1 2012. Let me note, this is how we understand this document, but we would advise you to contact your payment provider for the exact information.



For those who do not fall into this category of merchants, we will recommend using a third party service (as soon as the integration is done) which provides an intermediary PA-DSS compliant service to process online payments on their side - http://www.cresecure.com/ . We are actively cooperating with them now to deliver a bridge module between CS-Cart and their service as soon as possible.



There is also the following interesting piece of text in this VISA PDF document linked above:


[quote]“Acquirers may determine the PA-DSS compliance of a payment application through their own alternate validation processes, which confirm that applications meet the PA-DSS requirements and facilitate compliance with the PCI DSS.”[/quote]

So, as we understand this statement, it can be that your payment provider (or acquirer, in terms of the VISA document) will determine the PA-DSS compliance of your payment application (CS-Cart) itself. And here, our engineers did their best to meet all of the software-related PCI requirements in the latest CS-Cart releases.



Anyway, we strongly recommend ALL merchants who accept credit card payment DIRECTLY on their websites to contact their payment providers and ask what kind of extra actions they require from a merchant so that he can continue using the service.



And finally, I want to make it clear that all these PA-DSS and PCI requirements, deadlines etc. do not affect your webstore operation in any way if you use one of the so-called form payment methods, like PayPal Website Standard, Google Checkout etc., and your customers do not enter any credit card information on your website. Generally, if you use any payment method which redirects your customer to the website of your payment provider so that the customer enters his credit card details there instead of on your website, then there is no need for any kind of security compliance of your store.


I hope this information will be helpful.



Feel free to share your opinion, post comments etc. in this thread.



Thank you.


I appreciate your response in this matter but no outside authority is going to issue a PCI (especially PA-DSS) certification for CS-Cart until this issue has been addressed:



Name: Unencrypted Sensitive Form Detected

Category: HTTP - Web Application | Severity: Medium High | In PCI

Impact: Information Disclosure

CVSS v2 Fingerprint: AV:N/AC:L/Au:N/C:P/I:P/A:N | CVSS Score: 6.4



It's been bug-reported for months now.
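The finding quoted above is what a PCI scanner raises when a form carrying a password or card field would be submitted to a plain-http URL. As an added example (not code from the thread or from CS-Cart), here is a stdlib-only check that reproduces that logic: it collects every form on a page, resolves the form's submission URL against the page URL, and reports the form when it has a sensitive field and the resolved URL is not https. The field-name patterns and the sample checkout page are assumptions of this example.

```python
"""Detect forms that would submit sensitive fields over plain HTTP.

Added example, not part of the original thread or of CS-Cart.  The
sensitive-field heuristics and the sample page are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed name/id patterns for payment-card fields; tune per application.
SENSITIVE_NAME = re.compile(
    r"card|cc_?num|\bpan\b|cvv|cvc|csc|\bexp(iry|ir|_?month|_?year|_?date)?\b",
    re.IGNORECASE,
)


class _FormCollector(HTMLParser):
    """Collect each form's action and the input fields it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "fields": [...]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # HTMLParser lower-cases tag and attribute names
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append({
                "type": (a.get("type") or "text").lower(),
                "name": a.get("name") or a.get("id") or "",
                "autocomplete": (a.get("autocomplete") or "").lower(),
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _is_sensitive(field):
    return (field["type"] == "password"
            or field["autocomplete"].startswith("cc-")
            or bool(SENSITIVE_NAME.search(field["name"])))


def find_unencrypted_sensitive_forms(html, page_url):
    """Return [(submission_url, [sensitive field names])] for every form that
    would send a password or card field to a non-https URL.  An empty action
    means the form posts back to the page itself, so the page scheme decides."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])
        sensitive = [f["name"] or f["type"] for f in form["fields"] if _is_sensitive(f)]
        if sensitive and urlsplit(target).scheme != "https":
            findings.append((target, sensitive))
    return findings


# Constructed sample checkout page: a card form posting relative to the page,
# a search form (not sensitive) and a login form posting to an https URL.
SAMPLE_PAGE = """
<form action="/checkout/pay" method="post">
  <input name="cc_number"><input name="cvv2"><input name="exp_month">
</form>
<form action="/search"><input name="q"></form>
<form action="https://shop.example/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
"""

if __name__ == "__main__":
    # Served over http the card form is reported; served over https it is not.
    for url, fields in find_unencrypted_sensitive_forms(SAMPLE_PAGE, "http://shop.example/checkout"):
        print("UNENCRYPTED SENSITIVE FORM:", url, fields)
```

The same page fetched over https produces no finding, which is why scanners care about the URL they were given as well as the form's action: a relative action inherits the page scheme, while an absolute http action is reported even on an https page.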

Tirade, may I ask you to post a link to this bug for faster reaction?

Hi,

I am not quite sure where I and others like me fall into PCI compliance regulations.

I process off-line using Quickbooks, which uses Intuit as a processor. They say that it is not an issue since they are PCI compliant and I am transmitting the CC info from Quickbooks through Intuit. They are not involved with the cart.

I was just wondering about the short time between getting an order and copying and pasting the cc from cs-cart to Quickbooks. As soon as this is done, the cc information is deleted. I don’t allow for storage of CC info. I don’t transmit the information via email or via an export, just copy and paste.

For some reason, Quickbooks does not require, and the current version does not even accept the cvv2 code, except manually entering, so I don’t even have to collect it to process the card. For security, it probably is better to use it.

So far, never had a charge back or fraud with credit card processing in the last 8 years.

Would like some feed back.

Thanks,

Bob

Bob,



If you store CCs inside cs-cart at all, you are DEFINITELY NOT COMPLIANT.

Thanks ETInteractive,

Then how do you process cc off line without storing the credit cards, until you get the order out of the cart.

Is cs-cart going to prevent off line processing?

I assume people using Quickbooks for credit card processing from a cart won't be doing this anymore. It seems like many of the requirements are based on the use of a processor such as authorize.net. I don't use a CC processor on line.

I like using Quickbooks to process CC orders. I guess the alternative is just to use PayPal or cresecure when it comes out.

Bob

[quote name=‘admin’]

For those, who do not fall into this category of merchants, we will recommend to use a third party service (as soon as the integration is done) which provides an intermediary PA-DSS compliant service to process online payments on their side - [URL]http://www.cresecure.com/[/URL] . We are actively cooperating with them now to deliver a bridge module between CS-Cart and their service as soon as possible.

[/QUOTE]



Will this bridge module be made for those using CS 1.3.5 sp4?

Bob,



You cannot do offline transactions while shopping online. That means someone somewhere is storing CC #, exp and CVV code (which is in violation of the rules of VISA, MC, AMEX, etc.). I also think it is against the law and you may be held liable.



Basically if you do business online, you need an online processor.



I would assume CC companies use an offline method for phone orders and customers in front of you, not for online orders.

[quote name=‘pbannette’]Hi,

I am not quite sure where I and others like me fall into PCI compliance regulations.

I process off-line using Quickbooks, which uses Intuit as a processor. They say that it is not an issue since they are PCI compliant and I am transmitting the CC info from Quickbooks through Intuit. They are not involved with the cart.

I was just wondering about the short time between getting an order and copying and pasting the cc from cs-cart to Quickbooks. As soon as this is done, the cc information is deleted. I don’t allow for storage of CC info. I don’t transmit the information via email or via an export, just copy and paste.

For some reason, Quickbooks does not require, and the current version does not even accept the cvv2 code, except manually entering, so I don’t even have to collect it to process the card. For security, it probably is better to use it.

So far, never had a charge back or fraud with credit card processing in the last 8 years.

Would like some feed back.

Thanks,

Bob[/quote]



Bob,



Your question is interesting.



I just called Innovative Gateway which we use and from what I understand is basically the same system as what Quick Books users use.



They basically said what you report.



First, they are compliant, which is good. They may have software upgrades which they will email us about, and all we have to do is a very simple upgrade online, nothing like CS Cart headaches.



Next, they seem to have no interest in shopping carts and no concerns.



As a theoretical matter we as merchants need to follow the rules and basically do periodic scans and follow best practices etc…



As a practical matter in our case Innovative is both our merchant bank and payment gateway.



From Cresecure:

All deadline enforcement will come from your merchant bank.



Which means that as a practical matter as long as Innovative is not asking us to do scans etc we really have no extra steps that we need to take in the near future unless they add new requirements.



Think about it: if the credit card companies really enforce lots of new rules on level 4 small merchants they will simply lose millions of customers overnight.



How likely is this to happen?



Very unlikely.



Meanwhile we are reviewing and upgrading our systems. If a secure cart is required in the future, sadly we will have to leave CS cart for a cart that places security as a top priority.



If need be I suggest CS cart raise its prices to reflect its additional costs to remain compliant.

Traveler,



NO cart that stores CC info so you can key code them offline later will ever be compliant.
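The posts above say the same thing from both sides: a cart that keeps full card numbers so they can be keyed into an offline terminal later is not compliant, and the CVV may never be stored at all. Before you can stop storing PANs you have to find where they already sit (order notes, database exports, web-server logs). As an added example that is not code from the thread or from CS-Cart, here is a stdlib-only scanner that pulls 13-19 digit runs out of text, keeps only those that pass the Luhn check, and reports them masked to first six / last four. The sample records are constructed and use well-known test card numbers; the masking width and the Luhn filter are the example's own choices.

```python
"""Find stored primary account numbers (PANs) in text such as a database
export, order notes or web-server logs.

Added example, not part of the original thread or of CS-Cart.  The sample
records below are constructed; 4111... and 5555... are standard test numbers.
"""
import re

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
# The look-arounds stop the pattern from matching the inside of a longer run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Mask to first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return [(line_number, masked_pan)] for every Luhn-valid 13-19 digit run.

    Order numbers, tracking numbers and phone numbers are usually rejected by
    the Luhn check; a CVV cannot be found by pattern at all, which is why the
    only defence for it is never to collect it into storage in the first place."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


# Constructed sample: one order export line, two notes with test card numbers,
# and a tracking number that is 16 digits long but fails Luhn.
SAMPLE = """\
order_id=1234567890123456 customer=bob@example.test phone=555-0100
order_notes: customer called back, card 4111 1111 1111 1111 exp 09/12 cvv 123
order_notes: second card 5555-5555-5555-4444
shipment tracking 1Z9999999999999999
"""

if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE):
        print(f"line {lineno}: possible PAN {masked}")
```

Run it over a `mysqldump` of the store database and over the access and error logs; any hit in a log file means card data has been written to disk in a place nobody intended, which is exactly the situation the posts above describe.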

[quote name=‘ETInteractive’]Traveler,



NO cart that stores CC info so you can key code them offline later will ever be compliant.[/QUOTE]



Probably true - although never say never, at least that's what James Bond said - or something like that - but I did not say otherwise and I do not ever store credit card information.



My point is very simple in many ways this is all worrying over not much for small merchants at least for Innovative customers.



Innovative is not requiring anything currently in terms of the customer end.



And Innovative as our merchant bank and gateway will be the enforcer not Visa etc…

Or is this not accurate?

Visa already has rules, and if you store the CV2 code you are breaking those rules and Visa can ban you for life and impose penalties. Will they? Probably not, since you're a small merchant, but those rules do exist.

[quote name=‘ETInteractive’]Visa already has rules, and if you store the CV2 code you are breaking those rules and Visa can ban you for life and impose penalties. Will they? Probably not, since you're a small merchant, but those rules do exist.[/QUOTE]



I never mentioned storing CV code information and personally I never store any credit card information and never will.



So to be clear, if you are a small merchant and do not store credit card information and you are an Innovative customer, you have little to worry about.



Actually if you are an Innovative customer or

“all EXISTING merchants outside USA and Canada …”



Or using other payment gateways (I think that I read somewhere that Authorize is one) that have already issued later compliance dates, there is little to be worried about for quite a while.



The odds of Visa closing down millions of small businesses for noncompliance overnight are almost zero.



The stockholders simply would not allow it, as their shares would dive…



You have a better chance of being struck by lightning.



For most there is little to worry about just now - next year? I don’t know but not today.



We now use Paypal as one of our payment gateways so overnight we could switch over with little loss of revenue so this adds to my relaxed attitude.

I agree. With avenues like Google, paypal, cresecure, etc. users have options.

[quote name=‘ETInteractive’]I agree. With avenues like Google, paypal, cresecure, etc. users have options.[/QUOTE]



Options sure, however, none of these are on the same level as an actual business merchant account. Neither Google checkout or paypal payments are really legitimate B2B payment options, B2C fine. Re: Cresecure, I am not much interested in using some proprietary payment system designed by a shopping cart developer to get around the whole compliancy issue. :confused:



Regardless, I am not losing much sleep over all this “yet” considering the deadline is July 2012; hopefully there will be many changes over the next two years! :wink:

here’s to hoping lol

[quote name=‘ETInteractive’]here’s to hoping lol[/QUOTE]



Guess you could also refer to it as “The Power of Positive Thinking” :wink:

Moving forward:



After reading this thread I contacted my host and did a pre-PCI-scan checkup:



I have reconfigured Apache as follows:

maxrequestsperchild 10000
startservers 5
servertokens ProductOnly
traceenable Off
fileetag None
root_options ExecCGI FollowSymLinks Includes IncludesNOEXEC Indexes -MultiViews SymLinksIfOwnerMatch
sslciphersuite ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
serversignature Off
minspareservers 5
maxclients 150
maxspareservers 10

I am on Apache 2.2.15 and PHP 5.2.13



So while I am relaxed about the issue I do take it seriously and am doing what I can to batten down the hatches.
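The settings in the post above are the usual information-leak and method-exposure items a PCI scanner checks on Apache (server banner, signature on error pages, TRACE, inode-bearing ETags, cipher string). As an added example, not code from the thread, here is a small checker that reads an httpd.conf and reports which of those directives are not in their hardened state. It understands the standard Apache directive names (the lowercase names in the post are WHM/cPanel field names, not directives), the two sample configs are constructed, the "weak" one mirrors Apache 2.2 defaults, and the cipher check is a prefix heuristic rather than a full OpenSSL cipher-string evaluator. Note that the post's root_options leaves Indexes on, which this checker reports as directory listing.

```python
"""Check an Apache httpd.conf for the hardening directives discussed above.

Added example, not part of the original thread.  Sample configs are
constructed; directive defaults are those of Apache 2.2 where they matter.
"""
import re

DIRECTIVE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)\s*(.*)$")


def parse_directives(conf_text):
    """Return [(name_lower, [args])] for every directive line.  Comments, blank
    lines and <Section> open/close tags are skipped; directives inside sections
    are still collected (nesting is deliberately not tracked)."""
    out = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        m = DIRECTIVE.match(line)
        if m:
            out.append((m.group(1).lower(), [a.strip("\"'") for a in m.group(2).split()]))
    return out


def _args(directives, name, default):
    """Arguments of the last occurrence of `name` (last one wins in Apache);
    `default` is the value Apache uses when the directive is absent."""
    vals = [args for n, args in directives if n == name and args]
    return vals[-1] if vals else default


def cipher_suite_findings(spec):
    """Heuristic: a cipher group counts as excluded only when it appears in the
    OpenSSL cipher string with a '!' or '-' prefix."""
    negated = {t.lstrip("!-").lower() for t in spec.split(":") if t.startswith(("!", "-"))}
    findings = []
    if not ({"adh", "anull"} & negated):
        findings.append("SSLCipherSuite does not exclude anonymous DH (add !aNULL)")
    for group in ("LOW", "EXP", "SSLv2"):
        if group.lower() not in negated:
            findings.append(f"SSLCipherSuite does not exclude {group} ciphers")
    return findings


def check_config(conf_text):
    """Return a list of findings; an empty list means every checked directive
    is in its hardened state."""
    d = parse_directives(conf_text)
    findings = []
    tokens = _args(d, "servertokens", ["Full"])[0]          # default Full
    if tokens.lower() not in ("prod", "productonly"):
        findings.append(f"ServerTokens {tokens}: use ServerTokens Prod to hide the version banner")
    if _args(d, "serversignature", ["Off"])[0].lower() != "off":
        findings.append("ServerSignature not Off: error pages reveal the server version")
    if _args(d, "traceenable", ["On"])[0].lower() != "off":  # default On
        findings.append("TraceEnable not Off: HTTP TRACE is enabled")
    etag = " ".join(_args(d, "fileetag", ["INode", "MTime", "Size"])).lower()  # 2.2 default
    if "inode" in etag or "all" in etag:
        findings.append(f"FileETag {etag}: ETag carries the inode number; use None or 'MTime Size'")
    for name, args in d:
        if name == "options" and any(a.lstrip("+").lower() == "indexes" for a in args):
            findings.append("Options Indexes: directory listing is enabled; use -Indexes")
    suite = _args(d, "sslciphersuite", [])
    if suite:
        findings.extend(cipher_suite_findings(suite[0]))
    return findings


# Constructed sample mirroring Apache 2.2 defaults (the cipher string is the
# stock httpd-ssl.conf value of that era).
WEAK_CONF = """
ServerTokens Full
ServerSignature On
TraceEnable On
FileETag All
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
"""

# The post's settings expressed as standard directives, with Indexes turned off.
HARDENED_CONF = """
ServerTokens Prod
ServerSignature Off
TraceEnable Off
FileETag None
<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
</Directory>
SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for f in check_config(conf) or ["no findings"]:
            print("  -", f)
```

Feed it the real file (`python check.py < /usr/local/apache/conf/httpd.conf` with a one-line `sys.stdin.read()` wrapper) before paying for a scan; it catches the banner, TRACE and ETag items in seconds, while protocol-level checks such as SSLv2 being enabled still need an actual TLS scan against the listening socket.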

Hi,

I think it’s best not to store any CC information; however, I have been researching and have come across several sources that say it is not mandatory NOT to store any information.

One from 2008 (maybe outdated) is:

http://www.braintreepaymentsolutions.com/blog/pci-compliance-basics-for-credit-card-secuirty

This states that only certain information cannot be stored, such as PIN numbers, CVV and magnetic stripe info.

I don’t normally mention other carts, but I think the information supplied by Miva Merchant on their certification also states that some info can be saved. They have a good document for reference. The documents were too large to attach. They can be retrieved at:

http://extranet.mivamerchant.com/forums/showthread.php?t=100816&highlight=pci+compliance

Miva has no concerns about being compliant. They do rev up their versions, although not as much as cs-cart. I have not seen other cart’s documentation for PCI compliance, but thought the one from Miva may be a good model for cs-cart.

PCI compliance looks like it would be a greater selling point right now, ahead of new features.

Bob

[quote name=‘pbannette’]Hi,

…

PCI compliance looks like it would be a greater selling point right now, ahead of new features.

Bob[/QUOTE]



I second the motion. Let's see if the CS cart owners are listening…