Introduction.
In this article I will try to collect all the options available to merchants regarding PA-DSS certification.
Here you will find recommendations and explanations of PA-DSS.
I hope it will help your online business, so let's move forward!
What is PA-DSS?
PA-DSS is a payment application data security standard created by Visa.
Initially PA-DSS was created for ATMs and hardware terminals, and I know that many QSAs (Qualified Security Assessors, the companies that will certify your store or software) will agree that PA-DSS is not ideal for ecommerce stores, as it was designed for banks and ATMs. That is why the PA-DSS requirements are sometimes not so easy to understand :).
Why PA-DSS?
The aim of PA-DSS is to secure cardholder data and to make online shopping more secure in general.
It may surprise you, but PA-DSS is not needed for 85% of online stores; only 15% (or even fewer) of merchants need it.
Many big names are not PA-DSS compliant: Yahoo Stores, 3dcart, Volusion and Big Commerce are all non-compliant with PA-DSS!
So, do I need PA-DSS?
PA-DSS certification applies only to specific kinds of ecommerce systems.
If you read the PA-DSS requirements document (Page V) you will see that PA-DSS does not apply in the following cases:
- PA-DSS does NOT apply to payment applications offered by application or service providers only as a service
- PA-DSS does NOT apply to non-payment applications that are part of a payment application suite.
- PA-DSS does NOT apply to a payment application developed for and sold to only one customer since this application will be covered as part of the customer’s normal PCI DSS compliance review.
- PA-DSS does NOT apply to payment applications developed by merchants and service providers if used only in-house.
Practically, this means that you can avoid PA-DSS certification in certain cases.
You need PA-DSS:
- if you use a payment application that is sold and installed "off the shelf" without much customization by the software vendor, and you accept credit cards on that "off the shelf" shopping cart (the customer enters credit card information directly on your site)
You DON'T need PA-DSS:
- if you use a SaaS system
- if you use a custom shopping cart
- if your store doesn't transmit credit card information (see the next point)
So if you use a SaaS system or a custom shopping cart, PA-DSS is not required.
But what should you do if your store does need PA-DSS? Please read on.
How can I become PA-DSS certified easily?
In general, if your shopping cart never transmits or stores credit card information, PA-DSS validation isn't required.
Let's study the most common cases; they are based on real questions we receive from our customers.
Case 1: I use a web-based payment processor (e.g. PayPal Standard). Do I need to pass PA-DSS?
This means that your store does not transmit credit card information, because the card data is entered and processed on the payment processor's side. So you don't need PA-DSS validation.
Case 2: I use recurring billing (subscription) in my store. Is it compatible with PA-DSS?
It is acceptable for PA-DSS only if you do not store any credit card information. You should consult your shopping solution provider, as many subscription modules store credit card data and then reuse it for the recurring payments. That is not PCI DSS compliant, and the solution is to switch to a web-based subscription processor (such as PayPal Subscriptions).
If you use a web-based subscription processor (i.e. you do not store any credit card data), PA-DSS is not required.
Case 3: I use a hosted payment solution, i.e. the customer enters credit card information directly on my site. Is it PCI-DSS compatible?
As said above, if the customer enters credit card information on your site, you need PCI-DSS compliance.
The simplest way out is to switch to web-based payment; in that case you don't need to pass PA-DSS certification (see Case 1). This is a rather good solution, because today many customers feel comfortable paying on, for example, the real PayPal site. It acts as an additional level of security.
Case 4: But I still want to accept credit cards directly on my site. Is there any easy solution?
Yes, it is possible: you can use your current shopping cart with the CREsecure hosted solution, which is compatible with all major banks and processors. They have already developed modules for the most popular shopping carts (Magento, osCommerce, etc.) and will develop modules for other shopping carts in the future. It is the easiest way to be PA-DSS certified, if you still want to be certified :)
Important note: these are the most common cases; you may want to consult a specialist regarding PA-DSS for your store.
Further reading:
Still have questions? We have gathered some useful links on PA-DSS certification:
PA-DSS is shockingly expensive - annual fees of tens of thousands of dollars, because if you run on (e.g.) Windows and MS issues an update (to either Windows, IIS or SQL Server), your application needs to be re-certified. Well, that is what the PA QSA told us. He could probably retire on the fees from our application alone.
So the options:
1) rather than use a well-tested secure shopping cart developed by people with expert knowledge and years of experience of web security, you can develop your own homemade system (even if you have zero experience or qualifications) - since custom applications don't need PA-DSS!
2) as a cart vendor, we can reduce our fees by patching our software as little as possible. If we find a bug, keep quiet and hope no one notices, and we save thousands of dollars.
Whoever thought this up was obviously drunk, incompetent, or both. The rules just encourage users to write their own amateur solution rather than buying a secure professional one.
The official document with requirements is here:
https://www.pcisecuritystandards.org/pdfs/pci_pa_dss.pdf