Introduction.
In this article, I will try to accumulate all possible solutions for merchants regarding PA-DSS certification.
Here you will find the recommendations and explanations of the PA-DSS.
I hope it will help your online business, so lets move forward!
What is PA-DSS?
PA-DSS is a payment application data security standard created by Visa.
Initially PA-DSS was created for ATM/hardware terminals, and I know that many QSA (Qualified Security Assessor - companies that will certify your store or software) will agree that PA-DSS is not ideal for ecommerce stores, as it was designed for banks and ATM. That is why it is not so easy to understand PA-DSS requirements sometimes :).
Why PA-DSS?
PA-DSS aim is to secure cardholders data, and make online shopping more secure in general.
It could be a surprise for you, but PA-DSS is not needed for 85% of online stores, only 15% (or even less) merchants need it.
Many big names are not PA-DSS compliant: Yahoo Stores, 3dcart, Volusion, Big Commerce are non-compliant for PA-DSS!
So, do I need PA-DSS?
PA-DSS certification is applied to specific ecommerce systems.
If you will read the PA-DSS certification requirements (Page V) you will see that PA-DSS is not applied to:
- PA-DSS does NOT apply to payment applications offered by application or service providers only as a service
- PA-DSS does NOT apply to non-payment applications that are part of a payment application suite.
- PA-DSS does NOT apply to a payment application developed for and sold to only one customer since this application will be covered as part of the customer’s normal PCI DSS compliance review.
- PA-DSS does NOT apply to payment applications developed by merchants and service providers if used only in-house
Practically, it means that you can avoid PA-DSS certification in certain cases.
You need PA-DSS:
- if you use payment application that sold and installed “off the shelf” without much customization by software
vendor - and if you accept credit cards on your “off the shelf” shopping cart (customer enter credit card information directly on your site)
You DON'T need PA-DSS:
- if you use SaaS system
- if you use custom shopping cart
- if your store doesn't transmit the credit card information (read next point)
So if you use SaaS system or custom shopping cart, PA-DSS is not required.
But what to do if your store need PA-DSS? Please read further.
How can I become PA-DSS certified easy?
In general, if your shopping cart never transmits or stores credit card information, PA-DSS validation isn’t required.
Lets study the most common cases, it is based on real questions we receive from our customers.
Case 1: I use web-based payment processor (e.g. Paypal Standard). Do I need to pass PA-DSS?
It means that your store does not transmit credit card information (as the credit card data is processed on payment processor side). So you don't need PA-DSS validation.
Case 2: I use recurring billing (subscription) in my store. Is it compatible with PA-DSS?
It is acceptable for PA-DSS only if you do not store any credit card information. You might consult with your shopping solution provider as many subscription modules store credit card data and then use it for recurring payments. It is not PCI-DSS compliant and the solution is to switch to web-based subscription processor (such as PayPal Subscriptions).
If you use web-based subscription processor (i.e. you do not store any credit card data), PA-DSS is not required.
Case 3: I use hosted payment solution, i.e. customer enter credit card information directly on my site. Is it PCI-DSS compatible?
As said above, if customer enter credit data information on your site, you need PCI-DSS compliance.
The most simple way is to switch to web-based payment, in this case you don't need to pass PA-DSS certification (see case 1). This is rather good solution, because today many customers feel comfortable when they pay e.g. on real PayPal site. It will be some kind of additional security level.
Case 4: But I still want to accept credit cards directly on my site, are there any easy solution?
Yes, it is possible, you can use your current shopping cart with CREsecure hosted solution which is compatible with all major banks and processors. They have already developed several modules for most popular shopping carts (Magento, osCommerce, etc) and will develop many modules for other shopping carts in the future. It is the easiest way to be PA-DSS certified, if you still want to be certified :)
Important note: these are the most common cases, you might want to consult with the specialist regarding PA-DSS of your store.
Further reading:
Still have questions? We gather some useful links on PA-DSS certification:
thank you for your comment.
you are correct, the credit card data is processed on CRESecure side to achieve the PCI-DSS compliance. However, CRESecure provides the HTML Clone™ technology so the customer might not notice he/she left the client site. It may be a good solution for merchants who wants to use the not web-based payment methods but do not want to spend tons of money for PCI-DSS certification and server re-configuration for PA-DSS modules of any type.
"CRESecure" is not "directly on my site". It's a SaaS and a buyer gets redirected to their web-site (see http://www.cresecure.com/pages.php?pID=7&CDpath=0).
They do offer an iframe integration method, but that's redirecting to their site anyway. Imagine what happens if they servers don't work for reason or there is a connection problem between your and their servers.