Now that it’s a requirement, online store owners are finally starting to get the term PA-DSS drilled into their heads. I’ve spoken about this for some time, but it seems far too few merchant account providers took time to notify companies early and often. Some companies are already being charged monthly fees for not following the global security standard set forth by the Payment Card Industry Security Standards Council (PCI, for short).
PA-DSS stands for Payment Application Data Security Standard. It was created to set specific data-transmission and storage standards for payment applications (like online shopping carts and payment gateways). The standard prevents third-parties from storing sensitive information, like magnetic stripe data, CVV2 (or CID) numbers and PINs.
PCI-DSS (the PCI’s own Data Security Standards) now requires that applications be PA-DSS validated as well. PCI standards include the transmission of data using SSL encryption, protecting cardholder information, and creating and enforcing strict security policies.
Online shopping cart developers have been scrambling this past year to update their software so it can be authenticated. For some, it will be the end of the road, since the development process can be both lengthy and expensive.
The deadline for PA-DSS was July 1, 2010. It is now up to merchant account providers to take one of many steps to enforce the rules, including:
- Warning companies that they are not compliant, and providing a deadline for rectification.
- Charge companies additional fees (the average I’ve personally seen is $25/month) for not being compliant, and provide a definitive deadline.
- Inform companies that failure to rectify could result in loss of the merchant account (the ability to accept online payments).
- Cancel merchant accounts for companies which refuse to comply (this is not commonly the first or second action by the provider).
Some merchants argue that the new standards are really about money, because previous standards were created to protect cardholders and, in many ways, failed. For example, the CVV2 (or, CID) – those 3 to 4 numbers on the front or back of the credit card – was implemented to protect both consumers and merchants. It was a method used to prove possession and ownership of the credit card. It wasn’t long before thieves got hold of this information as well, sending the world of identity theft spinning even faster.
Regardless, the compliancy standards are here, and merchants need to take them seriously. Here’s a few steps store owners should be taking right now:
- Confirm the shopping cart you use passes PA-DSS. Vendors will receive an Attestation of Validation, and will also (though it could take several months to be finalized) be listed at the PCI web site. (Current Listings) VISA maintains an easier-to-read listing in PDF format.
- If the software is not yet validated, find out if the company is in the testing process.
- If there’s no intention to become validated, start researching other shopping carts that provide the features you want and get estimates on making a switch.
Note: If you use a third-party application to process payments, such as PayPal or Amazon Checkout, which do not handshake card data back to your server, the shopping cart doesn’t necessarily need to be validated, but you should check to make sure that the shopping cart itself doesn’t touch the payment data at all.
Whatever you do, don’t just assume. Some online store owners are already reporting being billed for not being compliant. Ensuring your shopping cart, and other tools you use, pass validation will keep your business running smoothly and (hopefully) money rolling inward.