We now offer McAfee PCI Compliance Service, a simplified and easy-to-use system that is optimized for Level 2, 3, and 4 merchants that need to successfully complete all requirements for PCI certification. Only $99/yr. – a 65% saving!
McAfee PCI Compliance Service is designed for Level 2-4 merchants that need to successfully and confidently complete the steps necessary for PCI certification. Originally developed for Visa International, the service includes automated state-of-the-art scanning, an online self-assessment questionnaire, McAfee Technical Assist (extensive technical support, such as vulnerability remediation assistance), and the PCI Wizard to help manage compliance activities. Tens of thousands of organizations around the world—from government agencies and online retailers, to nonprofits and manufacturers—trust McAfee to audit their initial and ongoing PCI compliance status.
Click here for more information about our compliance services.
PA DSS and the Shopping Cart Industry
PA-DSS and the shopping cart industry
The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In July of 2010 standards will no longer be option, but required by any payment application dealing with card holder data. Simply put, if a merchant is not running a PA DSS-validated application after the deadline, they will automatically fail their PCI assessment.
In July of next year, new merchants that apply to get a merchant account will have to show the bank, as one of the steps to getting the account, that they are using a PA DSS certified shopping cart. Currently the only place that will have the verified list is the Visa website. If the cart they are using isn’t certified, the store owner will not be able to get a merchant account. Increasingly, merchants are getting letters about compliance and it will ultimately lead much higher fees for those on an uncertified platform and, we believe, ultimately to the cancellation of services if an approved platform isn’t adopted.
We are in the final stages of being certified and our 3.7 release will be our first PA DSS certified release. We are trying to be on the leading edge of the education process for our industry and it is very clear there are a lack of understanding and a ton of misinformation out there. I have personally been sending in requests to cart companies asking about PA DSS certification. My question is simply – are you currently, or in the process of becoming PA DSS certified for your shopping cart? Here are a couple responses.
“It does not need to be. The server is the portion that needs the certification as the cart does not handle the CC information but hands it off to a payment gateway.”
Here’s another – “PA DSS software vendor – I am 99% sure this is for your quarterly network scans which need to take place. We use MacAfee which are qualified.
I have more but all of them are patently false answers. Unless you are only using a payment product like PayPal standard where the card holder data isn’t touched by the application, you should be using a PA-DSS certified application. We are seeing an increase in this type of offering from the gateway companies but these pages aren’t on the client’s website and that simple change guarantees a decrease in sale conversions. I will write a separate post on this topic in the coming weeks.
It’s important to understand that at the time of this posting, no open source or “free” application has announced any intent of certifying their applications PA-DSS. In fact, Magento has clearly stated on their site they WILL NOT be certifying their community application and are encouraging customer to move up to their $10,000 enterprise level application to reach certification. This, of course puts many merchants in a bad situation. We are in the process of working with a number of vendors who will assist clients in moving from these non-compliant applications into Pinnacle Cart.
Undoubtedly, the changes in our industry will create considerable consolidation. By and large the shopping cart industry has been considered a cottage industry made up of hundreds of companies with just 2-3 people. The tens of thousands of dollars that must be invested and the changes to the software product will be too much for many to withstand.
As part of our effort to educate the industry, we will have a booth at the Hosting Con Tradeshow in Washington D.C., next month and I will be part of a panel speaking on this topic. Hope to see some of you at the convention or at our booth #343.
Feel free to give me a call or drop me an email to discuss further.
Mike Auger
PCI Compliance Part I – What is it and do I need it?
For those of you that don’t know, PCI DSS is the Payment Card Industry’s (PCI) Data Security Standard. Which essentially is the standard created by the credit card industry to protect consumers against credit card and identity theft. I think we call all universally agree that creating a standard for managing and securing customer data is a great idea so I’m not going to get into the pros and cons of the concept of PCI, but I do have a beef with the way compliance is currently being done. Before I get into that let me give you the 30 second history on PCI DSS.
The beginnings of the program can be traced back to completely separate security standards created by VISA, MasterCard, American Express and Discover. Each program had its own set of rules and regulations that merchants had to adhere too. The Payment Card Industry Security Standards Council (PCI SSC) was formed with the intent of creating a universal standard for securing data and on December 15th, 2004 the newly formed entity released its uniform set of standards which became what we now know as PCI DSS.
Without getting into too much detail there are essentially 4 different levels of PCI compliance, with most merchants falling into level 4.
Here’s the breakout:
Level 1 – Any merchant – regardless of acceptance channel – processing over 6,000,000 Visa transactions per year. Any merchant that has suffered a hack or an attack that resulted in an account data compromise. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. Any merchant identified by any other payment card brand as Level 1
Level 2 – Any merchant processing 150,000 to 6,000,000 Visa e-commerce transactions per year.
Level 3 – Any merchant processing 20,000 to 150,000 Visa e-commerce transactions per year.
Level 4 - Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 6,000,000 Visa transactions per year.
The current version of the standard specifies 12 requirements for compliance, organized into 6 logically related groups, which are called “control objectives.” You can verify these requirements by doing a “self-assessment” or though one of many Qualified Security Assessors (QSAs). The good news is these QSA’s will walk you through the compliance process, step-by-step. I’ve personally gone through the compliance process with two rather large QSA’s, Control Scan and Scan Alert for a couple of reasons. For starters I wanted our company to be better educated on the process so we could answer any questions that our customers may have as they become compliant, but also I wanted to better understand the dreaded “false positive” syndrome surrounding compliance.
Stay tuned for my experiences in PCI Compliance part II!