PCI and PA-DSS compliance seems to be one of the most misunderstood subjects in e-commerce, so I’ll attempt to explain it as simply as I can as it relates to your business.
PA-DSS vs PCI
PCI Compliance is the overall regulation governing credit card handling and processing on the web. PA-DSS deals with the shopping cart software itself, and it is one part of being PCI Compliant. If you are using a SaaS cart like Shopify, AmeriCommerce or BigCommerce, your cart is exempt from PA-DSS. Why? Because SaaS companies limit your access to certain areas of the code, thus ensuring that security holes can’t be left open by incompetent developers :) So if you are on one of those platforms, you don’t have to worry about it.
PA-DSS compliance regulates how a merchant (store) handles customer credit card data. While there are many parts to the regulation, what matters most in this discussion is that a store can no longer store cardholder data on a server connected to the internet, and that cardholder data cannot be transmitted through an application (shopping cart) that is not certified. Certification is not a cheap process, and as of this writing, there are not many shopping cart platforms under $1000 that have been certified. This regulation is the reason we switched to Pinnacle Cart – it is a fully PA-DSS compliant cart.
How can you comply?
You basically have 3 options:
1. Migrate to a PA-DSS compliant shopping cart.
2. Switch to an off-site payment gateway (one that handles the credit card data on its own site) such as PayPal or Authorize.NET SIM
3. Use a system like Authorize.net DPM or X-Payments
Keep in mind that any option that adds a step to the checkout process or sends the customer off your site will impact your conversion rate. Using a fully PA-DSS compliant cart is the best solution if it is not cost prohibitive for you.
What else is required to be PCI Compliant?
PCI Compliant Hosting Account
If you are on a self-hosted platform, you need to be on a PCI Compliant hosting account. This means that the server is routinely scanned (more on that in a minute) for security holes, outdated software and potential threats from hackers. Cheap hosting accounts like GoDaddy or HostGator will generally fail these scans, so they are not recommended. You’ll pay a bit more for a good, compliant host, but trust me when I tell you that it is definitely worth it.
Many merchant banks will require you to run a monthly scan on your e-commerce web site. This will check the software for any security issues, as well as the hosting account. There are many companies that do this sort of thing, including Trustwave, ControlScan, McAfee, etc. Your merchant bank will usually tell you which one they require.
Self Assessment Questionnaire (SAQ)
Your merchant bank will also require you to fill out a quarterly/yearly SAQ. These forms can get extremely complex depending on what type of business you are running, and how you are handling credit card data. In the chart to the right you can determine which type of form you will need to fill out. They get more complex the further down the list you get.
What if I am not compliant?
Well, if you are not using a PA-DSS compliant cart, you can be subject to fines and penalties. Worse, if your store is hacked and credit card data is stolen, you can be held liable. If your merchant account provider has not yet enforced this certification, they most certainly will be calling soon.
Visit the PCI Security Standards Council for much more in-depth info on all of these topics. We can also help you with a lot of the tech stuff if you are running Pinnacle Cart, just drop us a line!