
PCI PA-DSS


As of the release of our version 10 software, AspDotNetStorefront is PA-DSS certified. This manual page is for older versions of AspDotNetStorefront, and the content below is outdated. To learn more, please visit this page.

Update Nov. 29, 2010

While there are no imposed deadlines for all merchants to be using Payment Application Data Security Standard (PA-DSS) compliant shopping carts, the Payment Card Industry, in its release of new standards on October 28, 2010, reinforced its requirement for e-commerce to honor the PA-DSS guidelines. In the spirit of that, AspDotNetStorefront will continue to lead the way by certifying all our payment applications through an appointed Payment Application Qualified Security Assessor (PA-QSA).

Today, all of our editions are built to the standard, and those that are not yet through the certification process will be accredited in early 2011. We had paused our certification processes while we waited to learn what additional requirements the latest release would introduce, but we are proud to report that we already meet all of the new requirements.

Update Aug. 8, 2010

Version 9's PA-DSS certification is pending; version 8 is already PA-DSS certified. Each new build version has to be re-certified. ETA: 2-3 months.

In 2005, Visa developed the Payment Application Best Practices (PABP) guidelines to help store owners set up secure e-commerce sites and protect their customers' sensitive information. In 2008, the Payment Card Industry Security Standards Council (PCI SSC) adopted and expanded Visa's guidelines, creating the Payment Application Data Security Standard (PA-DSS). Beginning July 1, 2010, YOU are responsible for adhering to those guidelines!

Full PCI compliance covers a lot of ground – everything from who has physical access to your data, to what you print out and how often you change your passwords. The most important (and often complicated) part of PCI compliance is the software that you run your sales on. That software determines what customer data is stored (and how), and how that data is handled when running credit card transactions. Using AspDotNetStorefront takes the hassle out of this part of PCI compliance. When you install our software, you can rest assured that your store has a strong and secure foundation to build on!

The Facts:

  • PCI is here. The deadlines for most online merchants are long past, and as of July 1, 2010, everyone who accepts credit card payments online has to be compliant! AspDotNetStorefront was one of the first payment applications to become certified.
  • The penalties for not meeting PCI compliance regulations can be between $5,000 and $100,000 per month! Do you want to take that risk?
  • Becoming PA-DSS certified is not cheap! If you develop your own 'homegrown' payment application, you may be responsible for paying to have it certified – a cost that can go into the tens or even hundreds of thousands of dollars! AspDotNetStorefront has done the work for you, making PCI compliance much cheaper!
  • PCI compliance can be easy! Using PA-DSS compliant software like AspDotNetStorefront and PCI compliant hosting from one of our hosting partners can make the process easier than it sounds.
  • If your site accepts credit card payment online, you are responsible for following the PCI guidelines, even if you don't store that data. You can make compliance easier (and cheaper!) using so-called 'boomerang' gateways - payment options that take customers off your site to pay then return them when the order is complete. AspDotNetStorefront supports eight of these boomerang gateways, making compliance a cinch!
  • Many applications that say they are compliant are only certified under the old PABP rules. Those certifications expire this year! AspDotNetStorefront is certified under the full PA-DSS guidelines, and we work with the PCI SSC to keep that certification up to date. Don't take the chance on outdated certifications ruining your site!

PCI Today

Typically, PCI compliance is initially driven by the merchant's acquiring bank. As more of the large brick-and-mortar retail merchants and high-visibility e-commerce merchants attain compliance or make significant progress towards it, smaller and lesser-known e-commerce merchants are beginning to get more attention. Today, these banks are broadening their communication to the smaller e-commerce merchants to ensure they identify their current gaps in compliance and work to resolve them. Currently, these banks are levying fines on merchants that do not get into compliance by previously provided deadlines. Similarly, for merchants that are compromised, they are levying fines and penalties that can quickly exceed one million dollars.

If you are still using an AspDotNetStorefront version prior to v8.x, we again strongly encourage you to update so you can take advantage of our PA-DSS certification for your site.

AspDotNetStorefront, by virtue of our PABP certification and PA-DSS certification, has partnered with longtime PCI assessor Coalfire Systems to develop a program aimed at assisting our 8.x clients in cost-effectively attaining compliance. Coalfire Systems serves as a one-stop shop for PCI, offering a host of services which drive merchants to compliance. Coalfire is an Approved Scanning Vendor (ASV), authorized to provide the required quarterly external network scans. The quarterly scans are a cost-effective way to ensure your cardholder data environment (CDE) is adequately protected, and PCI DSS requires them of every merchant whose in-scope systems are reachable from the Internet. Additionally, Coalfire provides cost-effective PCI compliance assessment and consulting services intended to assist merchants with completing the annual PCI Self-Assessment Questionnaire (SAQ), a requirement for Level 2 and 3 merchants and for Level 4 merchants at their acquirer's discretion; Level 1 merchants must instead undergo an annual on-site assessment by a QSA.

COALFIRE SYSTEMS PCI COMPLIANCE PARTNER SERVICES

Note that even though our software platform is PA-DSS validated, you (the merchant) must still achieve and maintain your own PCI DSS compliance, which also involves assessing your hosting/server environment together with the software. PA-DSS validation of the application is one input to your compliance, not a substitute for it.

To inquire about Coalfire Systems PCI services that you may use for your own PCI compliance testing, please contact:

Ryan McGowan
(206)352-6028 ext 7504

VERIFIED BY VISA/MASTERCARD 3-D SECURE

On a related topic, we also support Verified by Visa / MasterCard SecureCode (3-D Secure) in the US and UK for selected gateways. Click here for more info.