PA-DSS: What is it and why is it important for my online shop?

On 1 July 2010, Visa are making a new set of security standards mandatory for all shopping cart software that processes Visa credit cards. These standards are called PA-DSS (Payment Application Data Security Standard) and govern how credit card data is collected and stored by your shopping cart software. Their purpose is to ensure that no online or offline software handling credit card data stores prohibited data such as the CVV (the card security code printed on the card), which must never be retained once a payment has been authorised. How is this different from what is in place now, and what does it mean for you?
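A practical way to check the "no prohibited data is stored" requirement is to scan your own database exports and application logs for full card numbers and security-code fields. The script below is an added example written for this page (it is not code from the Ozcart post or from any payment provider): it finds digit runs of card-number length, confirms them with the Luhn check that all payment card numbers satisfy, and flags fields named like a security code. The sample records, the field names and the regular expressions are constructed assumptions about how a cart might label such data.

```python
import re

# Constructed sample records, as a cart might persist or log them.
# Records 1 and 3 store prohibited data; records 2 and 4 are clean
# (a provider token plus last four digits, and a Luhn-invalid tracking number).
SAMPLE_RECORDS = [
    'order=1001 customer=alice@example.com total=49.95 pan=4111111111111111 cvv=123 expiry=12/25',
    'order=1002 customer=bob@example.com total=12.00 token=tok_8f3a9c last4=4242',
    'order=1003 customer=carol@example.com total=99.00 card=5500 0000 0000 0004 cvc2=456',
    'order=1004 note="tracking 1234567890123456" total=5.00',
]

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names (assumed) under which a security code might be stored, followed by 3-4 digits.
SECURITY_CODE_FIELD = re.compile(
    r"\b(?:cvv2?|cvc2?|csc|cid|security[_ ]?code)\b\s*[=:]\s*\"?(\d{3,4})\b",
    re.IGNORECASE,
)


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid card numbers found in text, with separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan):
    """Mask all but the last four digits so the report itself is not a leak."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_records(records):
    """Scan each record; return (line_number, kind, masked_value) findings.

    Security-code values are never echoed, only their presence is reported.
    """
    findings = []
    for lineno, rec in enumerate(records, start=1):
        for pan in find_pans(rec):
            findings.append((lineno, "PAN", mask_pan(pan)))
        for _ in SECURITY_CODE_FIELD.finditer(rec):
            findings.append((lineno, "SECURITY_CODE", "<redacted>"))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in scan_records(SAMPLE_RECORDS):
        print(f"record {lineno}: stored {kind} {value}")
```

Run it over a database dump or a day of web-server and application logs. Any PAN hit means full card numbers are being persisted and the storage needs to be redesigned (tokenise or do not store at all); any SECURITY_CODE hit is a direct breach of the storage prohibition. A Luhn-valid 16-digit value can occasionally be something other than a card number, so treat hits as leads to investigate rather than as proof.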

The rules that make up the PA-DSS standard are not new at all: they were previously published as a set of best-practice guidelines. The key difference is that from 1 July 2010 it becomes mandatory that any application processing Visa credit cards complies with them. Fines will be issued to merchants who are using non-compliant carts and to the providers of those carts.

When the new standards come into force, there will be three ways for an online shop to be compliant:

  • Have the shopping cart certified by an approved security assessor (a Payment Application Qualified Security Assessor, or PA-QSA, accredited under the PCI programme); this is required when the shopping cart is a downloadable product that can be installed on any server
  • Have the payment step of the shopping cart redirect the customer to the payment provider’s website and back again once the payment is complete (the way providers like e-path and PayPal generally work), so that card details are entered on the provider’s site and never pass through your cart or server
  • Meet the exemption criteria: a cart that is built and operated by the same business is out of scope for PA-DSS (this is the case with hosted shopping carts like Ozcart that do not allow users to modify the code or install the software on their own servers)

In addition to the PA-DSS rules, all merchants still need to comply with the existing PCI DSS security standard, which is defined by the PCI Security Standards Council for the whole payment industry. PCI DSS covers both your server environment and your business processes.

Visa have stated that compliance applies to new merchant accounts issued from 1 July 2010 and to existing merchant accounts from 1 July 2012.

At Ozcart, although our hosted shopping cart meets the exemption criteria above, we have made a business decision to update all of the payment components in new and existing customers’ websites before 1 July 2010 so that every one of them redirects to the payment provider’s website (this is how most of them work already). This makes the payment part of our cart easier for everyone to understand: it works the same way no matter which payment option you use.

Ozcart Ecommerce

Ozcart has been in business since 2006 and is an online, hosted shopping cart that you can use for your current or new online store. We offer so many features for the same low price. In fact, we are addicted to adding new ones to ensure that we remain one of the best choices for a shopping cart. https://ozcart.com