PCI compliance

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
11 years ago
Is NOP Commerce PCI PA-DSS compliant or not? When I do a search on the PCI page, it is not listed:

https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true

Is this the wrong page? Should I be looking somewhere else for PA-DSS? Why does NOP say it is compliant? How was its compliance status determined?

Isn't PA-DSS essentially mandatory at this point to sell anything online?

I'm interested in using NOP and purchasing support, but this would be a requirement.
11 years ago
nopCommerce meets all PCI Compliance requirements. But we did not try to pass any official certification.
11 years ago
I accept your answer, and I understand why you wouldn't want to go through the expense for free software, but I'm not sure how to rectify that with this statement:

“The Visa Payment Application Compliance Program (PACP) requires all merchants to be utilizing applications which have been validated as compliant to PA-DSS no later than July 01, 2010”; otherwise, lots of fines.

So even if I think my operation, running your software, is PCI compliant, it doesn't sound like I'll be officially compliant in the end because I'm using software that isn't PA-DSS certified. Every nopCommerce site can't possibly be using a hosted payment solution? Are they paying to get nopCommerce PA-DSS certified themselves?
11 years ago
cbuckley wrote:
I accept your answer, and I understand why you wouldn't want to go through the expense for free software, but I'm not sure how to rectify that with this statement:

“The Visa Payment Application Compliance Program (PACP) requires all merchants to be utilizing applications which have been validated as compliant to PA-DSS no later than July 01, 2010”; otherwise, lots of fines.

So even if I think my operation, running your software, is PCI compliant, it doesn't sound like I'll be officially compliant in the end because I'm using software that isn't PA-DSS certified. Every nopCommerce site can't possibly be using a hosted payment solution? Are they paying to get nopCommerce PA-DSS certified themselves?

Hi,

I am in the UK and Barclays have no problem with me using NopCommerce with any of their APIs, nor did Cardsave when I used to use them.

If you are using them as a host, i.e. like when you buy something off eBay and you are transferred to PayPal, then you won't be storing card data anyway, so that is not a problem.

hth
11 years ago
Please check this email. Now I am confused what to do because they are going to hold my PayPal account, which we are using for at least 10 sites.

Dear Customer,

Thanks for letting us know that your business is PCI compliant, that's great news. All we need now is for you to send us your PCI certification for our records. It's very straight forward, just follow these steps:
•  Click the button below
•  Fill in the online form with your business details
•  Upload a copy of your PCI certificate

Please note that the certification you provide must have been carried out by a PCI Qualified Security Assessor (QSA) who is certified by the PCI Security Standards Council to carry out compliance assessments. So that's it, once we have your certification, we can update our records and it's back to business as usual. Why not get it out of the way now?

If you have any questions, you can log in to your PayPal account and click 'Contact us' for personalised information on how best to get in touch with your PayPal team.

Yours sincerely,

PayPal
11 years ago
[email protected] wrote:
Please check this email. Now I am confused what to do because they are going to hold my PayPal account, which we are using for at least 10 sites.

Dear Customer,

Thanks for letting us know that your business is PCI compliant, that's great news. All we need now is for you to send us your PCI certification for our records. It's very straight forward, just follow these steps:
•  Click the button below
•  Fill in the online form with your business details
•  Upload a copy of your PCI certificate

Please note that the certification you provide must have been carried out by a PCI Qualified Security Assessor (QSA) who is certified by the PCI Security Standards Council to carry out compliance assessments. So that's it, once we have your certification, we can update our records and it's back to business as usual. Why not get it out of the way now?

If you have any questions, you can log in to your PayPal account and click 'Contact us' for personalised information on how best to get in touch with your PayPal team.

Yours sincerely,

PayPal

Hi,

That is a standard letter; I had one from Barclays.

Basically the PCI Qualified Security Assessor will run a series of security tests against your server's and website's security, i.e. firewall, anti-virus, to make sure your website is secure. Once you have passed, the QSA will issue a certificate to that effect.

I don't know who you bank with in the UK, but Barclays referred me to a company called Security Metrics who charge £11.99.

I would go and talk to your bank.

Note: I have a merchant account with PayPal and I use them to process payments, i.e. the customer goes from my site to make payment with PayPal, therefore no credit card details are stored on my DB, no PCI compliance required.

HTH
11 years ago
https://www.nopcommerce.com/boards/t/17391/paypal-pci-compliance-required-from-30th-july-2012-amazon-checkout.aspx

Please have a look at the last post
11 years ago
[email protected] wrote:
https://www.nopcommerce.com/boards/t/17391/paypal-pci-compliance-required-from-30th-july-2012-amazon-checkout.aspx

Please have a look at the last post

I have been watching that post.

1: Do you store credit card details on your server, i.e. database? If no, then you do not have to have the PCI cert, as nop is already PCI compliant.

2: Does PayPal or Google or your bank process the payments for you? If so, the above applies also.

3: If you do store credit card details on your server, then you have to be PCI certified and compliant, either done yourself or via a company like Security Metrics.
11 years ago
garrie007 wrote:

3: If you do store credit card details on your server, then you have to be PCI certified and compliant, either done yourself or via a company like Security Metrics.

I can't see any reason for anyone to store CC details on their server. It's just asking for trouble.
11 years ago
daveb wrote:

3: If you do store credit card details on your server, then you have to be PCI certified and compliant, either done yourself or via a company like Security Metrics.

I can't see any reason for anyone to store CC details on their server. It's just asking for trouble.

Hi,

Yeah, I know. We don't store anything like that on our servers; let the banks and PayPal worry about that, that's what we pay the percentage and monthly charge for. Saves on the cost of compliance certs etc.