PCI Compliance

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
13 years ago
I just recently received this message. Does anyone have a similar circumstance? If this is a target of Card Processing Service to increase profit at the cost of this rule, then nopCommerce users could suffer a mass of consequences for not having this certification.

"These PCI security requirements have been phased in over time and now apply to ALL merchants that accept Visa, MasterCard and other payment cards."

See below for the full message.
---------------------------------------
Subject: IMPORTANT NOTICE [ACTION REQUIRED]
Mailed by: securitymetrics.com


Thank you for choosing Card Processing Service for your Visa, MasterCard and other networks' payment processing needs. Please keep reading for essential data security information about your account.

If you are concerned with the validity of this email, please call us at THE CUSTOMER SERVICE NUMBER LOCATED ON YOUR MERCHANT STATEMENT to validate this notice.

Why am I getting this e-mail?
We are the processor for your Visa, MasterCard and other payment card transactions.  We are sending you this email to alert you to urgent actions you are required to take to help combat cardholder fraud and identity theft.  THESE ACTIONS ARE REQUIRED BY VISA, MASTERCARD AND THE OTHER PAYMENT CARD NETWORKS.

Data Security Standards Background
In 2005, the payment card networks established a common set of industry requirements designed to help with the safe handling of sensitive payment card account information.  These requirements are known as the Payment Card Industry (PCI) Data Security Standard.  These PCI security requirements have been phased in over time and now apply to ALL merchants that accept Visa, MasterCard and other payment cards.

More information about this security standard is available online at: www.pcisecuritystandards.org
www.visa.com/cisp
www.mastercard.com/sdp

What do I need to do?
IF YOU ARE NOT PCI COMPLIANT, IT IS URGENT THAT YOU BECOME PCI COMPLIANT WITHOUT DELAY. To help you to achieve PCI compliance, Card Processing Service has arranged for SecurityMetrics, a certified security assessor for Visa, MasterCard, American Express and Discover Card, to provide you with their "Site Certification" service.  There is NO additional cost to you for this service.  The fee for the SecurityMetrics Site Certification PCI services is covered by your Annual Compliance Service Fee.  You can contact SecurityMetrics at 800-557-4684.  You may also contact them online at: www.securitymetrics.com.

When do I need to do this?
You are requested to resolve this by December 18, 2010, so please ACT NOW to avoid the monthly Non-Receipt of PCI Validation Fee.

What if I fail to become PCI Compliant?
The Card Associations are very serious about data security.  Security breaches have affected merchants of all sizes. If you are compromised, the Association fines can range up to $500,000 per Association.  These fines are in addition to other liabilities you may face in connection with the security breach.

Your participation in this program is essential in allowing us to help you be protected against any unwanted security breaches.  We appreciate your time and assistance.

Sincerely,

Card Processing Service

   -----------------------------------------------------------------------
13 years ago
From http://www.securitymetrics.com/

Site Certification Price Quote

Site Certification - Annual Service - No Internet with Self Assessment Questionnaire (Annual Price)   qty 1   $149.99
Acquiring Bank Discount   qty 1   -$125.00
Total   $24.99

NOTE: This product consists of a small online questionnaire only—no scanning is included.

You may purchase this product ONLY if you meet the following criteria:

1. I certify that I do not have any device connected to the Internet that displays, views, processes, stores, or transmits cardholder data.

2. I understand that misrepresentation of the above leaves me liable for card association fines, restrictions, penalties, forensics, audits, etc.

3. I understand that if my situation changes, I am responsible for upgrading to the appropriate Site Certification service.

This is a quote using Paypal as the "Acquiring Bank". So apparently you can get your site "certified" (if you use Paypal) for $24.99 per year (it may be more depending on what bank you use, up to $150; with quarterly scans the price is $149 discounted, $700 with no discount). I like the fact that this "certification" is just a "self-assessment questionnaire", which means that you can answer any way you like, which means that it means NOTHING.

Now, I understand the need to keep consumers' credit information secure (I want MY information secure), but this just seems like another way for someone to make some money off of people. I don't see why someone who uses a third party who is certified isn't covered under that third party's umbrella as far as compliance is concerned. I have a feeling that the credit card companies are profiting from this somehow.

All the rules and regulations and costs associated with running a business seem designed to nickel and dime small businesses - which most nopCommerce users are - right out of business. That's my two cents - oh look, another cost! :)
13 years ago
nopCommerce team | a.m. wrote:
I also wanted to know whether the latest version 1.80 is compliant with PCI DSS? If yes, then can we get detailed information on how it is compliant?
nopCommerce 1.80 also meets all PCI Compliance requirements, but we haven't passed any official certification.



I guess until NopCommerce gets PA-DSS certified our options are solutions like Paypal Standard, 2CO, Authorize.net SIM... etc.
13 years ago
jsantaella wrote:
I also wanted to know whether the latest version 1.80 is compliant with PCI DSS? If yes, then can we get detailed information on how it is compliant?
nopCommerce 1.80 also meets all PCI Compliance requirements, but we haven't passed any official certification.


I guess until NopCommerce gets PA-DSS certified our options are solutions like Paypal Standard, 2CO, Authorize.net SIM... etc.


The PA-DSS certification process is a joke.

For another ecommerce application we sought it for (not a shopping cart) we were quoted around $65,000!!! And then as we release each new version it needs to be recertified. Few shopping cart producers have that kind of money.

The rules are so absurd that very few are using PA-DSS certified carts, as most carts aren't. Even things like Magento don't certify the free version.

The problem is that there is no differentiation between levels of PA-DSS: you're either approved or not. To me this is crazy; there should be 3 levels, similar to how PCI-DSS does it:

1) Application stores credit card details (highest level, very difficult to get certified for)
2) Application can support input of credit cards, but these are never stored, but passed in real time to the gateway - ie customer doesn't leave the site (medium level)
3) Application cannot accept any credit card data - only supports integration with gateways where customer inputs credit card details on the gateway's site (lowest level, much easier to validate)

The other major flaw with the process is that it can take weeks to validate a new release. So imagine NOP fixes an important security flaw, and that new version hasn't yet been PA-DSS approved. What do you do? Run with the vulnerable software that is PA-DSS certified, or upgrade to the fixed but non approved software?

In the end the process is so ridiculous that few carts are certified, and hence few customers are running approved carts. The banks then have the choice to turn off all their customers, or just accept that they'll continue to run non-certified software.
13 years ago
My website perfectly passes all PCI tests and is fully PCI compliant since v1.4. Why do you think nopCommerce can't pass PCI DSS compliance procedures?
13 years ago
bfranklin825 is on the right track. I have owned 2 businesses (non-eCommerce) and there are legions of businesses and middlemen set up for the sole purpose of taking a bite out of other businesses. Many of these are actually sanctioned by the government as the "official" toll collector for whatever regulation happens to be in effect.

This quote from a previous post is a classic example:

foreyk wrote:
"What if I fail to become PCI Compliant?
The Card Associations are very serious about data security.  Security breaches have affected merchants of all sizes. If you are compromised, the Association fines can range up to $500,000 per Association.  These fines are in addition to other liabilities you may face in connection with the security breach."


Let me translate this statement:

"There is nothing anywhere that says you HAVE to pay us for any security certification. The world is a dangerous place and bad guys are everywhere. It is our mission to scare the bejesus out of you and try to extort as much money from you as possible. We won't tell you that a simple self-assessment survey is available that will enable you to be completely in compliance at a reasonable price. Please sign up for our extortion errrr I mean 'Gold Level Protection Services' and the bad guys will never touch you again.

P.S. We also offer a 2 year platinum warranty protection plan on every product you sell in your store."

13 years ago
We are running Nop 1.8 with authorize.net , and have gotten it past PCI.
The 3rd party scans the webserver monthly.

-Mike
13 years ago
AB Fitness wrote:
My website perfectly passes all PCI tests and is fully PCI compliant since v1.4. Why do you think nopCommerce can't pass PCI DSS compliance procedures?


You're failing to understand the difference between PCI for a site and PA-DSS (which applies to shopping carts).

If your cart is a payment application, and it's an off-the-shelf one, then it should be PA-DSS certified. It's getting this certification that is very, very expensive, because of the amount of testing it requires. Even if NOP does everything right it would cost lots of money to certify that. I'm not so sure NOP would pass PA-DSS without some work, since they look at the processes involved in creating the code, whether you have secure means to issue patches, etc. It's a bureaucrat's heaven of box ticking.

That's not to say the site isn't secure and/or won't pass scans; it most probably will. But the scan doesn't check whether your cart is PA-DSS certified, and according to the rules, it should be if it's an off-the-shelf package.

In theory to get PCI certified for your site you should show that the shopping cart is either outside the bounds of PA-DSS (see below) or that it is PA-DSS certified, along with showing your payment gateway is, hosting is, etc. Bear in mind that each time you update the software it needs to be recertified - so there is an ongoing expense.

Clearly if the payment gateways stuck to the letter of the rules, a majority of the sites out there would have to close down since most carts aren't PA-DSS certified.

Fortunately most if not all of the payment gateways seem to have realized that PA-DSS is a joke, and seem to be happy as long as your site passes more standard PCI scans.

If they do insist on PA-DSS, these are the options:
1) if you never take credit card numbers in NOP but always transfer to the gateway for this, then you can argue it isn't a payment application, and therefore outside PA-DSS (since a payment application is one that processes, transmits etc. card data).
2) custom-built or heavily modified carts are outside the scope of PA-DSS, so modify it a bit and then claim this exemption :)
3) find a gateway that isn't so bothered by PA-DSS.

Personally I'm pretty sure that the PA-DSS regime will change heavily in the near future, as the current system is unworkable. Money spent on PA-DSS at this stage might therefore be wasted. I expect that they'll simplify it at some point and have different levels of certification: level 1 being much easier (where transactions are done entirely at the gateway), level 2 more difficult (transaction happens in the cart but no credit card details stored, sent to the gateway in real time) and then level 3 which would be as tough as at present (card details stored in the cart).
13 years ago
For those of us in the development forum, it would seem even worse. If in PA-DSS certification "they look at the processes involved in creating the code, do you have secure means to issue patches, etc.", then any of us who are touching/extending the source in any way are fundamentally undermining whatever certifications the product has. Fail.

The problem (as I understand) is that unless the product is coming right OOTB, fully built and signed (i.e., tamper-proof), there is no PA-DSS.  Plus, if you are storing cards then you are still subject to PCI-compliance scans/auditing.  The underlying certs on applications just become pieces in the larger, very expensive and resource consuming puzzle.

We have been getting by on PCI scans/self-questionnaires because of the level we're at (number of customer cards we store).  As we grow toward the full-audit level, we're actively pursuing PCI-DSS by passing through all cards to a tokenized solution, e.g. CyberSource Payment 2.0 model, or Sage Vault.
13 years ago
Marcal,

The problem (as I understand) is that unless the product is coming right OOTB, fully built and signed (i.e., tamper-proof), there is no PA-DSS

That is probably true. However, such applications (bizarrely) probably don't require PA-DSS.

PA-DSS doesn't apply to custom-built applications, or off-the-shelf ones that have been modified a lot. So you can actually avoid the requirement to show PA-DSS by claiming that your application is home made.

So if one wants to comply with a particularly strict PCI certification, one can't use an off-the-shelf solution built by experts that hasn't been PA-DSS certified, e.g. nopCommerce, Magento (free version), OpenCart, Kartris etc., despite the fact that these applications are all regularly tested by third-party security companies seeking vulnerabilities.

Instead the option would be
1) use one of the above applications, but modify it extensively
2) write an application from scratch.

Doesn't anyone else think it's mad that a regime that is supposedly designed to increase security instead encourages users to avoid off-the-shelf software built by experts, and instead encourages them to either hack these shops to pieces or develop a new application entirely from scratch!