Payment Application Data Security Standard (PA-DSS)

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
14 years ago
Does anyone know what the score is with regard to the Payment Application Data Security Standard (PA-DSS)?

Is nopCommerce PA-DSS compliant?

If not, will it be made compliant in future, and what are the implications for merchants running nopCommerce right now?

Regards,

Chris
14 years ago
I'd be interested to know this too.

Does NOP store credit card number / CVV data, for example?
14 years ago
We just run a script to clear credit card data.
14 years ago
If an e-commerce solution is not PCI compliant in the USA (and with the other compliance standards in other countries), I do not find much use for the entire product in general.

I would suggest researching some of the compliance rules for e-commerce and making sure this product is ready for "prime time".

I think this is a fantastic product, if only it had this ONE feature (which is the most important one for business owners).
14 years ago
Unfortunately no. But PCI DSS is on our roadmap.
14 years ago
Hi Andrei,

I know PCI compliance is a big issue... But I wonder if I can run this application in the US, accepting credit cards, without it having a PCI certificate?

Merry Christmas
Oliver

P.S. Thank you for this great FREE app...
14 years ago
PCI compliance is a very complicated matter with many vague rules. The PA-DSS compliance is for software vendors who sell applications that process credit cards; how this affects open source solutions is unclear from what I have read. A place that develops its own software/website is not required to be PA-DSS certified if it is used in house. Now, if somebody else uses that as a base framework without paying for it, that is where this would be unclear.

The merchant is the one responsible for being PCI compliant, depending on what merchant level they fall into based on PCI guidelines, and their merchant bank can require compliance even if it is not required by PCI standards. For example, with the current rules a merchant that sells less than 1 million a year online is a level 4, which does not require PCI certification; however, many banks such as First National Merchant Services and many others require their customers to be certified and will charge a small fine (~$30 a month) until next July, when they will cut off credit card processing for places that are not certified.

Sadly, many of the banks, such as the one named above, force customers to use certain PCI clearing houses like Trustwave rather than letting you use one of your own choosing. For websites the fee is usually around $140 a year, and this includes monthly vulnerability scans of the website and an online questionnaire. Once the questionnaire is filled out to compliance and the scan passes, you get an electronic certificate. The certificate is good for one quarter, as the requirement for scans is quarterly. With Trustwave and others you do get an SSL certificate and a fancy PCI compliance logo to put on your site.

I forgot to mention that if you are offloading the payment part to a third party such as PayPal, you do not have to have the scans done, as you are not handling the credit card information.
14 years ago
Hi netsysllc,

I appreciate your detailed answer... It did shed some light on the issue.

Thank you,
Oliver
14 years ago
So do we have a verdict on this? Can we implement nopCommerce for clients in the U.S.? If yes, what about the Payment Application Data Security Standard (PA-DSS) in this case?
14 years ago
In my opinion, if you are doing the site for yourself you are covered, since it is self-designed, and if you are building a site for somebody else you are selling them one-off software, which is also covered. This shopping cart would be seen as a framework rather than a finished product, and it is open source, not sold. Also, the US has nothing to do with this: PCI is a worldwide thing from the credit card companies, and the US is one of the slackers in getting it implemented. There is no government regulation in the United States for this stuff.