I agree with everything you’ve said here and you are dead-on with your comments. I would like to point out one thing, however:
Actually, PCI Compliance has nothing directly to do with PA-DSS. An application that is PA-DSS certified is much easier to become compliant with, but nowhere in any of the PCI SAQ documents is there a requirement for PA-DSS. In fact, the only mention of PA-DSS is in regards to whether or not you store credit card information. PA-DSS is just a certificate whose main point is that the application does not, at any point, store credit card information.
There could be some confusion here, due to the fact that a PA-DSS certified application may not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data - however, requirement 2 does state that the PA-DSS certified application must “Protect stored cardholder data”, which ultimately implies that cardholder data can be stored, but it must be done in a way that fully protects that stored cardholder data. Slightly different from “the application does not, at any point, store credit card information.”, which may be a slight overstatement. I don’t mean to nitpick, but simply to be clear.
Gleaned from: https://www.pcisecuritystandards.org/pdfs/pci_pa_dss.pdf
A base Magento install does not do this. You can be PCI compliant *without* a PA-DSS certified system. You just have to know enough about the system to appropriately fill out the given SAQ. Even if you do store credit cards with a plugin or edits to Magento, you can STILL be PCI compliant... it’s just a much larger road to go through filling out SAQ D (much, much, much larger).
Absolutely correct - a merchant should do everything possible to not store or transmit cardholder data to avoid SAQ-C & SAQ-D certification, which most retailers here would simply not be able to achieve financially or technically speaking.
Even if Magento CE was PA-DSS certified, that doesn’t mean you are PCI compliant. You can just fill out a bit more of the SAQ without having to know detailed information about the system (i.e., if it’s PA-DSS certified, you can easily check off that you aren’t storing credit card numbers instead of having to look through the code to make sure you aren’t).
Unless, of course, the payment application is storing credit card information, just not magnetic stripe information and CCV data.
Becoming PCI compliant is two things:
Filling out the proper SAQ (and being compliant on all the points within it).
Doing a quarterly scan on your network.
(this is slightly different if you are a level 1 or 2 merchant, but I’m guessing if you are looking in here for answers, you aren’t that big).
Well said - with the major point being a firm understanding of which SAQ the merchant should fill out.
Just would hate for people to get hung up on the PA-DSS portion (and the fact that Magento CE is not PA-DSS certified) and then not go through with their actual PCI-Compliance.
ALL merchants MUST be PCI Compliant regardless of their SAQ or Type. If your website accepts payments in any form or fashion, you are fully responsible for being PCI Compliant; the only way around this is to simply not accept credit cards *gasp*.
As always, talk to your authorization service. They will help you and steer you in the right direction. They want you PCI Compliant more than anyone.
Heh - I often wonder about this one. Is it *really* in the payment acquirer’s best interest for all merchants to be PCI Compliant? I must imagine that the acquirers would much rather hand the costs of a security breach off to the merchant rather than absorb those costs themselves. I’ve often felt that this may be the main reason why PCI Compliance has really not affected many merchants to date, even though PCI Compliance has been mandated for many years. It’s a very easy way for the acquirer to ‘pass the buck’ by just not making a big deal of it, until the breach occurs.
I’ve also found that many merchant providers are clueless when it comes to compliance issues - I’ve dealt with a few that simply said, “pass the scan and you’re good” - this is obviously false and misleading information, but we see it every day from clients.
Ultimately, I think PCI-DSS is crap and merely a way for the Payment Card Industry to milk more money out of merchants. If they really wanted true security, the card itself would be changed and things like PIN numbers would be instituted instead of printing every piece of information necessary to steal an identity and card information directly on the card itself. Not much different from the Debit Cards in use today. Heck, even the signature is on the back of the card 9 times out of 10… This is just dumb.
Excellent points, Fr0x, and I enjoy your posts - keep up the great work.