Posting in the Magento forums has been disabled pending the implementation of a new and improved forum solution which should better serve the community.

For new questions please post at magento.stackexchange.com, the community-run support site for the Magento community. We will be providing updates on the new forum solution soon. For questions or concerns please email community@magento.com.

Magento Forum

Page 2 of 2
Anyone know whether or not Magento CE need to be PA-DSS approved by the July 1st deadline? 
 
truetechsupport
Jr. Member
 
Total Posts:  26
Joined:  2010-05-04
Minnesota
 
Neuraxial - 23 July 2010 07:44 AM

Crucial: So in enters Secure Payment Bridge, offering you a way to pass SAQ-C more easily?

TW: Some “average” consumers I’ve talked to give PayPal absolutely no trust… Perhaps the worries about losing conversions ARE overstated, but as long as I see an SSL certificate and some trustmarks I’d always prefer to just type my credit card number in with the merchant, instead of jumping through the hoops of logging into PayPal or Google and selecting the credit card there. To each their own, I suppose… but it sounds like perhaps not, anymore.

Has anyone tried CRE Secure or another outsourced-embedded option?

Use authorize.net SIM. Most people that use CRE Secure are probably going to be using an authorize.net account anyway. Unlike Google or PayPal, they won’t have to log in or enter any additional info to get to the credit card page. It won’t necessarily be ‘seamless’, but the customer won’t have to enter any additional info, and the store owner won’t be stuck with extra monthly fees.

 
 
bj0rn
Member
 
Total Posts:  37
Joined:  2008-06-16
 

What seems cool about CRE Secure is the iFrame method of integration, so nothing changes visually in the checkout at all… With SIM it gets rather ugly.

 
 
fr0x
Member
 
Total Posts:  59
Joined:  2009-05-20
 

There could be some confusion here, due to the fact that a PA-DSS certified application may not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data - however, requirement 2 does state that the PA-DSS certified application must “Protect stored cardholder data”, which ultimately implies that cardholder data can be stored, however it must be done so in a way that fully protects that stored cardholder data.  Slightly different than “the application does not, at any point, store credit card information.”, which may be a slight overstatement and I don’t mean to nitpick, but to simply be clear.

Gotcha...I may have misread, misinterpreted (or downright misunderstood) what they meant.  I wonder how many PA-DSS certified apps out there actually do store the information.  I would think the measures that would have to be undertaken would be pretty large to want to do that as a 3rd party app.

Absolutely correct - a merchant should do everything possible to not store or transmit cardholder data to avoid SAQ-C & SAQ-D certification, which most retailers here would simply not be able to achieve financially or technically speaking.

Yea, although I think most could handle SAQ-C (although if you can easily get in lower, might as well)......SAQ-D is pretty far out there for anyone without a dedicated team to try and cover.

Well said - With the major point being a firm understanding of which SAQ the merchant should fill out.

Definitely important to know which to fill out.  Fill out SAQ-A when you’re really SAQ-C and.....well....I’m not sure what would happen other than you’re not truly PCI compliant.

Heh - I often wonder about this one.  Is it *really* in the payment acquirer’s best interest for all merchants to be PCI Compliant?  I must imagine that the acquirers would much rather hand the costs of a security breach off to the merchant rather than absorb those costs themselves.  I’ve often felt that this may be the main reason why PCI Compliance has really not affected many merchants to date even though PCI Compliance has been mandated for many years.  It’s a very easy way for the acquirer to ‘pass the buck’ by just not making a big deal of it, until the breach occurs.

I’ve also found that many merchant providers are clueless when it comes to compliance issues - I’ve dealt with a few that simply said, “pass the scan and you’re good” - this is obviously false and misleading information, but we see it every day from clients.

True, in the end it might be easier for them to pass the buck.  But if you make the call they aren’t going to pass it off on you anymore.  As for knowledge on compliance.....I’m sure that’s pretty hit or miss.  We were pretty lucky and our provider helped lead us down the path to compliance.

It can be confusing and scary and big.  The big thing for people out there is to take it one simple step at a time.

As you said, first things first: spend the time figuring out which SAQ you need to be using.
Then, sit down with the SAQ and go through it, point by point.  If you didn’t fall under SAQ-D, it is fairly manageable.  We picked off the things we knew we were fine on and crossed them off right away, then went back through the other points one by one.  If you do fall under SAQ-D....well....it may be easier to redo your process so you fall under a lower SAQ.

 
 
Crucial Web Host
Guru
 
Total Posts:  364
Joined:  2007-11-08
Phoenix, AZ
 
Neuraxial - 23 July 2010 07:44 AM

Crucial: So in enters Secure Payment Bridge, offering you a way to pass SAQ-C more easily?

The Secure Payment Bridge doesn’t really change anything.  What it does is provide PA-DSS compliant software for Professional Edition and Enterprise Edition clients.  It really has zero effect on the Self Assessment Questionnaire that is required for your SAQ level, in this case, SAQ-C. 

Effective July 1, 2010, all merchants that transmit or store credit card data were required to use PA-DSS compliant software, assuming the software was an ‘off the shelf’ solution.  The PA-DSS does not apply if you have developed your own software for transmitting or storing card data - it is strictly for distributed software solutions.

The SAQ level is determined by a number of questions - all available in the SAQ of your choice/need.  For SAQ-C those requirements are:

==================================================
1. Merchant has a payment application system and an Internet or public network connection on the same device;

2. The payment application system/Internet device is not connected to any other system within the merchant environment;

3. Merchant does not store cardholder data in electronic format;

4. If Merchant does store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically;

5. Merchant’s payment application software vendor uses secure techniques to provide remote support to merchant’s payment application system. (In comes PA-DSS)

source: https://www.pcisecuritystandards.org/pdfs/pci_saq_c.pdf
==================================================

If your organization meets these criteria then you are eligible for SAQ-C compliance.

Let’s point out now that any merchant not meeting the requirements of SAQ-A, SAQ-B (primarily offline businesses) or SAQ-C then fall into the SAQ-D requirement by default.  For example, simply storing cardholder data automatically qualifies the organization for SAQ-D Compliance.  SAQ-D is sort of the ‘catch all’ for any merchant not neatly fitting into SAQ-A through SAQ-C.

SAQ-C Compliance has 43 controls that must be met.  While these controls are far fewer than the 210 controls that must be complied with for SAQ-D, they should not be diminished in their complexity.  Specifically Requirement 10 (Track and monitor all access to network resources and cardholder data.) and Requirement 12 (Maintain a policy that addresses information security for employees and contractors).

While on the surface these issues may seem trivial, in the event of a breach an assigned Auditor will not see things the same way.  The auditor is in place to protect the Credit Card companies and ensure that the merchant was, in fact, compliant with the ‘appropriate’ SAQ, to the letter.  The SAQ must be signed by the Merchant Executive Officer, and the organization and the guarantor of the merchant account will be held liable for ‘any’ inconsistencies.  PCI Compliance is an ‘all or nothing’ compliance.  Fail a single requirement and you are 100% not PCI Compliant and liable for all costs incurred due to the breach.

I would advise that any readers interested in this topic take two hours and watch the following two Webinars presented by Varien, the creators of Magento.

1.  PCI Compliance 101 for Magento Merchants - Presented by Magento and Coalfire Systems

Unfortunately - it doesn’t look like the second part of these PCI Compliance series has been posted for viewing at the time of this post, but suffice to say that you should be able to find it at the following URL in a short time.

http://www.magentocommerce.com/media/webinars

TW: Some “average” consumers I’ve talked to give PayPal absolutely no trust… Perhaps the worries about losing conversions ARE overstated, but as long as I see an SSL certificate and some trustmarks I’d always prefer to just type my credit card number in with the merchant, instead of jumping through the hoops of logging into PayPal or Google and selecting the credit card there. To each their own, I suppose… but it sounds like perhaps not, anymore.

I have to agree with this statement - I feel that a client that has an established Merchant Account promotes a stronger degree of trust of that Merchant.

Has anyone tried CRE Secure or another outsourced-embedded option?

This is an excellent option - we have multiple clients using this system and have personally heard no complaints regarding the service.  You can bet that other systems very similar to this are being developed as you read this, as this will be the way small Merchants will be forced to do business in the future.

 
 
Crucial Web Host
Guru
 
Total Posts:  364
Joined:  2007-11-08
Phoenix, AZ
 
fr0x - 23 July 2010 09:43 AM

Gotcha...I may have misread, misinterpreted (or downright misunderstood) what they meant.  I wonder how many PA-DSS certified apps out there actually do store the information.  I would think the measures that would have to be undertaken would be pretty large to want to do that as a 3rd party app.

Agreed - I don’t think you will find many PA-DSS compliant systems that offer Cardholder Data Storage.  My understanding is that Magento’s Secure Payment Bridge does, but I could be wrong here - although, I don’t think so, as this is actually a function of Magento and not the Payment Bridge - but I’m kind of in the dark here as I have no experience with the Payment Bridge as of this time.

Yea, although I think most could handle SAQ-C (although if you can easily get in lower, might as well)......SAQ-D is pretty far out there for anyone without a dedicated team to try and cover.

WAY out there would be more appropriate.

Definitely important to know which to fill out.  Fill out SAQ-A when you’re really SAQ-C and.....well....I’m not sure what would happen other than you’re not truly PCI compliant.

I can tell you… FAIL.  The responsibility for this decision rests squarely on the Merchant Executive Officer and the Merchant Account guarantor/signer.  This person should be DAMNED sure what SAQ they are and what they are signing their name to, as it is the difference between bankruptcy and safe harbor in the event of a data breach.

True, in the end it might be easier for them to pass the buck.  But if you make the call they aren’t going to pass it off on you anymore.  As for knowledge on compliance.....I’m sure that’s pretty hit or miss.  We were pretty lucky and our provider helped lead us down the path to compliance.

Well - sure they can.  Imagine the scenario where the data/server was breached and a $10/hr employee told you all you need to do is pass the scan.  You then try to explain that to the on-site auditor who says, “Didn’t you READ the SAQ that you signed?”.  FAIL.  As far as this goes, GET IT IN WRITING is the best advice I can give, and I’ll bet that nine times out of ten they won’t, and the answer will significantly change.

If you do fall under SAQ-D....well....it may be easier to redo your process so you fall under a lower SAQ.

It’s really the only alternative for 95% of small businesses who rely on third party hosting solutions.  Very well said.

 
 
TWDesign
Member
 
Total Posts:  38
Joined:  2009-10-31
 

The PA-DSS does not apply if you have developed your own software for transmitting or storing card data - it is strictly for distributed software solutions.

Yes, but if your solution is developed in-house you still have to make a declaration that it complies with all the relevant PA-DSS principles.
So it amounts to the same thing, really.

If your inhouse team cobbles together your own website to take credit card payments you will not be PCI compliant unless it is designed to meet the PA-DSS guidelines, regardless of whether or not it is actually certified as such.

 
 
Crucial Web Host
Guru
 
Total Posts:  364
Joined:  2007-11-08
Phoenix, AZ
 
TWDesign - 23 July 2010 07:07 PM

Yes, but if your solution is developed in-house you still have to make a declaration that it complies with all the relevant PA-DSS principles.
So it amounts to the same thing, really.

Same thing, other than the $30K+ fee involved with PA-DSS Compliance certification.  This fee obviously must be passed on to the purchaser, which is why PA-DSS certified software sells for a premium. 

The in-house developed software certainly must comply with the PA-DSS security requirements; it just does not have to be PA-DSS certified since it is not ‘distributed’.  Good point -

 
 
Ambal
Jr. Member
 
Total Posts:  1
Joined:  2010-08-02
Russia
 

> Same thing, other than the $30K+ fee involved with PA-DSS Compliance certification.  This fee obviously must be passed on to the
> purchaser, which is why PA-DSS certified software sells for a premium.

Maybe make the PA-DSS component available at a cheaper price as a separate add-on for Magento?  I feel like http://www.youtube.com/watch?v=yxY7ZjroIYM when I think about there being no PA-DSS for CE :(

 
 
xpayments
Jr. Member
 
Total Posts:  3
Joined:  2010-06-15
Ulyanovsk, Russia
 

“Cheaper” PA-DSS for Magento? Look at our X-Payments Connector for Magento.

X-Payments is a PA-DSS certified payment application, compatible with Magento. It is designed for on-line merchants who accept credit card payments and require compliance with the Payment Card Industry Data Security Standard (PCI DSS) v1.2.
X-Payments is an inexpensive and straightforward solution to make Magento PCI-DSS ready:
- Easily integrates via Magento Connect
- Compatible with Magento Community Edition
- Accepts credit cards on your domain
- Works on any compatible web hosting

 
 
Turnkeye
Enthusiast
 
Total Posts:  908
Joined:  2008-12-20
URL: turnkeye.com
 
truetechsupport - 23 July 2010 09:05 AM

Most people that use CRE Secure are probably going to be using an authorize.net account anyway. Unlike Google or PayPal, they won’t have to log in or enter any additional info to get to the credit card page. It won’t necessarily be ‘seamless’, but the customer won’t have to enter any additional info, and the store owner won’t be stuck with extra monthly fees.

Many big names are not PA-DSS compliant: Yahoo Stores, 3dcart, Volusion and Big Commerce are non-compliant for PA-DSS.
Besides, you can avoid PA-DSS certification in certain cases: PA-DSS compliance FAQ

 