How do you know if your software is really PCI PA-DSS compliant?
Posted by kabam, 09-02-2009, 09:12 AM |
I am looking at implementing a shopping cart solution for a client. I've used other products from this certain vendor in the past, so I know it's a good product that they take seriously. The software's feature list states that it is PCI compliant (I'm assuming PA-DSS). However, I checked the list on the PCI website and didn't see it listed.
So... how do I determine if the software really is PCI compliant? Is the "Listing of PCI Security Standards Council Validated Payment Applications" the only valid applications that I can technically use?
Thanks in advance!
|
Posted by pmabraham, 09-02-2009, 04:16 PM |
Greetings:
You ask the vendor, you double check with VISA.
Thank you.
|
Posted by zendzipr, 09-02-2009, 04:20 PM |
If the application is certified, it will be on this list:
https://www.pcisecuritystandards.org...oval_list.html
All PA-DSS certified applications are listed.
|
Posted by kabam, 09-03-2009, 06:03 PM |
Thank you!
Follow up question...
If the application isn't on this list, does that mean that I can't use it at all? Or can I still use it and just have my finished install certified / approved?
|
Posted by zendzipr, 09-03-2009, 06:10 PM |
If your application is not on the list, it is not certified. If your merchant account was active before Oct 2008, you have until 2010 before you are required to have PA-DSS certified software. If however your merchant account is newer than Oct 2008 you are required to have PA-DSS certified software. So your answer depends on when you got your merchant account.
Also, check with the software vendor; just because you don't need certified software today does not mean you won't next year. If your application will not be certified it will force you to switch and change whatever you were doing. So don't base your business on non-certified software.
|
Posted by kabam, 09-03-2009, 06:16 PM |
Am I correct in that this only applies if the point of entry for the credit is the shopping cart software? For example, if the shopping cart is set up to use PayPal for checkout, then PA-DSS does not apply. Is this correct?
|
Posted by hdsrob, 09-03-2009, 08:07 PM |
Correct. Only the application that actually handles cardholder data needs to be PA-DSS Validated. The merchant is still required to be PCI Compliant.
|