Direct Commerce Systems

RE: Order Management, eCommerce and Fulfillment Solutions for Direct Merchants

The clock is ticking on Payment Application Data Security Standards compliance...but this is still not a topic of huge interest/discussion. Vendors are quietly assessing/pursuing strategies. Any thoughts, comments?

Replies to This Discussion

We've found a tremendous amount of apathy amongst our customers, and it's clear that many of the payment processors are doing a mediocre job of getting the word out about the upcoming requirements and deadlines. As a result, we've taken it upon ourselves to educate our customers about compliance, and keeping them informed about the steps we're taking towards certification. A large percentage of our customer base is clearly not compliant (and some could honestly care less), so we have our hands full.

That's amazing input, Tom. I won't say "I'm shocked," but it is certainly very chewy food for thought....

Tom Danner said:
We've found a tremendous amount of apathy amongst our customers, and it's clear that many of the payment processors are doing a mediocre job of getting the word out about the upcoming requirements and deadlines. As a result, we've taken it upon ourselves to educate our customers about compliance, and keeping them informed about the steps we're taking towards certification. A large percentage of our customer base is clearly not compliant (and some could honestly care less), so we have our hands full.
Would I be right in thinking PA-DSS is an element of PCI-DSS, or are these separate things? PCI-DSS is something we've just started to review in our company, but as it's so broad in scope it's a very difficult area to get started with. I would be very interested to hear if anyone has recommendations for "primers" available to read in this area, or even better, conferences/courses to help people get started in the UK.

PCI is for merchants, PA-DSS is for system vendors. In theory, you can't be PCI-compliant if your systems aren't officially PA-DSS compliant. For much more detail, see http://www.dcsguide.com/Default.aspx?pageID=PADSS

Dan Prisk said:
Would I be right in thinking PA-DSS is an element of PCI-DSS, or are these separate things? PCI-DSS is something we've just started to review in our company, but as it's so broad in scope it's a very difficult area to get started with. I would be very interested to hear if anyone has recommendations for "primers" available to read in this area, or even better, conferences/courses to help people get started in the UK.

Dan, as I mentioned in my reply to Ernie's post, we've really had to take on the responsibility of educating our users to make sure that everyone "gets it" before it's too late. We're in the process of creating a section on our new website devoted to PCI issues, including compliance and support - but in the meantime have posted an external version of our internal wiki page on the subject, which can be found here: http://wiki.newhavensoftware.com/index.php/PCI_Compliance

This wiki page has a lot of information and links that might be helpful. We've also produced some videos about more general aspects of compliance (not just setting up our software to be compliant), which will be published shortly.

Dan Prisk said:
Would I be right in thinking PA-DSS is an element of PCI-DSS, or are these separate things? PCI-DSS is something we've just started to review in our company, but as it's so broad in scope it's a very difficult area to get started with. I would be very interested to hear if anyone has recommendations for "primers" available to read in this area, or even better, conferences/courses to help people get started in the UK.

This is a huge insurance expense that the merchants and now the software vendors need to absorb, all because of a few bad apples in the world (and lack of common sense). The vendors will pass this expense on to their merchants (hence the need to educate them) and the merchants will pass this cost on to their customers. The hackers will still find ways to exploit (because we are human and especially because of the apathy) but at least it will be more difficult.

I will be doing a Workshop session on PCI and PA-DSS at ECMOD in London on 7 October, 2:15 - 3:00 PM. See ECMOD info here.

Dan Prisk said:
Would I be right in thinking PA-DSS is an element of PCI-DSS, or are these separate things? PCI-DSS is something we've just started to review in our company, but as it's so broad in scope it's a very difficult area to get started with. I would be very interested to hear if anyone has recommendations for "primers" available to read in this area, or even better, conferences/courses to help people get started in the UK.

On Evan Schuman's StoreFront BackTalk, David Taylor of the PCI Knowledgebase has a very good "editorial" on the upcoming "Community Meeting" of the PCI Security Standards Council members. It's more "retail-centric" than multichannel focused, but still a worthwhile read. Check it out HERE.

Question - If a merchant uses a service bureau for order entry, and there is a data breach and credit card data is stolen, who bears the responsibility -- the merchant, the service bureau, or both? If the ultimate "penalty" is loss of the credit card merchant account, then the merchant would bear the largest responsibility, if it is the account belonging to the merchant that is being used. Is that right?

Just found out the DMA has accepted my proposal to do a session on PCI/PA-DSS at NCOF next year, April 19-22, Walt Disney World Dolphin, Orlando, Florida.

At Stone Edge Technologies, we have come to the conclusion that the need for storing credit card account numbers at all is quickly coming to an end. All but one of the payment gateways that we integrate with offer the ability to use tokens in place of account numbers if you have to issue a credit or place an additional charge against an account. The account number is only used for the initial charge or authorization. After that, everything can be done with the token (or whatever that gateway calls it). No account numbers are stored, and tokens should be useless if they fall into the wrong hands. That should dramatically reduce the risks involved with credit card processing, and make both PA-DSS (for software developers) and PCI (for merchants) much easier to achieve and maintain. Comments, anyone?
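An added example (not Stone Edge's code and not any real gateway's API) of the token flow the post above describes: the account number is used once for the initial authorization, the merchant persists only the gateway's opaque token plus the last four digits, a later refund goes through by token, and a Luhn-based scan confirms that no full account number survives in the merchant's order store. The `Gateway` class, its token format and the `OrderStore` layout are constructed stand-ins.

```python
import re
import secrets
import string

def luhn_ok(digits: str) -> bool:
    """Mod-10 check that real card numbers satisfy; used by the PAN scanner below."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def find_pans(blob: str) -> list:
    """Return Luhn-valid 13-19 digit runs found in stored data (a PA-DSS style 'no PAN at rest' check)."""
    return [m for m in PAN_RE.findall(blob) if luhn_ok(m)]

class Gateway:
    """Constructed stand-in for a tokenizing payment gateway (hypothetical API)."""
    def __init__(self):
        self._vault = {}                    # token -> PAN, lives only at the gateway
    def authorize(self, pan: str, amount: float):
        # Token is a random handle, not derived from the PAN (letters only, by construction)
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(20))
        self._vault[token] = pan
        return token, {"status": "approved", "amount": amount}
    def refund(self, token: str, amount: float):
        if token not in self._vault:
            raise KeyError("unknown token")
        return {"status": "refunded", "amount": amount}

class OrderStore:
    """Merchant side: keeps the token and last four digits, never the account number."""
    def __init__(self, gateway: Gateway):
        self.gateway = gateway
        self.orders = {}
    def place_order(self, order_id: str, pan: str, amount: float):
        token, resp = self.gateway.authorize(pan, amount)   # PAN used once, then dropped
        self.orders[order_id] = {"token": token, "last4": pan[-4:], "amount": amount}
        return resp
    def refund(self, order_id: str, amount: float):
        # A credit against the original charge needs only the token
        return self.gateway.refund(self.orders[order_id]["token"], amount)
    def stored_pans(self) -> list:
        return find_pans(repr(self.orders))  # expected: [] when only tokens are kept
```

The `stored_pans` scan is the kind of check a PA-DSS assessor would want to see run against the merchant's actual persistence layer, not just an in-memory dictionary.
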
Sadly, David Taylor died of a heart attack on October 27, 2009. See my blog posting.

Ernie Schell said:
On Evan Schuman's StoreFront BackTalk, David Taylor of the PCI Knowledgebase has a very good "editorial" on the upcoming "Community Meeting" of the PCI Security Standards Council members. It's more "retail-centric" than multichannel focused, but still a worthwhile read. Check it out HERE.

© 2017   Created by Ernie Schell.