
PA-DSS Compliance – Will It Change the Way I Manage My Business?


July 22, 2010
Guest Post By Craig Fox, Founder and VP of Marketing for Pinnacle Cart


The short answer is absolutely, but the more important question is “Are you running an ecommerce business which requires you to be on a PA-DSS certified application?”

A quick explanation: PA-DSS is a standard set by the PCI Security Council designed to increase the security of your storefront. The council set a deadline of July 1, 2010 for all merchants to be on a PA-DSS compliant system. Merchants not meeting the deadline could face additional fees from their merchant services provider or loss of their merchant services account entirely.

So, still, do you need to be on a compliant system? For the most part yes, though there are some exceptions the council has outlined. First, if your cart never transmits or stores credit card information, a compliant cart isn’t required. For example, if you’re only using PayPal Traditional and the customer is transferred over to PayPal to complete the order, you are fine. However, if you’re using any other PayPal method, or a method where the credit card is accepted on your site (Authorize.Net or Intuit, for example) and the payment information is posted to your payment provider for authorization, you need a compliant cart. Another exception is in-house applications which are not sold or distributed.

The rules are very specific: if your storefront STORES or TRANSFERS sensitive customer information, you are required to be compliant. Of course, the easy solution is simply to move to a payment system (like PayPal Traditional) that moves your customer over to its site to complete the transaction. Anyone in the ecommerce world for even a short period of time knows this action can have a significantly negative impact on sales. Moving a customer from one site to another to complete a transaction increases cart abandonments, sometimes as much as 30% or more.

This standard isn’t designed to make a merchant’s life more difficult, but to increase the security of internet transactions.  In the end, secure transactions and increased customer confidence result in more business for all merchants conducting business on the internet – and that’s a good thing.

If you’re in the market for ecommerce software, you must determine if the company’s offerings are PA-DSS compliant. If the software is not PA-DSS compliant, weigh potential risks – both personal and financial. Even if you don’t accept credit cards on your site today, understand you will need to eventually if you expect to grow your business. If you’re using an existing ecommerce platform, be sure they are compliant or inquire as to when they expect to achieve compliance. The deadline has passed, and merchant account providers will certainly start assessing fees soon if they haven’t already.

Craig Fox is Founder and VP of Marketing for Pinnacle Cart, the leading eCommerce / Store Builder application for small to mid size businesses. For more information direct your browser to www.pinnaclecart.com



About the Author
Every once in a while we will have guest authors write for our news as well. These guest authors are always experts in the industry and we require that they write from an unbiased point of view, unless the content is noted as an OpEd piece. If you would like to be a guest author on our site, please contact admin at zippycart.com. Anyone who would like to become a regular guest author has the option of being featured on this page.


5 Comments
  1. A.smith says:

    This is a nice and informative post. I have lots of ideas about PayPal and credit cards that I understand now. Thanks for posting your thoughts. I really appreciated all your ideas.

  2. jane smith says:

    What a great and concise explanation. Well written. Thanks!

  3. M.Juanito says:

    I’m wondering if Craig can answer a follow-up question? There are just a handful of shopping carts that are actually compliant and many of the big names are not compliant. Yahoo Stores and Volusion aren’t compliant. Some of the smaller companies like Big Commerce and 3d cart are also non-compliant for PA DSS.

    So the question is, why are so few companies actually compliant and are we seeing a consolidation in this industry? It just seems if you don’t get the shopping cart compliant, you aren’t even offering a legitimate solution to your customers. What am I missing here?

  4. Craig says:

    Thanks for the question. Our President was at Hosting Con last week and participated as a speaker in a session on PCI / PA DSS compliance. As an industry, the consensus is that through attrition we will start to see a reduction in the shopping cart offerings due to compliance. There are over 450 shopping cart platforms available today and only eight or nine are certified or compliant. We understand the time and dollar investment required to not only become PA DSS compliant, but to continue to stay with the compliance standard as it evolves. The PCI Security council will have new guidelines in October that build upon what we have already done, making the barrier even higher.

    The bottom line is PA DSS compliance is a huge barrier to entry for our industry and we do see consolidation coming over the next few years. As a small business owner who can now be held personally responsible for breach of data, why would you use a platform that makes you more vulnerable?

  5. CPC_Andrew says:

    A great push in the right direction! Shoppers appreciate the increase in security – as do online merchants who will appreciate the increase in sales. Looking forward to this being implemented widely. I’m interested in the response to M. Juanito’s question.
