CrashTest_ (Joined: 11/03/2008, Juice: 9)

I am wondering if there are any plans for Ubercart to comply with the Visa PABP deal? More information can be found: http://usa.visa.com/merchants/risk_management/cisp_payment_applications....

Thanks,

CrashTest_

Ryan (Joined: 08/07/2007, Juice: 15438)
Re: Visa Payment Application Security

Is there a short check list I can review? Ubercart is already PCI compliant by default.

CrashTest_ (Joined: 11/03/2008, Juice: 9)

I will check on that.

It looks like there is no really short list, there is a PDF http://www.computerworld.com/pdfs/Payment_Application%20Security_Mandate..., and that site that I pointed to before.

My take is that it is another Visa program designed to ensure PCI compliance.

Thanks,

Pat

CrashTest_ (Joined: 11/03/2008, Juice: 9)
Re: Re: Visa Payment Application Security

Well, there isn't really a short list. You should read this letter from VISA however, as it may have impact on the future of Ubercart: http://usa.visa.com/download/merchants/cisp_PABP_Validation_Letter_to_Ve...

ldweeks (Joined: 01/14/2009, Juice: 30)
Payment Application Data Security Standards

Hello! I work for an organization that is very interested in using Ubercart, but we are very sensitive to the need for robust PCI compliance. It looks like you folks have been working to ensure that Ubercart is PCI compliant, and I, for one, appreciate that very much.

But the story doesn't quite end there. First, PCI compliance refers to an organization's entire system of processing credit card transactions, and not simply to applications themselves. In other words, the PCI-DSS requires that your entire payment process be PCI-compliant. An application, like an online shopping cart, can either ensure that your entire system remains PCI compliant, or it can handle credit card data in some way that is PCI non-compliant, thus making your entire system non-PCI compliant. And that, as you know, opens people up to fines, etc.

Now why is that distinction important? The first reason is obvious: using a shopping cart that does not break your PCI-compliance is a must. The second reason to properly understand the distinction is a little less obvious: a payment application, like an online shopping cart, is actually subject to an entire set of standards of its own that simply fits into the entire PCI-compliance "net", if you will. The Visa PABP program that was mentioned above has now been taken over by the PCI Data Security Standards Council, and is now referred to (in its new, updated format) as the Payment Application DSS. ("PA-DSS is the Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP).") You can find the Payment Application DSS here.

Now the first question that came to my mind was, "Is the PA-DSS mandatory for all payment application providers?". According to the PCI security standards council FAQ, the answer is, "The PA-DSS applies to all payment application providers. Whether it is mandatory or not will be determined by the payment brands." Really pretty vague, right? Doesn't exactly answer the question.

Next, you might wonder what the PA-DSS requires. It is a 36-page document, but here are the important points. First, there is this section under "Roles and Responsibilities":

"Software vendors (“vendors”) develop payment applications that store, process, or transmit cardholder
data as part of authorization or settlement, and then sell, distribute, or license these payment applications
to third parties (customers or resellers/integrators). Vendors are responsible for:
- Creating PA-DSS compliant payment applications that facilitate and do not prevent their customers’
PCI DSS compliance. (The application cannot require an implementation or configuration setting
that violates a PCI DSS requirement.)
- Following PCI DSS requirements whenever the vendor stores, processes or transmits cardholder
data (for example, during customer troubleshooting)
- Creating a PA-DSS Implementation Guide, specific to each application, according to the
requirements in the Payment Application Data Security Standard
- Educating customers, resellers, and integrators on how to install and configure the payment
applications in a PCI DSS-compliant manner.
- Ensuring payment applications meet PA-DSS requirements by successfully passing a PA-DSS
review as specified in PCI PA-DSS Requirements and Security Assessment Procedures.
Vendors submit their payment applications and supporting documentation to the PA-QSA for review. Any
agreements and costs associated with the assessment are negotiated between the vendor and the PA-QSA.
Vendors provide permission for their PA-QSA to submit resulting PA-DSS compliance reports to
PCI SSC."

Finally, under the heading "To which application does PA-DSS Apply?", you will find the following:

"The following guide can be used to determine whether PA-DSS applies to a given payment application:
- PA-DSS does apply to payment applications that are typically sold and installed “off the shelf”
without much customization by software vendors.
- PA-DSS does apply to payment applications provided in modules, which typically includes a
“baseline” module and other modules specific to customer types or functions, or customized per
customer request. PA-DSS may only apply to the baseline module if that module is the only one
performing payment functions (once confirmed by a PA-QSA). If other modules also perform
payment functions, PA-DSS applies to those modules as well. Note that it is considered a “best
practice” for software vendors to isolate payment functions into a single or small number of baseline
modules, reserving other modules for non-payment functions. This best practice (though not a
requirement) can limit the number of modules subject to PA-DSS.
- PA-DSS does NOT apply to a payment application developed for and sold to only one customer
since this application will be covered as part of the customer’s normal PCI DSS compliance review.
Note that such an application (which may be referred to as a “bespoke” application) is sold to only
one customer (usually a large merchant or service provider), and it is designed and developed
according to customer-provided specifications.
- PA-DSS does NOT apply to payment applications developed by merchants and service providers if
used only in-house (not sold, distributed, or licensed to a third party), since this in-house developed
payment application would be covered as part of the merchant’s or service provider’s normal PCI
DSS compliance."

(I would encourage all of you who have a stake in this kind of thing to download the PA-DSS and give it a look.)

As I see it, credit card companies, and the merchant account providers, aren't really cracking down on this at all right now. If you are a small merchant, you can basically sign up for a merchant account and use any shopping cart that you'd like. However, I'd like to know if Visa and the other credit card companies are going to begin requiring that payment applications be certified before we can use them. That, of course, would have huge implications for Ubercart. The PDF that I attached to this comment leads me to think that they might. And the process of having your software PA-DSS certified is quite large: many, many man-hours, and $12,000+ (I called a couple of QSAs to get an idea).

What do you folks think? Am I missing something? Should we be concerned about this?

Thanks again for all your work.

Attachment: payment_application_security_mandates.pdf (59.83 KB)

thill (Joined: 01/25/2008, Juice: 815)
Re: Visa Payment Application Security

I just heard from another individual that some merchant account providers are requiring this now. It seems to be something where funding is needed to pay someone to certify it.

Sid_M (Joined: 09/23/2009, Juice: 18)
July 1: Required Compliance

I am by no means an expert in this, but I just spent a couple of hours poking around, and I have to say that it left me concerned about Ubercart's future. The sense I have is that Visa is trying to push everybody into using only those payment systems that are not only PCI DSS compliant, but that are certified as compliant (Visa has a list of certified applications).

According to Visa, starting on July 1 of this year, all e-commerce must use only payment systems which are certified as PCI DSS compliant. Visa is telling all of their merchant clients that they must meet this requirement, and that they will face fines if they fail to do so. Visa is telling all of the merchant gateways that they must require this of their clients. I am guessing that not many clients are going to want to use Ubercart if it means opening themselves up to getting hit with fines, or possibly losing their merchant account.

The reason I am saying "payment systems" instead of "shopping carts" is that all Visa cares about is what a site does with credit cards. So, for example, a site could use Ubercart for the entire product selection process, and then use PayPal for the entire payment process. In that case, the site is fine because PayPal is certified as PCI DSS compliant. However, this is only the case if the shopper's browser interacts directly with PayPal: i.e. the site cannot have them submit their credit card to the site's server, and proxy it over to PayPal. As soon as credit card information is submitted to the site's server, the payment application on that server has to be PCI DSS compliant.

To the extent that Ubercart already supports using PayPal and never seeing credit card information (and I don't know what that extent is as I have never tried to use Ubercart and PayPal together), that provides an option for using Ubercart in a PCI DSS compliant way.

However, my sense is that the only way Ubercart will be able to continue to be a viable option for websites which accept user credit cards, and process them through a merchant account (such as those provided by authorize.net), will be if it goes through the compliance certification process. (Well, the other possibility is that Visa will fail in its campaign to enforce compliance.)

If you're interested, here is where I am getting the above information:

an informative blog entry: http://www.netspi.com/blog/tag/padss/
Visa's Mandates Doc: http://usa.visa.com/download/merchants/payment_application_security_mand...
List of Validated Payment Applications: https://www.pcisecuritystandards.org/security_standards/vpa
Visa's List of Validated Payment Applications: http://usa.visa.com/download/merchants/validated_payment_applications.pdf

Andy (Administrator; Joined: 08/07/2007, Juice: 1076)
Re: July 1: Required Compliance