#10
03-07-2009, 09:16 AM

geckoday
X-Wizard
Join Date: Aug 2005
Posts: 1,073

Default Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by handsonwebhosting
Because there's certificate involved in exactly how the process works, I'm sure SOME of it would have to be encoded just so that actions by users wouldn't circumvent the certification itself. The purpose of the certification is so that they can verify that it's secure and whatever, if it's opensource and anyone can access the code and modify it, then essentially EACH OF US would need to get re-certified that the process is still doing what it was originally designed to do.

At least, that's what I would think anyway?
The intent of PA-DSS is to facilitate/allow PCI-DSS compliance by merchants, not to force/enforce it. Therefore PA-DSS does not require encoding the software so it can't be modified. PA-DSS only requires the vendor to develop their software in a PCI-DSS compliant manner. Any modifications would be custom development for that one merchant, and as such those modifications would not be subject to PA-DSS. Custom developed payment applications fall under the merchant's PCI-DSS assessment. For most of us smaller merchants that means we would need to attest in our self-assessment questionnaire that we followed PCI-DSS guidelines in developing our modifications, and no outside verification would be required. That's the same thing that PA-DSS is doing for vendors - making sure they follow PCI-DSS guidelines in developing their software. PA-DSS requires that vendors get outside certification because their application will be used by many merchants, which magnifies the impact of insecure development.

Another example of how PA-DSS only facilitates compliance: it does not mean that a vendor must prevent you from shooting yourself in the foot and implementing their software in a non-PCI-DSS compliant manner. PA-DSS only requires that the vendor's software *can* be implemented to be PCI-DSS compliant and that the vendor has documented for the user how to implement it securely. IOW, it's OK for the application to have an option to store CVV numbers. But the documentation with the application has to tell the user that the option must be turned off to be PCI-DSS compliant.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com