[ic] PCI / PA-DSS

Jon Jensen jon at endpoint.com
Sat Jul 24 18:50:09 UTC 2010

On Fri, 23 Jul 2010, Nick wrote:

> If I am understanding the requirements correctly, it seems as though it 
> is not good enough to simply have your site scanned for vulnerabilities, 
> ensure you use good passwords, etc, but if your site accepts credit 
> cards, such as through a payment gateway like authorize.net, your 
> e-commerce application needs to be PA-DSS approved.
> The requirements might not be too difficult to meet, but of course 
> getting it approved requires many thousands of dollars of fees. It seems 
> to me as though no open-source e-commerce application is likely to be 
> able to afford to have the application certified, so I'm hoping that I 
> am just reading the requirements incorrectly and that Interchange is OK, 
> but does anyone with more knowledge about this have any insight?

Nick, I don't know what will happen. I've read the requirements, and I 
don't see how they can possibly be met by any ecommerce application that 
allows any customization whatsoever.

If I have a custom in-house ecommerce app, and get it certified, is it 
invalid the next day when I fix a bug or add a new feature?

If I use a "toolkit"-style framework like WebSphere or ATG or whatever, 
even if the toolkit is certified, what about my thousands of lines of 
custom code?

Open source will obviously be a problem for PA-DSS, but only as a subset 
of the bigger realm of *all custom software* which is par for the course 
in ecommerce.

I suspect, like the earlier PCI requirements, there will be several years 
of phase-in, compromise, deadline slips, etc. during which we'll find out 
how this will actually play out.


Jon Jensen
End Point Corporation
