Getting Your Site Up to Speed With PA-DSS Compliance
Keep in mind that with data encryption, a system must support "key rotation" (periodically retiring the encryption keys in use and replacing them with new ones) or "split keys" (which require input from two key holders before decryption is possible) to be PA-DSS compliant; simple encryption or data masking alone is not enough.
What you should do: Contact your system vendors immediately to find out what they are doing to become PA-DSS compliant. As of early March, no OMS vendors were on the PA-DSS approved vendor list.
Ask when your vendors expect to be certified, and whether the version of the system the merchant is running will be included in certification. And if so, will there be any additional costs to the merchant? If PA-DSS compliance will require an upgrade, how much will it cost, and when can an upgrade installation or conversion be scheduled?
Most vendors are likely to be uncertified until early 2010. By then, if your provider is still not on the list, you'll have little time to convert to another system by July 1.
So it behooves you to put pressure on your current provider to achieve PA-DSS compliance as soon as possible — and to secure your place now in the upgrade queue if an upgrade will be required.
If your compliance efforts go awry, you might be able to work with your provider to maintain your account if you can demonstrate steady progress toward compliance. So it's better to do something, and have a process in place with your system vendor, than to do nothing at all.
Beating the clock: PA-DSS is a work in progress for the Security Standards Council, so there will likely be a crush of assessments in the first half of 2010. And there will probably be revisions of current mandates to clarify some of their ambiguities as assessors start dealing with the reality.
But one thing is for sure: Even if the Council is forced to move the deadline to a later date, coping with PA-DSS is going to be a major challenge that multichannel merchants will ignore at their peril.
Ernie Schell (ernie@schell.com) is director of Ventnor, NJ-based consultancy Marketing Systems Analysis.
TOP 10 PA-DSS requirements
- CVV or card validation codes must be encrypted, and not stored anywhere after card authorization
- Encrypt credit-card numbers everywhere
- Require secure authentication log-ons for system users
- Keep logs of all payment activity
- Maintain network security
- Maintain secure data communications
- Don't store credit-card data on servers with Internet access
- Test all interfaces to other systems for meeting PA-DSS security standards
- Maintain instructional documentation for system use
- Maintain a PA-DSS Implementation Guide that documents how PA-DSS requirements are met for this system
© 2012 Penton Media Inc.