Version 8 is PABP/PA-DSS Certified. Version 9 is pending certification now, with an ETA of about 2-3 months to complete the process. Version 8 remains available to anyone who needs PA-DSS right away. To view our PCI PA-DSS Acceptance Letter for AspDotNetStorefront ML v8.0, please click here (.pdf).
To see the list of Visa PABP Validated Payment Applications, including AspDotNetStorefront ML v7.x, please click here (.pdf).
Update Nov. 29 2010
While there are no imposed deadlines for all merchants to be using Payment Application Data Security Standard (PA-DSS) compliant shopping carts, the Payment Card Industry, in a declaration of new standards on 28th October, 2010, reinforced its requirement for e-commerce to honor the PA-DSS guidelines. In the spirit of that, AspDotNetStorefront will continue to lead the way by certifying all our payment applications via an appointed QSA.
Today, all of our editions are deemed compliant, and those that are not yet through the certification process will be accredited in early 2011. We had paused our certification processes while we waited to learn about any new diligence announced in the latest release, but we are proud to reveal that we are already compliant with any and all new requirements.
AspDotNetStorefront ML is Visa Approved and PABP Certified. This also means we are now certified to the PA-DSS specification with our ML version. If you choose a NON PABP approved shopping cart platform, you may be unable to obtain a merchant account starting sometime in 2008! Why take the risk?
Update August 8 2010
With AspDotNetStorefront, you are choosing to use an elite E-Commerce
shopping cart platform that has been certified through the Visa Payment
Application Best Practice (PABP) assessment. The certification process
confirmed, among other things, that our 8.x release is secure and does not retain
full magnetic stripe data or CVV2 data.
This elite designation confirms that our 8.x release will not prevent our
customers, the e-commerce merchant, from reaching compliance with the Payment
Card Industry (PCI) Data Security Standard. PCI is a set of very detailed
standards relating to all merchants or service providers that store, process or
transact credit card data.
For our developer customers, you will also know that you are providing the
best possible e-commerce platform for your own customers, and can leverage
the work that we have put into the platform for you out of the box. Using
another shopping cart platform that is not PABP approved, or even worse, an
open-source cart with no testing whatsoever, just places unnecessary risk
on your own business or your customers.
This quote is direct from VISA:
Visa Announces New Payment Application Security Mandates, October 23,
2007, Beginning January 1, 2008, Visa will implement a series of mandates
to eliminate the use of non-secure payment applications from the Visa
payment system. These mandates require acquirers to ensure their merchants
and agents do not use payment applications known to retain prohibited data
elements and require the use of payment applications that adhere to Visa's
Payment Application Best Practices (PABP). PABP-compliant applications
help merchants and agents mitigate compromises, prevent storage of
prohibited data and support overall compliance with the Payment Card
Industry Data Security Standard (PCI DSS) and the Visa U.S.A. Inc.
VISA MANDATES, OCTOBER 23, 2007
mark the first strongly worded, firm deadlines promoted by Visa.
Separately, the PCI Security Standards Council recently assumed ownership of
the PABP from Visa, which further illustrates the importance of this
initiative. Merchants (and developers providing ecommerce
solutions for merchants) are either going to quickly adopt the PABP as a
cost of doing business, or, they're going to have to start winding down
their business. Good for AspDotNetStorefront to be ahead of the
McGowan, Security Account Manager, Coalfire Systems, Inc. (a certified PCI
Consultancy & Assessor)
PABP REQUIRED FOR MERCHANT ACCOUNTS
Additionally, many merchant account providers will
NOT EVEN ISSUE MERCHANT ACCOUNTS now if you are not using a PABP approved shopping cart system. With AspDotNetStorefront, this PABP compliance is
already done for you, so you have no need to worry.
If you are choosing an uncertified cart or want to use one of the "free" open
source carts, beware, as you may be unable to even get a merchant account starting sometime in 2008 for Internet-based card-not-present sales! "Free" doesn't sound like too good of a value if
your business is shut down.
MERCHANT PCI REQUIREMENTS
PCI Compliance is no longer optional, or just a "nice to have" when running
an online commercial commerce business. Merchant validation to the PCI standard
is determined by the number of transactions processed. What's important to note
is that, regardless of transaction volume, all merchants must be in
compliance with PCI. What differs, based on transaction volume, is the manner in
which the merchant must attest to compliance. For more information regarding PCI
compliance, merchant level definitions and associated attestation requirements,
please note the below link:
To download the complete Payment Card Industry Data Security Standard, please
note the below link:
Typically, PCI compliance is initially driven by the merchant's acquiring
bank. As more of the large brick and mortar retail merchants, and high
visibility e-commerce merchants attain compliance or make significant progress
towards compliance, smaller and lesser known e-commerce merchants are beginning
to get more attention. Today, these banks are broadening their communication to
the smaller e-commerce merchants, to ensure they address their current gaps in
compliance and work to resolve them. Currently, these banks are levying fines on
merchants that do not get into compliance by previously provided deadlines.
Similarly, for merchants that are compromised, they are levying fines and
penalties that can quickly exceed one million dollars.
If you are still using an AspDotNetStorefront version prior to v8.x, we again
strongly encourage you to update to the latest build so you can take advantage
of our PABP certification for your site.
AspDotNetStorefront, by virtue of our PABP certification, has partnered with
longtime PCI assessor Coalfire Systems, to develop a program aimed to assist our
8.x clients in cost effectively attaining compliance. Coalfire Systems serves as
a one-stop shop for PCI, offering a host of services which drive merchants to
compliance. Coalfire is an Approved Scan Vendor (ASV), authorized to provide the
required quarterly network scans. The quarterly network scans are a cost
effective way to ensure your payment card environment (PCE) is adequately
protected. These quarterly scans are a requirement for all merchants.
Additionally, Coalfire provides cost-effective PCI compliance assessment and
consulting services, intended to assist merchants with completing the PCI Annual
Self Assessment questionnaire, a requirement for all Level 1-3 merchants and
select Level 4 merchants.
COALFIRE SYSTEMS PCI COMPLIANCE PARTNER SERVICES
Note that even though we provide VISA PABP certification on our software
platform, you (the merchant) must still perform and obtain your own PCI
compliance, which also involves testing your hosting/server environment together
with the software.
To inquire about Coalfire Systems PCI services that you may use for your own PCI
compliance testing, please contact:
(206)352-6028 ext 7504
VERIFIED BY VISA/MASTERCARD 3-D SECURE
On a related topic, we also support Verified by Visa/MasterCard 3-D Secure
in the US and U.K. for selected gateways. Click here for
Please see our forums for any updates to this important topic.