[ic] PCI / PA-DSS

Nick nick_ic at selltothem.com
Fri Jul 23 15:41:39 UTC 2010

I know there was a recent discussion about PCI compliance that focused 
on vulnerability scanning, but I have been looking into the issue more 
and am wondering what everyone's thoughts are on the PA-DSS component 
(Payment Application Data Security Standard):


If I am understanding the requirements correctly, it seems as though it 
is not good enough to simply have your site scanned for vulnerabilities, 
ensure you use good passwords, etc, but if your site accepts credit 
cards, such as through a payment gateway like authorize.net, your 
e-commerce application needs to be PA-DSS approved.

The requirements might not be too difficult to meet, but of course 
getting it approved requires many thousands of dollars of fees. It seems 
to me as though no open-source e-commerce application is likely to be 
able to afford to have the application certified, so I'm hoping that I 
am just reading the requirements incorrectly and that Interchange is OK, 
but does anyone with more knowledge about this have any insight? Thanks,


More information about the interchange-users mailing list