PDA

View Full Version : Mandatory deadline to become PA-DSS Validated



tomrogers
07-13-2010, 08:28 AM
Today I received an email from Miva Merchant re: IMPORTANT AND CRITICAL UPDATE FOR ALL 5.5 STOREOWNERS. I'm sure everyone with a Miva store got it.

Although I've upgraded the software, I looked at the PA-DSS checklist within the store and we are passing only 6 out of 21 items.

What are the consequences of not meeting these requirements?

Some items on the list seem pretty simple. But with some, I'm afraid of a cascading effect where you change one thing and soon learn that it has effected something else.

It looks like some items are things that WestHost would have to do. Here are some from the list that failed that pertain to WestHost:

1) We need Miva Empresa Version v5.07 when it's currently 5.06.
2) The primary database should not be located on the web server (my site is "localhost")
3) Primary database should be password encrypted (mine failed, not sure if that's an easy fix)
4) Private keys stored in secondary database
5) Private key database on different server than primary database
6) Private key database password encrypted
7) All users passwords SHA-1 encrypted

Comments?

wildjokerdesign
07-13-2010, 11:08 AM
I would contact WestHost direct on this one. While I can see that item 1 is something that they could deal with I doubt that database issue is going to be something they would deal with. You would almost need a second account to deal with those issues I would think or maybe a node over at VPS.net set up to handle the database stuff. I wonder if this is why they have decided to not offer Miva on new accounts.

rweight
07-30-2010, 12:26 PM
The PA DSS Validation applies to applications or modules that are provided for credit card processing. As per the following from the PCI security counsel at https://www.pcisecuritystandards.org/pdfs/pci_pa-dss_faqs.pdf

Q. What part of the payment transaction process is addressed by the PA-DSS?
A. The PA-DSS applies to software vendors and others who develop payment
applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third-parties.

Payment applications validated per PA-DSS, when implemented in a PCI
DSS-compliant environment, will minimize the potential for security breaches leading to compromises of full magnetic stripe data, card validation codes and values (CAV2, CID, CVC2, and CVV2), PINs and PIN blocks, and the damaging fraud resulting from these breaches. Internally developed
applications that are not sold or distributed to third-parties are not subject to PCI PA-DSS but are subject to PCI DSS.

As such you should be able to ignore the PA-DSS issues, as those should be
handled directly by the payment gateways or developers of applications that
handle credit card processing.

dolson
07-30-2010, 05:50 PM
Tom,

We are happy to help you get Empresa upgraded to the newest version. To any clients that have this same issue, please submit a ticket to us at http://members.westhost.com/contactus.html and we will get that taken care of. Regarding the other items in your list, we are still working with Miva to clarify what needs to happen on our end as the host. Once that is fully clarified, we will post a followup with a more definite answer.