July 1, 2010 was VISA's PA-DSS compliance deadline.
Compliant Systems
At the present time, Abison Commerce Suite, AssistCornerstone (currently in process), Celerant, CommercialWare (for CWDirect and CW Serenade), MOM (Dydacomp), Escalate (Ecometry and Escalate eCommerce), and Junction Solutions are the only direct commerce order management systems in the US or the UK on the list of PA-DSS-validated solutions. Some have completed their assessments and applied for inclusion on the list. We will update this information as it becomes available. Note: solutions hosted at a third-party site or by the solution provider only need to be PCI-compliant, and do not require PA-DSS validation if no credit card data passes through servers at a merchant's own site.
But note that the PCI Council’s PA-DSS list has two categories: one for applications “acceptable for new deployments” and the other for applications “acceptable only for pre-existing deployments.” Make sure the product (and version) you are considering is in the first category and not in the second.
Until recently PCI compliance had all the earmarks of the Y2K scare: warnings of dire outcomes, but no major consequences for the non-conforming. In 2009, however, the Payment Card Industry Security Standards Council (PCI SSC) announced a new component in the compliance equation, the Payment Application Data Security Standard, or PA-DSS. This applies not to the merchants, but directly to the credit card processing systems themselves.
Multi-channel merchants had until July 1, 2010 (a deadline imposed by VISA, not the PCI SSC) to ensure that the systems they use to process credit card transactions are “PA-DSS compliant,” i.e., that they comply with the new data security standards established by the PCI SSC. If a merchant is not using PA-DSS compliant systems, they cannot technically be compliant with PCI standards, and they will be in danger of losing their merchant account, that is, their right to accept credit card transactions (although this may only be discovered through a "forensic" assessment after a security breach).
PA-DSS represents a very specific set of requirements that a system must meet if it is used in processing credit cards. An assessor approved by the PCI SSC must audit each such system and assign a “pass” or “fail” to the application. Those that pass are put on an official list of PA-DSS-compliant applications (available online at www.pcisecuritystandards.org).
If you are a merchant with a home-grown system, or one that has been written for you on a custom basis by an outside developer, you are exempt from PA-DSS requirements. You only have to pass the PCI test.
The only other exception is for merchants using browser-based systems or thin-client applications on solutions hosted off-site (Software as a Service), with all data maintained on the hosted solution. Such systems themselves must be certified PCI-compliant, however, and merchants using them still need their own PCI certification.
Merchants who are not PCI-compliant are not only exposed to possible fines and penalties, but, as noted, risk having their credit card privileges revoked.