
ProductCart & PCI Compliance

Internet merchants are required to be compliant with the Payment Card Industry (PCI) cardholder data security requirements. Using a quality e-commerce application like ProductCart can help you achieve this goal. To start, you may want to take a few minutes to get more familiar with the concept of PCI Compliance: knowing that PCI compliance sounds like hieroglyphs to most people, the PCI Security Standards Council has put together some documents to make things easier to understand and help you get started. Please see:

If you are a small business, in most cases you will be asked to submit an annual Attestation of PCI Compliance as part of the Self-Assessment Questionnaire.

ProductCart v4

ProductCart v4 is PA-DSS Validated

ProductCart v4 received official PA-DSS validation from the PCI Security Standards Council in October of 2009. PA-DSS stands for Payment Application Data Security Standard.

“The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS.”

PA-DSS applies to item 6.3 of the PCI DSS requirements: “Develop software applications (internal and external, and including web-based administrative access) in accordance with PCI DSS and based on industry best practices. Incorporate information security throughout the software development life cycle.” Unless you are using a PA-DSS validated e-commerce application, it is difficult and expensive for you to demonstrate that you are compliant with this requirement.

PA-DSS and PCI Compliance

In other words, using a PA-DSS certified e-commerce application can help your business become PCI compliant as it reduces the burden on the merchant in terms of demonstrating that they are using a compliant e-commerce application. However, remember that a PA-DSS certified application is not enough to be PCI compliant. There are decisions that you make every day in the way you use ProductCart and - more generally - in the way you run your business that affect your PCI compliance.

Specifically, relevant elements to an e-commerce business' PCI compliance status include:

  • Properly using your PA-DSS certified e-commerce system
    For this purpose, carefully review the ProductCart PA-DSS Implementation Guide for information on how to use ProductCart in a way that ensures PCI compliance. For example, if you are using “offline credit card processing” in ProductCart, you should purge credit card information from the ProductCart Control Panel and shred any printed version of it, immediately after the payment has been captured.
  • Using a PCI compliant Web hosting environment
  • Using a PCI compliant payment provider

Self-assessment Questionnaire

All merchants are required to file a self-assessment questionnaire. See the document “Payment Card Industry (PCI), Data Security Standard, Self-Assessment Questionnaire, Instructions and Guidelines”. As of July of 2011, the latest version of this document can be downloaded here:

See the section entitled “Selecting the SAQ and Attestation that Best Apply to Your Organization”. Which SAQ applies to you depends on many factors, including which payment options are active on your Web store, where your store is hosted, whether it is connected to a POS or accounting system, etc.

When you can use the short-form questionnaire (SAQ-A)

Questionnaires vary in length. The short-form self-assessment questionnaire (SAQ-A) is much easier and quicker to fill out, but can only be used when your store does not “directly” process payment information.

If your store uses only the following payment options (one or both of them, and nothing else), then you can use SAQ-A:

  • The ProductCart Payment Gateway, introduced with v4.5
    The ProductCart Payment Gateway handles payments in a way that allows your store to avoid being considered a “payment application”. Credit card information is posted directly to the payment gateway, rather than being handled by the page (payment form) where customers enter payment details on your Web store. This is invisible to your customers, who remain on your Web site. If payment information needs to be saved (because features requiring credit card storage are used), it is saved in a PCI-compliant payment vault, which again ensures that the store does not become a “payment application”.
  • PayPal Express Checkout
    Express Checkout only, not in combination with Website Payments Pro Direct Payment

What these payment systems have in common is that either:

  • There is no payment form hosted on your store (e.g. PayPal Express Checkout, Google Checkout, etc.)
  • The payment form posts data directly to a secure URL hosted by the payment gateway (e.g. ProductCart Payment Gateway)
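The two conditions above can be checked mechanically. The following is an added example, not ProductCart's own code: it assumes a hypothetical store host name and a URL-encoded POST body, and it shows (a) a check that a payment form's action points at an HTTPS host other than the store, and (b) a check that no Luhn-valid card number ever arrives in a request the store itself handles, which is what distinguishes an SAQ-A store from a "payment application".

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed store host for the example (assumption, not from the page).
STORE_HOST = "shop.example.com"

PAN_RE = re.compile(r"\d{13,19}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates a real card number from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def form_posts_offsite(action_url: str, store_host: str = STORE_HOST) -> bool:
    """True when the payment form posts over HTTPS to a host other than the
    store, i.e. card data goes directly to the gateway (the SAQ-A pattern)."""
    u = urlparse(action_url)
    return u.scheme == "https" and bool(u.hostname) and u.hostname.lower() != store_host.lower()


def find_pan_fields(post_body: str) -> list:
    """Names of fields in a URL-encoded POST body whose value is a Luhn-valid
    card number. Any hit means the store itself is handling cardholder data
    and therefore cannot use SAQ-A."""
    hits = []
    for name, values in parse_qs(post_body).items():
        for value in values:
            digits = re.sub(r"[ -]", "", value)
            if PAN_RE.fullmatch(digits) and luhn_ok(digits):
                hits.append(name)
    return hits


if __name__ == "__main__":
    # Constructed sample inputs: a gateway-hosted form and a store-hosted one,
    # and a request body using the well-known 4111... test number.
    print(form_posts_offsite("https://gateway.example.net/pay"))      # True
    print(form_posts_offsite("https://shop.example.com/checkout.asp"))  # False
    print(find_pan_fields("cardNumber=4111111111111111&exp=1225"))    # ['cardNumber']
```

Run the PAN scan against the store's own request handlers (or access logs of POST bodies, if any are kept) after every checkout change; a non-empty result means card data is crossing your server and the SAQ-A assumption no longer holds.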

You can also use this questionnaire when you do not accept credit card payments (e.g. your only payment method is “Net 30”).

When you cannot use SAQ-A

In all other cases, you may not use the short-form questionnaire and - in most cases - you will need to use SAQ-D. You have two options:

  • Read the PCI Security Standards documentation to locate the correct SAQ (see links and comments above)
  • Use a third-party tool to guide you through the process. Your payment gateway or merchant account provider may have such a tool. Inquire with them.

ProductCart v3

ProductCart v3 already contained features that can assist you in passing PCI compliance testing. ProductCart v3, however, is not PA-DSS certified. For example, it does not allow you to change the encryption key used to encrypt credit card information, which you should change annually. We recommend upgrading to v4. The upgrade is free under the ProductCart Technical Support & Updates plan.
