Costs for PA-DSS Certification
December 2, 2009 2:08 PM

PA-DSS Credit Card Certification, how much does it cost? I'm one of the core developers for Satchmo, an open source e-commerce toolkit. It looks like we need to be PA-DSS certified by next summer, but the costs are quite vague.

From what I can tell, it costs $1250 to list your application as certified, plus $250 per update release. Never mind that this is an incredible, thoughtless, not-going-to-make-things-any-more-secure burden for an open source project, the real question is "how much will it really cost to certify Satchmo?"

It appears from looking at the horrible documentation that the best path to certification is to hire an outside firm to do it. Has anyone done that? Is it not merely suggested, but well-nigh required? Has anyone done it without an outside firm?
posted by Invoke to Computers & Internet (1 answer total)
Best answer: I don't know much about PA-DSS, but have been heavily involved on the merchant side for PCI. I am not your QSA. PCI and PA-DSS apply to systems and software that 'store, transmit or process' PANs (credit card numbers).

Obviously, the PA-DSS standard is written with commercial products in mind.

The standard says:

The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties.

So I suppose that, even if you don't sell Satchmo, you do distribute or license it?

Further down, it says:

PA-DSS does apply to payment applications that are typically sold and installed “off the shelf” without much customization by software vendors.

Does this exclude you?

From scanning the standard, it looks like, unlike PCI-DSS, there's no option to simply self-assess (and not use a third-party QSA) for the PA-DSS. So if the standard applies to you, you have to go outside for certification.

A couple thoughts and questions:

- Where did this come up? Who is saying you must be compliant?
- The PA-DSS form requires the signature of an executive. Does Satchmo even have someone in that role?
- From that, I think you should contact PCI and possibly a couple QSAs to get their take on it. What have other open source store frameworks done? In my experience from the merchant point of view, there can often be questions of scoping. Make sure you're careful about what is and is not 'in scope'.

Sorry this isn't more of an answer. Feel free to contact me if you have further questions; sadly, my understanding on the PA side is limited.
posted by These Premises Are Alarmed at 7:47 PM on December 2, 2009
