Rank: Member
Joined: 1/22/2008(UTC) Posts: 3
Hi
I am considering alternatives for ASP.NET ecommerce platforms. One of your competitors is making a very big thing about the fact that they are PABP certified. What is your take on this (as in, how necessary is it) and is it on your roadmap?
Many thanks
Tony
Rank: Member
Joined: 11/5/2003(UTC) Posts: 2,136
Was thanked: 1 time(s) in 1 post(s)
Are you asking BV Software specifically, or all the lurking merchants in general?
Rank: Member
Joined: 1/22/2008(UTC) Posts: 3
I was actually hoping as this is a pre-sales forum that BV Commerce themselves would reply......
Rank: Member
Joined: 11/5/2003(UTC) Posts: 1,786
The major credit card companies are giving merchants until 2010 to ensure that all applications are PABP certified or PCI compliant. PABP certified is used for packaged software (like BV Commerce 5) and PCI is used for hosted services and hosting companies.
There are 4 levels of merchants and the deadlines are different for each one.
Level 4 Merchants - Process 0 to 20,000 transactions per year
Level 3 Merchants - Process 20,000 to 1 Million transactions per year
Level 2 and Level 1 Merchants - Process over 1 Million transactions per year
Terms used
Known Vulnerable Applications - Software known to Visa to store unsafe data. (BV Commerce is NOT a known vulnerable application)
Certified Applications - Software that has passed a certification test
New Accounts - New credit card processing accounts for merchants that do not currently process cards
Schedule of Requirements
Phase 1 - January 1, 2008
New Accounts must not be using Known Vulnerable Applications. A new merchant can use BV Commerce as it is NOT a known vulnerable application. No effect on existing merchants.
Phase 2 - July 1, 2008
Payment processing companies must only certify new software that is also a Certified Application. Current software and customers are not affected. Current merchants are able to use BV Commerce just as they do now.
Phase 3 - October 1, 2008
New Accounts are required to EITHER use a PCI compliant hosting company OR use a PABP certified application. Existing merchants are not affected and can continue to use BV Commerce as normal. New Accounts must use a PCI compliant hosting company if BV Commerce is not certified by this date. We fully expect that BV Commerce will be certified long before this time.
Phase 4 - October 1, 2009
Known Vulnerable applications will be de-certified for credit card processing. BV Commerce is not a Known Vulnerable application and will also be certified by this date. No impact to any BV Commerce merchant.
Phase 5 - July 1, 2010
All merchants will be required to use a Certified Application. BV Commerce will have been certified long before this time and there will be no risk/impact to merchants.
Summary - Impact to BV Commerce merchants
BV Commerce 5 is currently 90% compliant and we are working hard to implement the last few remaining features. The major hold back at this point is the requirement that we allow merchants to change encryption keys on the fly on a running store. This will require a service pack to BV Commerce 5 and we will complete certification before the end of this year.
There will be no impact/risk at all to BV Commerce 5 merchants. Existing merchants will have until 2010 to move to a certified solution but BV Commerce 5 will have been certified long before that deadline.
BV Commerce 2004 merchants will need to upgrade to BV Commerce 5 (or a later version) before July 1, 2010 in order to process credit cards with a certified application.
Rank: Member
Joined: 8/17/2006(UTC) Posts: 681
Any news on this PCI compliance? October is just around the corner :) BTW, Is there a plan to remove the encryption key out of the DB or use DB Encrypted Columns in the DB? DB Encrypted Columns have the advantage of not being able to be decrypted if you move/steal the DB and install it on a new comp and don't have a backup of the original keys. Very powerful stuff. Banks and compliance companies love it.
Regards, Corneliu.
Rank: Member
Joined: 4/22/2004(UTC) Posts: 280
Marcus,
Can you please confirm that BVC 5 will be PCI compliant by the end of this year as you stated in this thread? I'm asking for confirmation because I know that PABP has already been retired/replaced with PA-DSS. I just don't want to have missed something - like this being moved to BV 6 or the time frame for BVC 5 has changed.
Those of us with clients and stores on BV 2004 have to move them up, which means lots of planning and time - especially for heavily customized stores.
Thank you,
Linette
Rank: Member
Joined: 11/5/2003(UTC) Posts: 1,786
We are currently evaluating the PA-DSS certification process in comparison to PABP. Right now, it looks like there will be little to no change in our plans to be certified by October.
Rank: Member
Joined: 4/22/2004(UTC) Posts: 280
Marcus,
Are you definitely going to certify BVC5 by October?
Thanks,
Linette
Rank: Member
Joined: 10/7/2008(UTC) Posts: 17
We are thinking of buying BVCommerce software, but we are very concerned that this thread seems to have died and about the status of BVCommerce compliance. Will someone from BVSoftware please chime in as to BVCommerce's current status and plans as far as security certifications.
Thanks, Joyce
Rank: Member
Joined: 10/20/2008(UTC) Posts: 1
I also would like to know about the status of BVC5 and PCI Compliance before licensing this software. Any updates on this subject?
Rank: Member
Joined: 11/5/2003(UTC) Posts: 1,786
BV Commerce 5 is still going through the PCI Compliance certification process for applications. So as of today it is not officially certified as a PABP application. However, we use PCI certified payment processors and individual installations of the software can be PCI certified once installed at a web host. We have many clients who have gone through the certification process for individual sites without issue on BV Commerce 5.
Keep in mind that PCI rules do not affect existing merchants at all at this point. New merchants will need to use a hosting company that is PCI certified to get the best rates for new merchant accounts. Again, as long as your web host is PCI certified you DO NOT need a certified application until July of 2010. BV Commerce 5 is going through the certification process now.
Rank: Member
Joined: 12/6/2005(UTC) Posts: 26
Marcus,
Not to beat an old (not dead) horse, but any further updates on progress with the PCI compliance? We have customers who are asking.
Thanks.
:smile:
Rank: Member
Joined: 11/5/2003(UTC) Posts: 1,786
The PCI standards keep changing so it has been difficult for us to get development synched with the specs. Now that kitting has shipped in 5.4 PCI certification is the top priority for BV Commerce development. We're targeting PCI-DSS 1.2.
Rank: Member
Joined: 4/8/2008(UTC) Posts: 18
Marcus,
Do you have a new target date?
Thanks, Josh
Rank: Member
Joined: 11/5/2003(UTC) Posts: 1,786
I don't want to release any target date yet as it could set false expectations.
Rank: Member
Joined: 4/8/2008(UTC) Posts: 18
How about an expected time frame?
2-3 months? 6 months? 1 year?
Rank: Member
Joined: 3/10/2009(UTC) Posts: 3
It's been a couple months, are there any PCI compliance updates?
Rank: Member
Joined: 11/5/2003(UTC) Posts: 1,786
Service pack 5.5 will introduce most of the updates for PCI-DSS 1.2 but we're not certified yet.
Rank: Member
Joined: 3/20/2009(UTC) Posts: 6
Marcus,
Thanks for the update. The community really appreciates the work you're doing toward PCI-DSS certification.
To clarify your statement a little, are you saying that BV Commerce will be PCI-DSS 1.2 certified after service pack 5.5? Or that service pack 5.5 narrows the gap, but still can not be PCI-DSS 1.2 certified?
- Ben
Rank: Member
Joined: 11/5/2003(UTC) Posts: 1,786
SP 5.5 should implement the technical changes needed for PCI-DSS 1.2 but the actual certification process takes a while longer. So, it is possible that 5.5 will pass the certification and then, yes, it will be certified. However, if the certification authority requires changes it may be 5.6 before we are officially certified.