PABP and VISA Compliance – Get the Facts

Why you need to understand PABP and Visa Compliance Rules and Regulations

You’ll be hearing more and more about PABP and Visa compliance. It’s not something you can afford to ignore any more. Visa developed the Payment Application Best Practices (PABP) to help vendors create secure payment applications that help merchants limit compromises, prevent the bad practice of storing sensitive cardholder data, and support compliance with the PCI Data Security Standard (PCI DSS). (PABP is the standard the PCI Security Standards Council later adopted as the basis of PA-DSS, so the same requirements outlive the name.)

Wow, that’s a mouthful. What PABP basically means is that Visa wants to decrease fraud while increasing customer and vendor security, and that matters directly if you are a new website seeking a vendor to process your orders.

Here’s the basic PABP list of requirements, followed by the compliance timeline.

  • The terminal has no connections to any of the merchant’s systems or networks
  • The terminal connects to the acquirer or processor
  • The terminal vendor provides secure remote access, updates, maintenance and troubleshooting
  • The following are never stored after authorization: the full contents of the magnetic stripe (the track data, whether read from the stripe on the back of a card, from a chip, or elsewhere), the CVV (encoded in the track), the CVV2 (printed on the card), the PIN, or the encrypted PIN block
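The last bullet is the one a developer can actually test for. Below is an added example (not code from this post or from any cart vendor named here) of the two checks a practitioner wants around that rule: scrub a record on its way to storage so track data, CVV2, PIN and PIN block never reach disk, and audit text that is already stored (logs, debug dumps, database exports) for the same data. The track formats are the standard magnetic-stripe layouts; the field names the regexes look for (cvv2, cvc, cid, pin, pin_block) are assumptions about how a log might label those values, and the sample log lines are constructed for the example.

```python
import re

# Patterns for the sensitive authentication data in the list above, as it shows up
# in swipe dumps, request logs and database exports. The field names (cvv2, cvc,
# cid, pin, pin_block) are assumptions chosen for this example, not PABP identifiers.
TRACK1_RE = re.compile(r"%B(\d{12,19})\^[^^]{2,26}\^\d{7}[^?]*\?")  # %B<PAN>^<NAME>^<YYMM><svc><discretionary>?
TRACK2_RE = re.compile(r";(\d{12,19})=\d{7}[^?]*\?")                # ;<PAN>=<YYMM><svc><discretionary>?
CVV2_RE = re.compile(r'\b(?:cvv2?|cvc2?|cid)"?\s*[=:]\s*"?(\d{3,4})\b', re.IGNORECASE)
PIN_RE = re.compile(r'\bpin"?\s*[=:]\s*"?(\d{4,12})\b', re.IGNORECASE)
PINBLOCK_RE = re.compile(r'\b(?:pin_?block|encrypted_?pin)"?\s*[=:]\s*"?([0-9A-Fa-f]{16})\b', re.IGNORECASE)

# (kind, regex, require a Luhn-valid PAN in group 1, span to redact: 0 = whole match, 1 = value only)
PATTERNS = [
    ("track1", TRACK1_RE, True, 0),
    ("track2", TRACK2_RE, True, 0),
    ("cvv2", CVV2_RE, False, 1),
    ("pin", PIN_RE, False, 1),
    ("pin_block", PINBLOCK_RE, False, 1),
]


def luhn_ok(pan: str) -> bool:
    """Luhn check on a PAN; used to keep track-shaped noise out of the findings."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive_auth_data(text: str):
    """Return [(kind, start, end)] for every piece of sensitive authentication data, by position."""
    hits = []
    for kind, rx, needs_luhn, group in PATTERNS:
        for m in rx.finditer(text):
            if needs_luhn and not luhn_ok(m.group(1)):
                continue  # track-shaped text whose PAN fails Luhn is not real track data
            hits.append((kind, m.start(group), m.end(group)))
    return sorted(hits, key=lambda h: h[1])


def scrub_for_storage(record: str):
    """Scrub a record on the way to disk: returns (scrubbed text, kinds removed).
    Only the kinds are reported, never the values, so the result is safe to log."""
    out, kinds, pos = [], [], 0
    for kind, start, end in find_sensitive_auth_data(record):
        if start < pos:
            continue  # overlaps a span that is already redacted
        out.append(record[pos:start])
        out.append("[REDACTED-%s]" % kind.upper())
        kinds.append(kind)
        pos = end
    out.append(record[pos:])
    return "".join(out), kinds


def scan_log(lines):
    """Audit already-stored text: which lines hold data that must never be stored, and what kind."""
    findings = []
    for n, line in enumerate(lines, 1):
        kinds = [k for k, _, _ in find_sensitive_auth_data(line)]
        if kinds:
            findings.append((n, kinds))
    return findings


# Constructed sample log lines (the PAN is the well-known 4111... test number).
SAMPLE_LOG = [
    # 1: debug dump of a swipe with both tracks in the clear
    "DEBUG swipe=%B4111111111111111^DOE/JOHN^25121011234567890?;4111111111111111=25121011234567890?",
    # 2: request body logged verbatim, including the printed security code
    'INFO auth req {"pan":"411111******1111","exp":"2512","cvv2":"123","amount":"19.99"}',
    # 3: PIN-debit terminal trace with an encrypted PIN block
    "TRACE pinpad pin_block=1A2B3C4D5E6F7A8B ksn=FFFF9876543210E00001",
    # 4: an acceptable post-authorization record: masked PAN, auth code, nothing sensitive
    "INFO auth ok pan=411111******1111 auth_code=012345 amount=19.99",
    # 5: track-shaped text whose digits fail Luhn, so it is not reported
    ";4111111111111112=25121011234567890?",
]

if __name__ == "__main__":
    for n, kinds in scan_log(SAMPLE_LOG):
        print("line %d stores %s" % (n, ", ".join(kinds)))
    print(scrub_for_storage(SAMPLE_LOG[0])[0])
```

Run the scanner against your cart’s database dump and log directory before an assessor does; the three hits above (a full swipe dump, a request body logged with the CVV2, and a PIN block in a terminal trace) are exactly the kinds of storage the bullet forbids, while the masked-PAN record on line 4 is what a stored authorization should look like. The value-only redaction keeps JSON records parseable after scrubbing.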

Is your online cart PABP compliant? As of January 1, 2008, any shopping cart that does not meet phase 1 of Visa’s PABP compliance faces fines and charges of $25,000 per month.

January 1, 2008: you cannot use an application that has a known vulnerability. That seems logical enough, but do you know how many shopping carts that eliminates? You don’t want to get stuck on this one. Not only will Visa stop allowing you to take their cards (yes, they will), but you can receive a huge fine and be held liable for any information that is breached because of the shopping cart you use. Visa is serious and you should be too. After January 1, 2008, all new customers seeking to accept Visa payments MUST be using PABP-compliant software and applications.

July 1, 2008, straight from Visa: “VNPs and agents must only certify new payment applications to their platforms that are PABP-compliant”. Seems a lot like what happens after January 1, 2008, but this one is aimed at application development. VisaNet Processors (VNPs) and their agents won’t accept new software that hasn’t been PROVEN to be PABP compliant. Proven is the key word there, and proving your application is PABP compliant is going to cost you around… $30,000. Yes, $30,000 for PABP compliance testing.

October 1, 2008: Level 3 and 4 merchants must be PCI DSS compliant or use PABP-compliant applications. This is the big one for PABP compliance; after this date, you had better make sure your applications are PCI or PABP compliant. Those who aren’t will be fined and will no longer be able to accept credit cards bearing the Visa logo. This is HUGE.

October 1, 2009, the real pain begins. Visa doesn’t actually process all the orders itself; it uses VNPs (VisaNet Processors) to process the cards. This is the day Visa tells its VNPs to stop accepting, and to decertify, clients who are using vulnerable applications to process credit card information. Decertify is the keyword here. That means if your application isn’t PABP certified by then, Visa will no longer allow you to process its cards.

July 1, 2010: being PCI compliant alone will no longer cut it; you now need to be using a PABP-certified shopping cart, period. If you don’t have a PABP-certified shopping cart by then, Visa could drop you as a merchant at any time.

PABP is serious business that WILL affect your business. If you’re looking to get an online shopping cart, be sure to choose one that is already PABP certified and PCI compliant. This will ensure your business stays online and you won’t have to change everything in a few months.

PABP Certified Shopping Carts

ASPDotNetStoreFront – my favorite PABP compliant shopping cart
Incartia – never used it but it is PABP compliant
DMDStudios – Custom carts reported to be PABP compliant
Magento – Open Source and seeking PABP compliance, I can’t wait to play with this one!

I’m sure there are others and I will edit the list if needed, but at this time, these are the major players for PABP compliance. Don’t start your online business stuck behind the 8-ball; make sure you’re getting a shopping cart that your company will be able to use in the future without fear of being shut down by Visa.

About the Author

dawhoo has written 20 stories on this site.

One Comment on “PABP and VISA Compliance – Get the Facts”

  • PABP Implementation Guide wrote on 1 August, 2008, 15:57

    Merchants concerned with their e-commerce cart company, processor or any other 3rd-party provider need to ask them how they are prepared or already addressing mandates involved with the PABP Guidelines for PCI Compliance.

    For companies seeking development resources for this, they can click the Name link here to visit Commerce Lab from IP Commerce to assist in payment enabling their application according to PABP guidelines for PCI compliance.


Copyright © 2010 dawhoo. All rights reserved.