New MasterCard POS standards

[LosAngelesZCUser]

I wasn't sure where to post this. This doesn't concern any particular payment module, just ones that use a Point of Sale (POS) system, like Authorize.net. The website of one of my company's clients uses Zen Cart, and they recently received this message from MasterCard:

Your Point of Sale (POS) system must be upgraded

Your business has been identified as using a POS system that utilizes an integrated POS software application such as Aloha, Counterpoint, or Squirrel or an E-payment/Gateway application such as
Authorize.Net, Cybersource, and First Data Global Gateway. To be compliant with this new MasterCard
mandate, your POS system will need to be updated with new transaction specifications.

If your system is not compliant by May 1, 2010, you may be subject to a per transaction compliance fee
by MasterCard. To avoid MasterCard compliance fees associated with these new procedures, these new
specifications must be implemented on your POS system. You will want to contact your application
software vendor directly to find out what updates are available. Your vendor is responsible for updating
your application software.

Ensure you are PA-DSS compliant

When you contact your vendor we recommend you also confirm that your software is Payment Application
Data Security Standard (PA-DSS) compliant. Visa has mandated that merchants using POS software
applications will need to be compliant with the PA-DSS by July 1, 2010. To view an updated list of
compliant payment applications, please visit http://www.pcisecuritystundords.org/...tandczrds/vpa/

I know nothing about this stuff. I couldn't find Authorize.net in the list of compliant applications that they link to. Should I be concerned? This particular website uses the iTransact (RediCharge) module, but several other clients have websites that use Authorize.net. Can anyone who's an expert on this stuff tell me if these modules are compliant with these new standards? What about PayPal/PayFlow modules?

I apologize upfront for my ignorance about payment gateways. My expertise is with the aspects of Zen Cart that take place entirely on the website; I don't know much about the parts that involve communication with outside gateways.

[Kim]

Does this customer also have a physical store? Are they using their Zen Cart as a Point of Sale system in the brick and mortar?

[LosAngelesZCUser]

Does this customer also have a physical store? Are they using their Zen Cart as a Point of Sale system in the brick and mortar?

I don't think so. Can you explain how that would work, and why it makes a difference?

[kobra]

Can you explain how that would work, and why it makes a difference?

I see where MC is using the acronym POS as the same as a gateway

POS is normally associated with "Point of Sale" or just like when you pay at a department store with a CC...
You and the card are physically present

Using a gateway you or your card are not present

Look at the site they linked to for the "Self Evaluation" thing
If one answers these questions correctly they should fall into level/class 4 - and personally be compliant

I have not re-read it recently but there may be items your host must comply with as in possibly subscribing to a PCI Scanning service.
The gateway provider will have some responsibilitirs also

[LosAngelesZCUser]

By the way, the URL in the message should be https://www.pcisecuritystandards.org...standards/vpa/. The message came in a PDF and for some reason I couldn't copy the text as text, only as an image. I had to use OCR software to convert it to text.

[LosAngelesZCUser]

The only self-assessment questionnaire I see on pcisecuritystandards.org is for PCI-DSS, not PA-DSS. Are these the same thing, or what's the difference?

[Kim]

PA-DSS if for the payment application (the program) - PCI is for the merchant.

[kobra]

Haven't looked and might be the same...
Also, see if you can finf a def of what constitutes being compliant

[kobra]

PA-DSS if for the payment application (the program) - PCI is for the merchant

So this is the gateway application?

[LosAngelesZCUser]

OK, so the message the client received included instructions to contact the application software vendor to find out if the latest version of the software complies with these new MasterCard standards. Again, their website uses the iTransact payment module, which I got from here: modyourzencart.com/free-of-charge/payment-modules

So I suppose I have to contact that website and find out if the latest version of their module is compliant.