"A few weeks ago I blogged about the PA-DSS regulations which are going to be taking effect over the next year.

PA-DSS (Payment Application Data Security Standard)is an additional security policy that addresses applications that storeor transmit credit card data. The current regulation is ambiguousenough that many ecommerce shopping carts fall under the PA-DSSenvelope. If you use an API method of integrating with your paymentgateway, your shopping cart may need to be PA-DSS certified.

The current timeline for PA-DSS adoption is as follows:

1. New PCI Level 4 merchants (including new locations of existingrelationships) may not use vulnerable payment application versions –those that store prohibited cardholder data. January 1, 2008
2. New PCI Level 4 merchants using third-party payment software mustbe either PCI DSS-compliant or use PA-DSS validated compliant paymentapplications. October 1, 2008
3. ALL PCI Level 4 merchants (new and existing) using third-party software must use validated applications. July 1, 2010

Here's the problem:

There is currently only one shopping cart that is PA-DSS certified: PDG Commerce. Additionally, Magento Enterprise, Miva Merchant, and X Cartare scheduled to become PA-DSS certified.

Other than that, no othercarts have announced that they will be, or are planning on becomingPA-DSS certified before the deadline of July 2010. There's still timeto get certified, but 4 of the thousands of shopping cart providers isnot a promising number."

It's unclear how hard-line of a stance the card companies aregoing to take on non PA-DSS or PCI compliant websites. If they go thefull mile, they could shut down any website's credit card processingthat isn't compliant. They could also hand down some major fines fornon-compliance.