We want to make sure we are on a PA-DSS compliant shopping platform, since the requirement to be PA-DSS compliant is starting soon. We have started looking and have found the following: Magento's Enterprise Solution (around $10,000), Miva, and Pinnacle Cart ($597); from my understanding they will all be ready for the July compliance requirement. We have posted in a few other forums trying to understand what others are doing regarding PA-DSS and we have not received any response regarding this issue. It seems like very few are thinking about this issue now. We are trying to determine what others are planning, or if they have any ideas on how to handle this matter.
You do not need a PA-DSS compliant cart unless it is paid software that is hosted and supported by the company selling it. Open source carts that you host yourself or on managed or shared hosting, or carts where you purchase the cart and the source code is included, normally fall under PCI-DSS compliance. There are only a handful of carts that have PA-DSS compliance. In either case, you still have to become PCI-DSS compliant yourself. Well-supported and developed carts like Magento Community, osCommerce, or others are just as secure, and oftentimes much more secure than proprietary carts. The reason is that when a security compromise is found, the community publicly reports it and quickly fixes it. Proprietary carts are often on their own in finding and fixing security holes. The one exception to this is a non-PA-DSS compliant cart that is hosted and supported by a third party. Since you have no control over the source code, or any other factor, it's arguable whether you can get PCI compliant, so PA-DSS is a must.
I think the question is regarding how PA-DSS compliance will affect carts that aren't compliant. For example, I process sales on my site (i.e. I accept credit cards through my site and the transaction takes place on my site), so I am required to be compliant if I wish to continue doing this after the April deadline. This means my cart, my host and my site must be compliant, and there are certain audits and checks that have to be routinely done to maintain certification. If you transfer people to PayPal or some other approved gateway to do the processing, then you do not need to worry about being compliant.
You are required to be PCI compliant, but not PA compliant. This rule applies specifically to managed payment software. If the software is not PA-DSS compliant, you must be able to prove that it is secure. Without full access to source code (both in license and the actual code) it is impossible to prove that something is secure.
Besides being PCI-DSS compliant at some level (there are levels of compliance - see http://help.qtmsoft.com/index.php?t...evels.E2.80.99_and_how_are_they_determined.3F), PA-DSS compliant software is a must if you want to accept credit cards on your site (i.e. customers enter credit cards right on your website page and send them to a payment processor, so a customer doesn't leave your website). Magento doesn't offer PA-DSS for their Community edition, which is used by most Magento people. Neither do freebies like Zen Cart and osCommerce. However, there is a way to avoid that - use PA-DSS certified payment middleware like CRE Secure (SaaS) or X-Payments (a standalone PA-DSS certified script). They integrate with Magento, Zen Cart and osCommerce as well as with X-Cart.