PCI-DSS / PA-DSS Compliance & Kentico CMS

As we receive numerous questions on PCI compliance I would like to explain some basic terms and requirements. We would also welcome your ideas related to Kentico CMS compliance.


What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements meant to ensure that companies involved in the process of card payment maintain a certain level of security to protect the cardholder data. It was designed by major card brands in response to the growing number of data security breaches and the resulting unlawful uses of this data.

PCI DSS in its current version (2.0) is defined as a set of twelve rules, which the involved entities must adhere to. The following table lists the requirements organized into logically related groups, called control objectives.

Control Objectives PCI DSS Requirements
Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data 3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software on all systems commonly affected by malware

6.Develop and maintain secure systems and applications
Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes
Maintain an Information Security Policy 12. Maintain a policy that addresses information security

Who must comply?

PCI DSS is a mandatory standard which applies to all entities that take part in payment card processing. This includes retailers, acquiring organizations, card issuers and any other subject that accepts, transmits or stores cardholder information.


What is PA DSS?

Payment Application Data Security Standard enforces the security of software used to process, transmit and store cardholder data. Similarly to PCI DSS, it defines a list of requirements the applications have to comply with. The current version (2.0) of PA DSS comes with the following requirements:

1. Do not retain full magnetic stripe, card validation, code or value, or PIN block data.
2. Protect stored cardholder data.
3. Provide secure authentication features.
4. Log payment application activity.
5. Develop secure payment applications.
6. Protect wireless transmissions.
7. Test payment applications to address vulnerabilities.
8. Facilitate secure network implementation.
9. Cardholder data must never be stored on a server connected to the Internet.
10. Facilitate secure remote software updates.
11. Facilitate secure remote access to payment application.
12. Encrypt sensitive traffic over public networks.
13. Encrypt all non-console administrative access.
14. Maintain instructional documentation and training programs for customers, resellers, and integrators.

Who must comply?

PA DSS aims at software developers and integrators that deliver online payment applications, which are sold, distributed or licensed to third parties.


Both these standards ensure cardholder security, but at different levels. PA DSS is for software vendors, while PCI DSS is required for all merchants who handle cardholder information.

Although PA DSS is based on the PCI DSS requirements, using PA DSS certified software does not make a merchant PCI DSS compliant!

Kentico CMS compliance 

Basic facts

Since PCI DSS is focused on merchants and the institutions that process card payments, this standard is not directly related to Kentico CMS.

Despite the fact that Kentico CMS is currently not PA DSS certified, it is built in a way that doesn’t prevent retailers from obtaining the required PCI DSS certification.

Give us your feedback

As PCI DSS or PA DSS compliance might be a requirement as a part of certain local laws and we do not plan to go through the PA DSS certification of the Kentico CMS at this moment (we do still plan that for the future, though), we would like to ask you if there is anything we can improve on or change in Kentico CMS payment processing to make it easier for you to pass the PCI DSS certification (should you need it).

We are currently considering the following options:

1) Integrating one of the 3rd party PA DSS payment connectors to process all payments in your Kentico CMS on-line store. Unfortunately, if you do use such a connector in your on-line store, you will probably need to pay a fee to the 3rd party, based on its licensing model. Of course, using such a payment connector would be optional. You could still use our built-in integrations of payment gateways without any extra fee.

2) Replacing our current integration of Authorize.NET (in which customers have to enter details of their credit cards using a Kentico built-in web form) with an alternative integration using an Authorize.NET hosted form (in which case customers would enter details of their credit cards "outside the web" using a hosted Authorize.NET form). This latter approach could probably be applied to all new integrations of payment gateways where customers need to enter details of their credit card.

What do you think? Any feedback is really appreciated!

We will appreciate receiving your feedback below this blog post or by e-mail to petrv@kentico.com

PS: To learn more about the PCI / PA DSS standards and for information on how to validate your compliance, visit the PCI Security Standards Council’s website at https://www.pcisecuritystandards.org.
Share this article on   LinkedIn Google+

Petr Vozak

Product Owner responsible for Kentico E-commerce Solution. He writes about its new features, future plans and all related stuff you might be interested in.


Drew commented on

The issues I have to solve with our PCI compliance are things like SQL injection vulnerabilities and other security threats that may exists in the CMS.

petr.vozak-kentico commented on

Thanks Brian for your feedback! In fact, developers can integrate with 3rd party payment gateway even now, see http://devnet.kentico.com/Videos/E-commerce/Developing-Custom-Payment-Gateway.aspx

Do you have any suggestions regarding the PA-DSS certified 3rd party payment component we should consider for integrating with Kentico? Feel free to send me your tips via e-mail to petrv@kentico.com Thanks!

Brian McKeiver commented on

It seems to me that because requirements vary so differently from project to project that being built in a way that supports being PCI compliant is a good thing. That way if you need to be compliant with a standard you can customize if you have to.

I would vote to allow developers to integrate with 3rd party payment connectors, I have done this in the past and it is really not too hard to accomplish.

I would vote against replacing the current Authorize.Net functionality because we use it quite a bit for some of out e-commerce customers.