#1
I'm wondering if the developers have plans for addressing the PA-DSS standards for ecommerce/online credit data etc.
#2
Hi Andor
Our Blesta install is scanned every 3 months and has passed for the last year. What problem are you having?
#3
It was just a general question. I did a search here in the forum to see if PA-DSS came up and nothing was visible... It's not mentioned on the main Blesta pages either. I've been following the next version blog and it's impressive what is going on in terms of the development, hence I wondered if PA-DSS compliance was also going to be part of that, especially seeing that Blesta does permit storage of customer credit details in the database on the host etc. and PA-DSS specifically looks at those requirements. Other things, like passwords for admin users needing to be reset every 30 days etc. etc.
The issue comes down to not exposing ourselves legally to any losses if credit data is stolen from an application that is not PA-DSS certified. If Blesta is compliant, as is the 3rd party gateway, then we're in the clear. If Blesta is not, then we're liable for losses, no matter how well the system works. And just because a system passes a scan does not mean it is PA-DSS certified.
#4
We spent a considerable amount of time reviewing PA-DSS guides during the data design phase for v3. It's something that has been on our radar for quite some time. The issue with PA-DSS is that almost any application can be validated, but their required implementation guides are so involved that you could never use the app as intended. An implementation guide to meet PA-DSS that undermines your ability to use the application as it is intended to be used and remain in compliance is no help. We think everything worth doing is worth doing right.
So, you can expect to hear more from us on this in the future. It's something we are definitely mindful of.