What it means for us is that neither our order management software nor our shopping cart vendors have released PA-DSS compliant versions of their products. So imagine you are a small business with 10 years of custom code, scripts, macros, etc., interfacing your shopping carts and your order management/CRM and you can't even begin working on migrating this to the PA-DSS versions because they don't exist. And you have 11 months left.
I can't imagine us meeting the July 2010 compliance deadline, so we will be at risk of fines. No one really seems to know what those fines are, but obviously if customer payment data is compromised through your site while you are non-PCI compliant, you are subject to hefty fines. I asked Visa what sort of enforcement would take place, and they said ask your acquiring bank. I asked our acquiring bank and all they have said is, "July 2010 is the deadline."
If you visit the official PCI site, you'll see a list of compliant PA-DSS applications. Currently there are only three shopping carts listed.
So what will you be doing until July 2010? Are you already not storing credit cards and using an external gateway and a PA-DSS compliant shopping cart?
As far as I can see the only way around using compliant applications is to code your own custom ones (securely of course) which are then not subject to the PA-DSS. At this pace, that might be the only (extremely expensive) solution if we want to meet the deadline.
So presumably it has no remit outside of the USA ..and is it even official?
..if its nav worked ..
One might be able to find out ..
but the "about us" opens .."drops down"
to the left ..
and thus under "news and events" ..
and if you move the mouse ..
to get to the "faq" etc on the dropdown ...
the nav closes ..
Fail.
and whadda ya know ..to join them costs $2500.00 ..fail and scam