While an SSL certificate isn't strictly required all the time (within Magento you can submit orders without SSL, or transact orders offline), SSL is ideally used whenever sensitive information is sent over the network. This could be customer data, shipping/payment information, and credit card numbers, expiration dates and CVV numbers. Images, scripts and the normal shopping process (catalog, products, homepage) do not need to be secure. To read more about how to configure an SSL certificate with Magento you can read here.

The private SSL certificate is an important upgrade to your website. The basic function of an SSL certificate is to encrypt all communication between the browser and the server, ensuring that all data goes through a secure (HTTPS) connection. An SSL certificate is a necessity when you want to operate an online shop and process sensitive customer data through your software. It helps you gain your clients' trust and increase your web site's search engine rank. You can purchase a private SSL from the SiteGround SSL Certificate page. To configure Magento to work with your SSL certificate, first you need to log in to your admin area and go to System -> Configuration. Next, click on the Web link under the General tab in your left menu. On this…
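As an added check, not code from the original post or from SiteGround's guide, the script below audits the Magento configuration values (the web/secure/* paths stored in core_config_data) that decide whether storefront and admin traffic is actually forced onto HTTPS after the certificate is installed; the two sample configurations are constructed, one weak and one corrected.

```python
"""Audit Magento's SSL-related configuration for the settings that decide
whether checkout/account pages and the admin panel are served over HTTPS."""
from urllib.parse import urlparse

# Constructed sample values, keyed by Magento config path as found in the
# core_config_data table. The first set is a weak setup: a certificate was
# bought, but Magento still points its "secure" URL at http and never
# switches the storefront or admin to the secure URL.
WEAK_CONFIG = {
    "web/unsecure/base_url": "http://shop.example.test/",
    "web/secure/base_url": "http://shop.example.test/",  # not https
    "web/secure/use_in_frontend": "0",                    # checkout over http
    "web/secure/use_in_adminhtml": "0",                   # admin over http
}

# Corrected set: secure URL on https, and both storefront and admin use it.
HARDENED_CONFIG = {
    "web/unsecure/base_url": "http://shop.example.test/",
    "web/secure/base_url": "https://shop.example.test/",
    "web/secure/use_in_frontend": "1",
    "web/secure/use_in_adminhtml": "1",
}


def audit_ssl_config(config):
    """Return a list of findings; an empty list means the SSL settings are sound."""
    findings = []
    secure_url = config.get("web/secure/base_url", "")
    parsed = urlparse(secure_url)
    if parsed.scheme != "https":
        findings.append(f"web/secure/base_url is not https: {secure_url!r}")
    # Magento expects base URLs to end with a slash; a missing one breaks
    # generated links rather than security, but it is a common typo here.
    if secure_url and not secure_url.endswith("/"):
        findings.append("web/secure/base_url should end with '/'")
    # Without these flags Magento keeps using the unsecure base URL for the
    # pages that carry customer and payment data, certificate or not.
    for path, where in (
        ("web/secure/use_in_frontend", "storefront (checkout, account pages)"),
        ("web/secure/use_in_adminhtml", "admin panel"),
    ):
        if config.get(path) != "1":
            findings.append(f"{path} is not enabled: {where} is served over http")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ssl_config(cfg) or "OK")
```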
What is PA-DSS? When should PA-DSS be applied?
The Payment Application Data Security Standard (PA-DSS) is the global security standard created by the Payment Card Industry Security Standards Council (PCI SSC). PA-DSS was implemented in an effort to provide the definitive data standard for software vendors that develop payment applications. The standard aims to prevent payment applications developed for third parties from storing prohibited sensitive data, including magnetic stripe data, CVV2, or PIN. PA-DSS's aim is to secure cardholder data and make online shopping more secure in general. It may come as a surprise, but PA-DSS is not needed for 85% of online stores; only 15% (or even fewer) of merchants need it. Many big names are not PA-DSS compliant: Yahoo Stores, 3dcart, Volusion and Big Commerce are non-compliant for PA-DSS.
In short, if customers enter credit card information on your site, you need PCI-DSS compliance (SSL, or a payment gateway such as PayPal or Authorize.net). You need PA-DSS if you are storing credit card data (for subscriptions or payments outside the system). If you are using SaaS you don't need it.
If you are interested in more reading material you can find some great ebooks and print books at Amazon.com:
PCI Compliance, Fourth Edition: Understand and Implement Effective PCI Data Security Standard Compliance