While an SSL certificate isn't strictly required all the time (within Magento you can submit orders without SSL, or take orders offline), SSL should be used whenever sensitive information is sent over the network: customer data, shipping and payment information, and card numbers, expiration dates and CVV numbers.…
What is PA-DSS? When should PA-DSS be applied?
The Payment Application Data Security Standard (PA-DSS) is the global security standard created by the Payment Card Industry Security Standards Council (PCI SSC). PA-DSS was introduced to provide the definitive data security standard for software vendors that develop payment applications. The standard aims to prevent payment applications sold to third parties from storing prohibited sensitive authentication data, including full magnetic stripe data, CVV2 and PIN. The aim of PA-DSS is to secure cardholder data and make online shopping more secure in general. It may surprise you, but PA-DSS is not needed by roughly 85% of online stores; only about 15% (or fewer) of merchants need it. Many big names are not PA-DSS compliant: Yahoo Stores, 3dcart, Volusion and Big Commerce are all non-compliant with PA-DSS.
In short, if customers enter card data on your site, you fall under PCI DSS (at minimum use SSL, and ideally hand the card data off to a payment gateway such as PayPal or Authorize.net). You need PA-DSS if you are storing credit card data yourself (for subscriptions or for payments taken outside the system). If you are using a SaaS platform, you don't need it.
If you are interested in more reading material, you can find some great ebooks and print books at Amazon.com:
PCI Compliance, Fourth Edition: Understand and Implement Effective PCI Data Security Standard Compliance