Are You Preventing Your Customers From Being PCI DSS compliant?
This month marks the one year anniversary since the Payment Application Data Security Standard, commonly known as the PA-DSS, was launched. So we thought now would be a good time to pose the question: software vendors, are you preventing your customers from being PCI compliant?
The goal of PA-DSS is to facilitate the development of secure payment applications by software vendors. Each vendor of a software application that stores, processes, or transmits payment cardholder data must now follow the 14 PA-DSS requirements and successfully pass a PA-DSS review by an independent auditor (known as a PA-QSA).
Back in October, StorefrontBacktalk founder Evan Schuman wrote an excellent article on how PA-DSS is remarkably misunderstood, both by merchants and software vendors. Schuman wrote:
Most merchants and application vendors seriously underestimate both the scope and the force of the Payment Applications Data Security Standard (PA DSS). If so, it’s only because they haven’t read the standard or don’t immediately grasp what’s involved.
Six months later, we are hearing that this is still the case. As of March 27th, only 153 vendors, representing 264 payment applications, are PA-DSS validated. While this is progress, many vendors have yet to become validated.
When we speak to non-validated software vendors, the reason most often cited for their non-compliance is that they don't realize that PA-DSS applies to them. There is still a lot of education to be done regarding the scope of PA-DSS, which states:
The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization and settlement, where these payment applications are sold, distributed or licensed to third parties.
Simplified: if cardholder data is entered directly into a software application (this could be as simple as a text box input), then the application is a payment application and is therefore in scope.
Many software providers also don't understand the relationship between PA-DSS and PCI DSS.
All software providers must meet PA-DSS requirements for their customers to comply with the mandated Payment Card Industry Data Security Standard (PCI DSS). As of October 1, 2008, acquiring financial institutions cannot approve merchants for processing if those merchants are using non-compliant software. Software providers whose applications don't meet PA-DSS (PABP) compliance requirements are beginning to lose customers as a result.