PCI DSS Compliance Blog

Element Payment Services recently received validation from Trustwave Holdings, Inc. confirming that Element’s Hosted Payments solution does indeed remove software applications from the scope of the Payment Card Industry Data Security Standard (PCI DSS). Trustwave Holdings, Inc. confirmed that Hosted Payments eliminates Integrated Software Vendor’s (ISVs) applications from the scope of PCI DSS and PA-DSS compliance requirements when implemented according to Element’s specification.

Hosted Payments is an integration method to Element's Express Processing Platform that removes the need for software applications to handle cardholder data when authorizing and settling payment transactions, preserving the benefits associated with integrated payments. The process shifts the responsibility of handling sensitive cardholder data over to Element's PCI DSS compliant Express Processing Platform. By shifting the entry point and storage location of card sensitive data, ISVs also avoid the hassle of costs associated with compliance as well as compliance audits.

The PCI DSS apply specifically to environments that store, process or transmit credit card numbers. Assuming ISVs (or their applications) do not otherwise store, process or transmit cardholder data, Trustwave validated that ISVs leveraging Hosted Payments are eliminated from PCI scope and compliance costs.

"The payment industry and our ISV partners have recognized the scope removing attributes of Hosted Payments since market availability in 2008," said Sean Kramer, CEO and president of Element Payment Services. "This third party validation will allow ISVs to provide reassurance to their customers that out-of-scope processing is an industry-accepted alternative to PA-DSS/PCI DSS validation for software applications."

Not only do ISVs avoid the hassles associated with PCI compliance, but also through Hosted Payment's integration with Element's Level 1 PCI DSS compliant Express Processing Platform, both merchants and consumers can rest assured that they are receiving the highest level of protection from incidents that could potentially compromise cardholder data.

To date, more than 100 software applications have certified to Express via Hosted Payments.

Contact Element Payment Services for more information on Hosted Payments or the Express Processing Platform.

The release of CardSense™ has the industry buzzing about the new PCI Compliant technology that helps merchants and providers reduce credit card processing risk and fees. CardSense allows merchants to identify a customer’s card type before processing the transaction, resulting in risk mitigation, lower transaction fees, and secure handling at the point of sale.

Businesses, large and small, in industries, including lodging, rental car, retail and healthcare, can greatly benefit from pre-authorization identification of card types. CardSense™ easily provides this service without complicating or jeopardizing PCI compliance requirements. “CardSense allows customers to make informed decisions about how they accept payments,” said Sean Kramer, president and CEO at Element Payment Services. “As a result, customers will be able to more effectively manage processing expenses, which will improve overall operational costs.”

Earlier this year, Bluebird Auto Rental Systems (BARS), a leading provider of enterprise management software for the auto rental industry, effortlessly integrated CardSense™ into their RentWorks application. “CardSense was an anxiously awaited addition to RentWorks, and customer adoption of the technology has exceeded our expectations,” says Angela Margolit, president at BARS.

CardSense™ works by evaluating Bank Identification Numbers (BINs), a set of numbers that are issued by the credit card companies to identify the financial institution. BINs are a part of every MasterCard and Visa card number as well as account numbers to identify the type of card, i.e. credit card ranges and PIN-debit card ranges. Visa and MasterCard make these ranges available to member financial institutions in the form of BIN range tables. CardSense™ is a hosted, server-based, BIN management service allowing merchants to differentiate between credit, PIN-debit, prepaid, and FSA/HSA cards.

Adding CardSense™ to your suite of processing technologies is easy. After Independent Software Vendor’s (ISVs) business management software is incorporated with Element’s Express Processing Platform to support CardSense™, merchants simply swipe or manually run a customer transaction as usual. The business management software then allows the merchant to decide how to process the transaction: as a PIN debit, prepaid debit or a healthcare card.

CardSense™ does not require additional hardware to utilize and is designed to be fully integrated into any point-of-sale (POS) system. To get started with CardSense™, email or call an Element Payment Services customer service representative at 1.866.435.3636.

By Susan Kohl

As a software vendor, do you know what is required for your application to accept payments and be compliant with industry regulations? In order to understand the requirements independent software vendors (ISVs) need to determine which category is applicable to their business model.

Table 1:  Software Provider Categories 

As illustrated in the table above the requirements vary based on the business model which is representative of the types of services a software vendor provides to their customers.  This article focuses on clarifying the requirements for SaaS and hybrid models and can best be summarized with the following steps.

Registration with Credit and Debit Card Brands

The card brands (Visa, MasterCard, STAR, etc.) require “Registration” of all entities providing the following services to the payment industry (referred to as Third Party Service Providers or Agents (TPAs)):

• Solicitation of payment activities
• Chargeback, fraud and settlement management services
• Enabling authorization and/or settlement activities (gateway and hosting services)
• Performing payment encryption management services
• Payment program processing, managing, monitoring and/or reporting (such as loyalty programs)

SaaS ISVs provide services that hosts the software that stores, processes, and/or transmits cardholder data on behalf of their merchant therefore they qualify as a TPA. 

The purpose of Registration is to clearly identify all parties that handle payment transactions and/or cardholder data in any way.  TPAs must be registered by a card brand sponsor Member.   A Member must be a financial institution (aka bank) that meets the criteria of the card brand to sponsor TPAs.  We will refer to these Members as a “Sponsor Bank” for purposes of this article.  There are many other types of Members not relevant to this article.  TPAs can select their own Sponsor Bank or work through their payment processors’ Sponsor Bank to complete the proper Registration.  

The table below highlights key information required, at a minimum, from you for the Sponsor Bank to properly complete Registration.  Each Sponsor Banks’ Registration program requirements may vary, however some basic information standards are required by all Sponsor Banks as dictated by the card brands operating rules and bank regulations.

Table 2: Registration Information Required

	You Provide	Sponsor Bank Performs	Result
1.	Memo describing your business activities related to payments and provide a process flow that outlines incoming and outgoing activity (authorization pass through, settlement points, etc.), third party service touch points. If possible, request a face-to-face meeting with the Sponsor Bank and/or Processor.	Review to determine Registration category and how to underwrite the risk and identify what third party companies handle cardholder data (TIP: Sponsor Banks may not request this, however to avoid confusion on what category you should be Registered as and the risk associated with your business it is prudent to provide such documentation)	The more clear and concise the business overview and operations the less frustrating and misclassification will occur during your Registration process.
2.	Application for Registration	Information used for underwriting and to prepare the card brand specific forms	In some cases, the TPA may be requested to complete all of the card brand forms rather than a single application. Each Sponsor Bank may differ on their procedures. Inaccurate and/or in complete information may be grounds for denying an application.
3.	Registration and Application Fee(s) (Fee range is $10,000 to $25,000)	Submits fees to card brand and maintain a small portion for the administrative process	Fees along with submission of the required documents to the card brands yields “Registration”, if approved.
4.	List of all principal owners (for non-public entities only) (TIP: Run a federal and state background check on each of the principal owners first and be prepared to address any known issues.)	Background checks (criminal, credit, financial)/tax liens	Ensure the results do not violate company policy for items such as federal offenses and related financial crimes.
5.	Financial statements and tax returns (most recent year and 1 -2 previous years)	Financial analysis to determine credit and financial risk	The analysis may yield a required reserve and/or principal owner guarantee to cover risks that may exceed credit and financial ability.
6.	W-9 (Tax ID)	Run a company background check	May be denied Registration if the company Tax ID and business existence cannot be validated
7.	Business License, Declaration of Corporation (non-public entities only)	Validate business existence and purpose of conducting business	May be denied Registration if the company existence and business purpose cannot be validated
8.	Credit check authorization form (non-public entities only) (TIP: Review credit bureau reports for all principal owners first and be prepared to address any known issues.)	Perform a credit check	Derogatory credit information may either pend the Registration process requiring more information from the TPA or a higher requested reserve. The TPA may be denied if bankruptcy or poor credit scores were noted.
9.	PCI compliance status/validation (Estimated costs range from $250,000 - $2.5 million, includes implementation)	Review the list of approved service providers and the PCI status (Global List of PCI DSS Validated Service Providers) If not listed and/or a Report on Compliance (ROC) has not been provided by the TPA, they will request an action plan to achieve PCI DSS.	Entities not PCI validated may be denied Registration unless they can provide evidence that cardholder data is not “handled” (stored, processed and/or transmitted) in the TPA environment.
10.	Other information/forms specific to the Sponsor Bank (e.g. business insurance verification)	Varies depending on the information requested; ensure proper liability coverage	Will vary depending on the information requested. If insurance coverage is insufficient to cover the risk

PCI Data Security Standards (PCI DSS)

The PCI DSS applies to any entity that stores, processes, and/or transmits cardholder data. It covers technical and operational system components included in or connected to cardholder data. If your business accepts or processes payment cards, it must comply with the PCI DSS.

PCI DSS is an important component of the Registration process, one not taken lightly by a Sponsor Bank and the card brands. TPAs are not only required by the card brands to be Registered; they must also be PCI DSS compliant if they store, process and/or transmit cardholder data. PCI validation requirements vary slightly based on the Service Provider PCI Level as noted in the table below.

Table 3:  Service Provider PCI Levels and Requirements Summary

Service Provider PCI Compliance Level	Criteria (varies per card brand)	Requirements
Level 1	All third party agents that store, transmit, or process greater than 300,000 transactions annually (evaluated by individual card brand)	1. Annual Onsite Assessment by a Qualified Security Assessor 2. Quarterly Network Scan by an Approved Scanning  Vendor
Level 2	Includes all service providers that store, transmit, or process less than 300,000 transactions annually (evaluated by individual card brand)	1. Annual Self-Assessment Questionnaire (SAQ) – Version D 2. Quarterly Network Scan by an Approved Scanning Vendor

For more information about specific card brand PCI requirements review the following websites:

• Visa Third Party Agent or Service Provider(“CISP” Program)
  
• MasterCard Service Provider (“SDP”)
• American Express Service Providers
• Discover Service Provider (“DISC”)
  

Registration and PCI DSS Costs

Registration as a TPA typically costs between $10,000 and $25,000. Becoming PCI DSS compliant can add up anywhere from $250,000 to over $2 million. As a SaaS provider, you have the option of outsourcing your payment processing, which would eliminate the need (and cost) for registering as a TPA and decrease the burden of PCI DSS compliance.

Susan Kohl is CEO of ThoughtKey, a payment industry boutique consulting firm focused on PCI, regulatory compliance, risk management and expert testimony serving all parties of the payment industry value chain. You can reach Susan via email or phone (678)522-2466 or on Twitter @PCISK.

By Susan Kohl, CEO, ThoughtKey, Inc.

PCI is more than just a three-letter acronym that most do not wish to associate with their business environment.  It can be your enemy or your ally depending on your business.  If you are:

1. Vendor benefiting from the profits of providing PCI related solutions = PCI is clearly your ally

2. Payment processor paying the ongoing price tag of maintaining PCI compliance = PCI is your enemy

The most difficult of them all:

3.    Merchant who simply struggles to achieve the desired profit =  does not even want to think about PCI unless someone forces them to do so

I spend endless hours advising clients on how to “cope with” the onerous PCI standards plus the numerous state data security laws (we will refer to these collectively as “standards” for purposes of this article).

Translating these standards into an implementation plan can be complicated.  The solutions and procedures needed are highly dependent on the specific operation and technology environments. Unfortunately, there is not a one size fits all implementation plan!

My PCI Strategic Risk Advisory approach often catches my clients off guard.  They engage me to help them implement PCI, the core of my business, but my first objective is to figure out how to eliminate PCI applicability from their environment.  Other than not accepting credit and debit cards as a payment method, how can merchants achieve this objective?  The answer is simple – ELIMINATE ACCESS, TRANSMISSION, AND/OR STORAGE OF CARDHOLDER DATA.  One of my Florida clients termed this appropriately as “Be PCI-Free”.  The slogan fits and makes sense.

With the advent of hosted solutions (often referred to as “SaaS” or software as a service/solution) merchants can now achieve a Be PCI-Free objective while accepting credit and debit cards as payment.  What makes several hosted solutions even better is the recent availability of tokenized data elements. Merchants that need certain payment transaction details to assist customers can still do so when they select a hosted solution that provides tokenized data.  For example, merchants may need payment data to manage 1.) customer dispute resolution, 2.) recurring/subscription payments, and 3.) targeted marketing and analytics.

The first step with my merchant client projects is to begin by asking a few key questions.  Then, use their responses to build a data inventory and to determine what data security strategy is best for their business model.   

Data Types:  What types of non-public data (bank account information, credit and/or debit card data, social security numbers, etc.) exist in the business environment?

Quantity:  How much of this data exists?

Where:  Where is this data?

Handling:  How is this data handled (access, transmitted and/or stored)?

Why:  Is this data necessary?

Whenever possible, dependent upon the above responses, I strongly advise my merchant clients to avoid handling any cardholder and/or other non-public data by using a hosted solution with tokenization.  We then work collectively to evaluate the appropriate hosted solutions vendor that matches their business model and industry.  The benefits to a merchant for using a hosted PCI compliance solution with tokenization are priceless. 

• Significant reduction of data breach liability (shifted to the hosted provider) - $$$$
• Elimination of PCI managing costs (shifted to the hosted provider)  - $$$
• Reduce internal data storage and managing resources (shifted to the hosted provider) - $$$

If a hosted solution and tokenization is not possible for their environment, then we begin evaluating the business environment with the PCI and other data security rules. 

Susan Kohl is CEO of ThoughtKey, a payment industry boutique consulting firm focused on PCI, regulatory compliance, risk management and expert testimony serving all parties of the payment industry value chain. You can reach Susan via email or phone (678)522-2466 or on Twitter @PCISK.

PCI Compliance Thought Leader Q&A
Interview with Rick Dakin, President of Coalfire

PCI DSS Compliance Blog: Tell us about Coalfire.
Rick Dakin: Coalfire is an IT audit and compliance firm.  We spun out of an application hosting company in 2001 and have remained focused on a single mission since that time - to provide cost-effective IT audits and compliance advisory services.  This focus allows us to provide an independent view of compliance to stakeholders subject to Payment Card Industry (PCI), banking, healthcare and privacy regulations and laws.

The company provides a wide range of security and IT audit and advisory services through a team of 50 professionals from offices in Colorado, Washington and New York.

What work does Coalfire do in the area of PCI compliance?
Coalfire provides a full range of PCI assessment and compliance advisory services that includes certification to perform the following activities:
•    Qualified Security Assessor (QSA) – provide level 1 Report on Compliance (ROC) reports after on-site testing, and facilitation for completion of a Self Assessment Questionnaire (SAQ).
•    Payment Application – Qualified Security Assessor (PA-QSA) – Perform application testing and validation to the Payment Application-Data Security Standard (PA-DSS).
•    Approved Scan Vendor (ASV) –perform internal and external network vulnerability scans.
•    Penetration testing services are provided to all PCI clients.

What does it take to become a certified QSA? 
A QSA must work for a QSA company.  The requirements for QSA companies include registration (with fees), $2 million of professional liability insurance, and compliance to the rules published by the PCI Security Standards Council (PCI SSC).  All QSA companies are subject to review by the council.

Once a QSA company is established, an individual QSA must first obtain a security industry certification like a CISSP or CISA certification, 3 or more years of industry experience and hands-on PCI experience supporting another certified QSA.  All QSA participants must then pass a background check and complete formal PCI training and certification testing. 

At Coalfire, we estimate that each individual QSA costs us $7,500 per year to maintain industry certification, registration fees and insurance in addition to 50+ hours per year in training or off-site testing.  In short, it is a significant commitment by both the QSA and the QSA company to provide certified services in the industry. 

Merchants and software developers are often confused by the various levels of advice available to them.  Some companies do not complete the rigorous QSA training, testing, certification or peer reviews that guide our processes and methods to determine compliance to PCI standards.  Accordingly, the advice provided by a certified QSA may differ from advice provided by an industry observer who is not subject to the QSA process.

How many assessments are you doing per year?
Coalfire will perform over 1,000 assessments this year for more than 600 clients.  Over 60% of those assessments will be performed for clients with PCI DSS or  PA-DSS requirements.  Our processes and methods to determine compliance have been developed and vetted through thousands of tests, council peer review and success in preventing compliance failure for any of our validated clients.

Are more of your customers concerned with PA-DSS (ISVs) or PCI DSS (merchants)?
Since merchants outnumber the payment application vendors in the market, we conduct more merchant and service provider level 1 and 2 ROC and SAQ testing.  However, we are seeing a dramatic increase in the amount of PA-DSS compliance validation work from payment application developers.  This trend clearly verifies that merchants are improving security infrastructure more quickly than payment applications are being updated to comply with the Payment Application Data Security Standard (PA-DSS).

As a result, processors and merchants are facing critical deadlines to verify that payment application vendors comply with PA-DSS or force merchants to switch applications to a version that is already compliant.  This change is disruptive to many merchants since the updated applications typically require changes to platforms or infrastructure.

The problem cascades through the payment ecosystem because payment application vendors are having trouble finding a PA-QSA with resource availability to complete pre-audit testing or final validation testing on a timetable that will enable merchants to fully deploy PA-DSS compliant applications prior to the July 2010 deadline.

Can you walk us through a brief step-by-step process that you go through with your clients in the area of PCI compliance?
Our process is consistent across all product areas to include ROC, SAQ and PA-DSS test and reporting.  The following example is provided to outline the payment application validation process.

1.    Prospects enroll in an online audit preparation and self assessment tool called Navis.  The Navis platform has RapidPA-DSS, RapidSAQ and RapidROC modules.
2.    Prospects enter evidence that they meet specific controls in a “Turbo Tax” styled online questionnaire and data collection portal.
3.    Once the prospect data is entered and indicates that the payment application is ready to test, Coalfire’s staff reviews the data entered into the online platform and advises the prospect on the process to complete PA-DSS validation testing.
4.    After a contract is signed, Coalfire performs PA-DSS validation testing and provides a final gap analysis report to the developer to complete program modifications required to comply with PA-DSS standards.
5.    Final testing is completed and a PA-DSS reporting is submitted to the PCI Council.
6.    To become registered on the PCI Council PA-DSS list, each payment application vendor must sign a compliance agreement and pay a registration fee to the PCI Council.

What’s the area of greatest confusion for your customers? (ISVs or merchants)
The biggest area of confusion that we typically see is the separation of compliance responsibility between the ISV and their merchant clients.  Many clients think that the payment application vendor is solely responsible for PCI compliance.

Another common misconception among some merchants is that if they use PA-DSS-compliant payment applications, the merchant itself has met its obligations for PCI validation.  Coalfire works with payment application developers to help them guide their customers through a process to meet the full PCI standard and reduce the merchants’ risk of fines and penalties for non-compliance.  At the same time, this helps mitigate the payment application developer’s risk from civil claims from merchants using their technologies. 

There is perhaps no greater concern for merchants and software vendors than the cost of PCI DSS and PA-DSS compliance. How do you see the costs of PCI compliance weighing out against the cost of non-compliance?
How does the old Carpenters’ song go? … “We’ve only just begun.”

While the amount of investment in data security is growing at a breath taking rate, so is the investment being made in the personal injury litigation market.  We are seeing a dramatic increase in the amount of litigation being pursued to recover costs associated with identity theft and data breach, including credit card compromise.

In the last 3 years, over 40 states have passed aggressive new data breach legislation that will enable even more litigation.  Most breached merchants contact us with fears that they will be fined by VISA.  This is the least of their concerns.  I see most of the losses associated with litigation, fraud recovery costs, breach notice and post-breach system remediation.

Coalfire is not a law firm, but we see the damage caused by data breach up close.  This has taught us that the cost of compliance is really the investment to defend your organization from growing claims of negligence.  In the retail sector, the PCI Data Security Standard is the reasonable standard being used to determine negligence.

The trade off that we have experienced from our support of compromised merchants is that a dollar of compliance investment will save $10 of potential breach costs. Accordingly, we see the card brands like VISA moving into a secondary role.  We see state data privacy laws and the liability attorneys driving the need to validate compliance in the future.

How aggressive do you foresee credit card companies like MasterCard and Visa being with the new fines for non-compliance? What about specifically for smaller businesses?
For level 1 and 2 merchants, fines for non-compliance have become commonplace.  For level 3 and 4 merchants, enforcement has been “spotty” due to the various levels of tracking performed by the merchant processor.  We expect this random review of merchant compliance to change in 2010 since every processor must understand the status of merchants using only validated payment applications. 

Processors are making significant investments in their ability to track compliance of their level 3 and 4 merchants as a part of the process to inventory all payment applications to the PA-DSS requirement.  Accordingly, we expect fines for level 3 and 4 merchants to grow starting later in 2010.

Again, the fines are secondary.  We see the bigger risk that software vendors are offering non-compliant payment applications to customers who use them after July 2010 as a reason for the liability attorneys to pursue claims of negligence in the case of a data breach.  The PCI Council set the standard for reasonableness and now the attorneys have a clear path to collect huge sums for negligence on the part of merchants, processors and software developers who continue to use non-validated payment applications.

With PCI standards evolving, how do you stay at the forefront of the industry?
Unfortunately, the demands for more secure payments are driving investment in evolving PCI requirements at a time when merchants want their software developers to help them provide higher quality and more focused service to consumers. 

It is clear that the PCI standards that are being used today are not yet adequate to mitigate all risks to the payment processes.  The PCI Security Standards Council is providing leadership for a number of “next-generation” controls that will likely be included in future PCI Data Security Standards at both the application and infrastructure levels.

Many larger payment application vendors are removing payment modules from other merchant application services in order to contain the cost of data security.  By removing payment modules from commerce platforms and installing a shared payment service (managed by the application or by a third party), payment application developers can release updates to other non-payment modules without the expense associated with PA-DSS testing.  For the payment modules, application developers can focus more effort on enhancing controls when the platform is shared.  As a result, we see the trend for payment application developers continuing to move towards shrinking the payment environment and continuing to remove payment modules from other commerce functions.  Over the next few years, we would expect that the number of payment modules to shrink by a significant percentage.

Where do you see this industry in five years?
The payment industry is maturing.  Merchants and payment application vendors are faced with the market demand to simplify the PCI-compliance process and to reduce the cost of compliance.

Over the next 5 years, I expect that this overwhelming market demand will be met with solutions like centralized management of payment data to dramatically reduce the amount of data that is placed at risk in a distributed commerce environment.  The industry will have to keep innovating to allow consumers to get in and out of a retail environment more quickly while receiving higher quality and inherently more secure service.

The sophistication of payment processes will also have to continue developing at a rapid pace to keep up with online, mobile, in-store and unattended commerce opportunities.  Accordingly, only a few players will be able to make the investment in these dramatically shifting payment solutions to embed more encryption and continuous monitoring.

By Jeff Gross, Element Payment Services

We speak with software vendors all day long about their applications and what the payment industry security standards mean to them. The questions they ask are very insightful, so we thought we’d share the top ten most common questions we receive.

Hope this helps you understand the PA-DSS and the complex issues surrounding it on a deeper level.  Feel free to pose any other questions you have about PA-DSS in the comment section. We’d be happy to answer them.

1. Q: PA what?

A: We still get responses like “PA-what?” when mentioning PA-DSS for the first time to software providers. There clearly needs to be more education around this security standard. 

PA-DSS stands for the Payment Application Data Security Standard. It was created by the major credit card brands (under the umbrella of the Payment Card Industry Security Standards Council) to combat the growing number of credit and debit cardholder data breaches. Seventy five percent of all data security attacks are against software applications. The PA-DSS mandates all payment applications that store, process or transmit payment cardholder data as part of authorization or settlement be certified on a continuous basis using an approved Payment Application Quality Security Assessor (PA-QSA).  The PA-DSS applies to applications that are sold, distributed or licensed to third parties.

Learn more about the PA-DSS requirements.

2. Q: What is the difference between PA-DSS and PCI DSS?

A: The PA-DSS applies to software applications that store, transmit or process credit card data, whereas the PCI DSS applies to merchants that accept payment cards.  Both were created to protect consumer cardholder data.

Learn more about PCI DSS requirements.

3. Q: I’m confused. I thought the credit card brands had their own security standards, like Visa’s PABP.

A:  In September 2006, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International formed the Payment Card Industry (PCI) Data Security Standard, an independent council designed to improve payment account security. 

The PCI Security Standards Council serves as an advisory group and manages the underlying PCI security standards; however, each payment card brand is responsible for its own compliance programs.  Even though the PCI Security Standards Council developed these standards, each payment card brand is responsible for its own compliance programs and has different deadlines for PCI compliance for merchants and software providers.

4. Q: How serious is this PA-DSS stuff?  We haven’t seen anything as far as fines or anything for non-compliance.

A: All payment applications have to be compliant by July 1, 2010 (Visa’s Final Security Deadline) or risk their customers not being able to process Visa credit cards at all.  And as of October 1, 2009, VisaNet processors must decertify all vulnerable payment applications.  While non-compliance with PA-DSS hasn’t yet been addressed with fines, the card brands are addressing the issue by removing the ability to process payments entirely. 

If it is any indication, MasterCard has begun fining merchants for non-PCI DSS compliance. 

5. Q: How much does the PA-DSS assessment cost?

A:  To achieve PA-DSS compliance, software providers must undergo the process of validating their application. This involves a security audit from a PA-DSS Qualified Security Assessor (QSA) and the development time and expense to bring the application into compliance. These PA-DSS certification costs generally range between $10,000 to $30,000.  Some software providers also have the option of going out of scope for PA-DSS certification, which cuts down on PA-DSS compliance costs. 

6. Q:  Could our merchants just stop taking credit cards? 

While merchants could stop taking credit cards, customers using credit cards tend to spend 2 to 3 times more than customers who only carry cash or check.  And since the major credit card brands are accepted worldwide, you expose your business to customers from all around the globe, instead of just locally.

7. Q: If we are PA-DSS-compliant, does that mean my merchants are compliant? 

A: PA-DSS and PCI DSS are still two separate compliance standards.  All merchants must still meet the PCI DSS requirements.  Using a PA-DSS compliant application does not remove this requirement.  At a minimum, the appropriate PCI Self-Assessment Questionnaire and network scan should be completed by all merchants.  However, since PA-DSS is a part of PCI compliance standards, new merchants or merchants that change processing providers cannot meet PCI requirements if they are using non-compliant applications.  And, the requirements are only getting tougher.  As of 7/1/2010, all merchant account providers are required to ensure that their merchants use only PA-DSS compliant applications.

8. Q: "Ok, here’s my PCI network scan.  We’ve been confirmed compliant.  Please set us up so that our merchants can process payment cards.”

A: Vulnerability scans are required by the PCI DSS, not the PA-DSS.  Software vendors must pass a PA-DSS review performed by a Payment Application QSA, as well as fulfill all of the PA-DSS requirements.  

9. Q: If I’m just passing card numbers to the merchant, but not storing card numbers, then why do I have to have a PA-DSS assessment?

A: If your software application comes in contact with sensitive cardholder data, the application is in scope of PA-DSS. 

10. Q: Is there anything I can do to get around the requirement of a PA-DSS assessment?

A: The only way this could be done is to have your application not store, process or transmit sensitive cardholder data AT ALL.  Element’s Hosted Payments solution takes software providers entirely out of scope of PA-DSS.   

This month marks the one year anniversary since the Payment Application Data Security Standard,  commonly known as the PA-DSS, was launched.  So we thought now would be a good time to pose the question:

software vendors, are you preventing your customers from being PCI compliant?

The goal of PA-DSS is to facilitate the development of secure payment applications by software vendors.  Each vendor of a software application that stores, processes, or transmits payment cardholder data must now follow the 14 PA-DSS requirements and successfully pass a PA-DSS review by an independent auditor (known as a PA-QSA). 

Back in October, StorefrontBacktalk founder Evan Schuman wrote an excellent article on how PA-DSS is remarkably misunderstood, both by merchants and software vendors.  Schuman wrote:

Most merchants and application vendors seriously underestimate both the scope and the force of the  Payment Applications Data Security Standard (PA DSS). If so, it’s only because they haven’t read the standard or don’t immediately grasp what’s involved.

Six months later, we are hearing that this is still the case.  As of March 27^th only 153 vendors representing 264 payment applications are PA-DSS validated.  While this is progress, there are many vendors yet to become validated. 

When we speak to non-validated software vendors, the reason most often cited for their non-compliance is that they don’t realize that PA-DSS applies to them.  There is still a lot of education to be done regarding the scope of PA-DSS which states:

The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization and  settlement, where these payment applications are sold, distributed or licensed to third parties. 

Simplified, if in a software application cardholder data is directly entered (this could be as simple as a text box input), then the application is a payment application and therefore, in scope. 

Many software providers also don’t realize the relationship between PA-DSS and PCI DSS. 

All software providers must meet PA-DSS requirements for their customers to comply with the mandated Payment Card Industry Data Security Standard (PCI DSS requirements). As of October 1, 2008, acquiring financial institutions cannot approve merchants for processing that are using non-compliant software. Software providers with applications that don’t meet PA-DSS (PABP) compliance requirements are beginning to lose customers as a result.

Related Posts and Pages:

How to Become PCI Compliant

PA-DSS Implementation