By Scott Henry, director of product marketing, North America, VeriFone
1. Don't Overlook The Basics
VARs need to understand what PCI DSS encompasses, understand their own limitations, and persuade their merchants to take it seriously. Many — probably most — small merchants have limited knowledge of PCI and may assume it doesn't apply to them. They just want someone to help them fill out a Self-Assessment Questionnaire (SAQ) and then consider themselves compliant. But a signed SAQ is not a security control: if a merchant is lax in practice and is breached and fined, they may turn around and blame their POS VAR, and any software vendor behind that VAR. You can help your merchants and protect yourself by acting in a consultative role, helping merchants understand what PCI DSS actually requires of their environment and how to comply.
2. Know What To Look For When Evaluating Processing Companies
To begin with, any solution provided by the processing company must itself be PCI compliant. Payment software has to be validated against PA-DSS (since succeeded by the PCI Software Security Framework), any gateway or other service that handles cardholder data has to be assessed against PCI DSS as a service provider, and PIN pads and terminals must meet PIN Transaction Security (PTS) requirements. A practical check: each of these claims should be verifiable on the PCI Security Standards Council's public listings rather than taken from a vendor's brochure. That's a lot for any company to become proficient in, so it's important for a VAR to assess what it can master and manage internally and where it needs outside services to ensure its solutions remain compliant.
Beyond that, the processing company should understand the technologies they sell or recommend, and provide training and consultation to help VARs and ISOs deliver solutions that minimize the merchant's PCI scope, which makes compliance and validation easier. For instance, point-to-point encryption (often loosely called end-to-end encryption) encrypts card data inside the PTS-approved device so the merchant's POS and network never see a clear-text PAN, and tokenization replaces the PAN with a surrogate value so that back-office systems never store it. The caveat is that only a solution listed by the PCI Council as a validated P2PE solution entitles the merchant to the reduced SAQ; encryption that is merely marketed as end-to-end does not automatically shrink scope.