Q&A: PCI Compliance: There's No Getting Around It
Experts give both VARs (value-added resellers) and ISVs (independent software vendors) advice on how to handle upcoming PCI compliance deadlines.
Business Solutions, September 2009
Jeff Wakefield, VP of marketing, VeriFone: While VARs and dealers generally understand PCI programs and requirements, their customers most often do not. Focused on running their businesses in a challenging economy, these merchants often eschew PCI-related expenses for many reasons, including: lack of capital, no understanding of the impact of noncompliance, and the belief that a breach will never happen to them. This becomes a significant issue to a VAR when its customer is breached. In the case of a breach, the VAR is often sued by the merchant for improper installation or not telling them they needed a software upgrade for PA-DSS (Payment Application Data Security Standard).
What is the most important trend in card processing that ISVs should be aware of?
James Surber, VP — POS Division, United Bank Card: As ISVs develop relationships with merchant services providers, many of them are seeing big dollar signs and taking part of the residual revenue stream away from dealers. I think that in the long term this is a practice that will hurt the ISV’s ability to generate revenue. The merchant services industry was built on receiving pennies from a large volume of transactions. Trying a “money grab” is not the best way to operate in this arena.
Sean Kramer, president and CEO, Element Payment Services: Until recently, ISVs didn’t have to be too concerned about the level of data security within their applications. However, the newly adopted PA-DSS compliance mandates have completely changed this reality for ISVs.
ISVs now must ensure that their integrated payment processing solutions are compliant with the rigorous standards of PA-DSS. This leaves ISVs with two options: contract with a Payment Application Qualified Security Assessor (PA-QSA) to achieve and maintain PA-DSS compliance, or select a payment processor that can provide them with the tools to remove the risk and burden associated with card acceptance, thereby eliminating the need for PA-DSS compliance altogether.
By shifting the responsibility of storing, transmitting, and processing cardholder data to a PCI DSS-compliant payment processor, ISVs can offer their customers processing solutions that exceed compliance requirements. Such solutions solve two business problems. First, they remove the need for PA-DSS compliance for ISVs. Second, they greatly simplify PCI DSS compliance for their customers (merchants).
Bryan Daughtry, VP of sales and marketing, United Merchant Services: While PCI compliance should be the main focus of ISVs for their software, remote merchant access is one trend that software developers cannot ignore. In leveraging the Internet and the prevalence of mobile devices, remote access of real-time (store-level) information is now possible. The power to access a business anytime and anywhere gives owners peace of mind while they are away from their day-to-day operation. Furthermore, remote access and its value are magnified to a much higher degree in the franchise environment.
Are there any common misconceptions surrounding card processing?
Surber: The most prevalent misconception is that rates always have to be as low as possible to win the deal. A VAR needs to use every tool at its disposal to win and keep deals. VARs have a real advantage over the rest of the merchant processing industry in that they have already built a relationship with the merchant, and that relationship is built on trust. It is important to cultivate that relationship in order to create value for your customer. As you propose an entire solution to your customer, don’t be afraid to go outside the box with your pricing models. For instance, perhaps you can give them a lower rate on a maintenance contract if they use your merchant services. Or, perhaps you can reduce the price of the POS system if they use your merchant services. In any event, make sure that you build a trust-based relationship and sell on value, not price.
Kramer: The most important and potentially most damaging misperception is the scope of PA-DSS and its relevance to the ISVs. That is, many ISVs do not realize that PA-DSS applies to them. In fact, many ISVs do not realize that PA-DSS even exists, let alone that their software applications are in scope of the Standard. According to the Payment Card Industry Security Standards Council (PCI-SSC), PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization and settlement, where these payment applications are sold, distributed or licensed to third parties. Simply put, if an application handles cardholder data in any way, then the application is in scope for PA-DSS.
Which area of PCI compliance causes VARs the most trouble?
Wakefield: Many VARs are not aware of their responsibility to protect the integrity of PIN entry devices in their vans, repair facilities, and warehouses. These devices need to be locked up at all times and properly accounted for to prevent criminals from gaining access to them in an attempt to install a bug to steal cardholder data.
Daughtry: Gaining a detailed understanding of, and comfort level with, PCI compliance continues to cause VARs trouble. Payment integration has come a long way in a relatively short period of time. Dealing with PCI compliance is no easy or quick task and has forced VARs to dedicate time, knowledge, and resources to an area of their business not previously required. The PCI Security Standards Council, on a regular basis, continues to provide educational opportunities to further increase the awareness and understanding of compliance requirements in our market.
Which area of PCI compliance causes ISVs the most trouble?
Surber: Every ISV in the market today wants to keep enhancing its software and creating value for its customer base. The problem with PCI is that, in many cases, enhancements to the software require a recertification of the software suite. This can become a very expensive and arduous process for the software company and takes away from its mission of developing the best software on the market.
What do ISVs need to know about PCI compliance programs?
Kramer: All merchants must be PCI DSS-compliant. To become compliant, a merchant must, among other things, use a PA-DSS-compliant payment application. As of Oct. 1, 2008, merchant acquirers and processors cannot approve merchants for processing if they are using noncompliant software.
The PCI vise will continue to tighten as the dates for approaching deadlines target merchants that were originally grandfathered in. To explain further, PA-DSS was launched with a two-pronged approach, one targeting new merchants (or merchants that switch processors) and the other targeting merchants that have been processing on the same platform since before the adoption of PA-DSS (these are the merchants that were grandfathered in). On Oct. 1, 2009, processors will be required to decertify all noncompliant payment applications. By July 1, 2010, merchants will be required to use only PA-DSS-compliant applications.
With these fast-approaching deadlines and the effort required to achieve compliance, ISVs are finding themselves faced with major resource constraints. It’s tough enough for ISVs to keep up with the competition and customer demand to build feature-rich functions, much less plan for unexpected compliance mandates requiring significant development time and effort. However, ISVs that don’t take these deadlines seriously, or that don’t remove their applications from the scope of compliance, will lose customers that they worked hard to get.