Guest Column | December 7, 2011

PCI-Certified Doesn't Mean Guaranteed Security

By Rob Bertke, senior VP for R&D, Sage Payment Solutions

What should ISVs be looking for from a security/PCI perspective when evaluating prospective processing companies/payment gateways?

First, ISVs need to separate security from Payment Card Industry (PCI) certification. PCI certification is extremely important, and provides a level of confidence and assurance that a processor has followed and passed a robust set of best practices; however, PCI doesn't guarantee security. PCI-compliant merchants and PCI-certified gateways and processors get breached, and the PCI badge does not offer any insurance or protections.

So, with that in mind, ISVs should first verify their providers are Service Level Provider (SLP) 1 compliant. That's the badge, and it should be viewed as a mandatory requirement. Second, get into the weeds with your processor's technical support team to understand the level and breadth of their encryption and their use of tokens or GUIDs in lieu of passing sensitive data — and understand how encryption and tokenization are applied in all environments (e.g. retail POS, phone, web, and mobile). Lastly, challenge your processor to offer PCI assistance, including literature and consulting. How your processor reacts in these three areas should give you either a sense of confidence in them or a feeling of doubt.
