PCI Compliance: How Security Standards Impact Software Vendors


PCI DSS stands for Payment Card Industry Data Security Standard. The PCI compliance standards were established by the credit card associations (Visa, Mastercard, and American Express) to help merchants build credit card processing environments in which card data is processed, transmitted, and stored securely.

PA-DSS stands for Payment Application Data Security Standard. These standards apply to software vendors and other entities that develop payment applications, and certification confirms that those applications handle cardholder data securely and do not store prohibited data.

For software vendors, the first step in the PCI journey is determining what level of compliance your solution needs to meet. If your company sells a software solution that processes credit or debit cards, you'll be subject to the PA-DSS requirements. Becoming PA-DSS certified requires a lot of extra legwork. First, your organization must complete a 55-page questionnaire. Next, you'll face a required application audit from a PA-DSS Qualified Security Assessor (QSA).


Is payment processing functionality worth the extra effort?

Incorporating payment processing within your software provides value for customers and new revenue streams for your organization. However, expanding into the payments sector greatly increases both financial and reputational risk. For software vendors concerned about the burden of processing, transmitting, and storing sensitive payment information, there is another option: integrated payments.

How integrated payments reduce PCI scope for ISVs and SaaS providers

Integrated payments allow customers of your software company to accept payments through a payment gateway. This gateway is accessible from within your software, but card data is processed, transmitted, and stored by your payment processing provider. That means your payment processing provider is able to:

1. Handle some or all of your payment processing requirements
2. Eliminate security concerns that stem from payment processing

In this way, integrated payments give software vendors the customization, branding capabilities, and functionality of developing their own payment gateway, without any of the risk. To confirm that sensitive payment information will be safe with your payment processing provider, make sure they are PA-DSS certified. That certification verifies that you're working with a reputable processor that uses the following technologies to keep cardholder information secure:

Point-to-point encryption (P2PE)

P2PE protects card data in transit. This technology is a combination of secure devices, applications, and processes that encrypt data from the point of entry (swipe, dip, manual entry, etc.) until it reaches the payment processing provider's secure customer vault.

Tokenization

Tokenization protects card data at rest. If a user keeps card data on file for subscription billing, a software vendor's payment processing provider should keep that data stored in a secure vault. Outside the vault, the data is tokenized, meaning it is replaced with a "token": a random set of numbers, letters, and symbols. During a transaction, the software submits the token and the vault matches it to the correct customer's actual card information, so the real data never leaves the vault. The token itself has no exploitable value: if a malicious party were to intercept it, it would be useless. Tokenized data has the added benefit of allowing recurring billing without giving end users access to full payment information.
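The following added example (not code from the original page or from BASYS) models the vault-and-token split described above: a `CustomerVault` class stands in for the provider's secure vault and is the only component that ever sees a card number, while a `SubscriptionApp` class stands in for the ISV's software and stores nothing but tokens. The class names, the `tok_` token prefix, the Luhn check on input, and the sample card number (the well-known 4111 1111 1111 1111 test number) are all constructed for illustration. Tokens are generated with `secrets.token_urlsafe`, so they carry no information about the card number; a second, unrelated vault cannot resolve them, which is what makes an intercepted token worthless.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Basic sanity check on a primary account number (Luhn mod-10)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class VaultError(Exception):
    pass


class CustomerVault:
    """Constructed stand-in for the provider's secure vault.

    Only this object holds full card numbers. In a real vault the mapping
    would be encrypted at rest and the charge() call would forward the PAN
    to the card network; here it just returns a receipt.
    """

    def __init__(self):
        self._cards = {}  # token -> full PAN (never leaves this class)

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise VaultError("invalid card number")
        # 192 bits from the OS CSPRNG: the token is unrelated to the PAN,
        # so it cannot be reversed or guessed from the card number.
        token = "tok_" + secrets.token_urlsafe(24)
        self._cards[token] = pan
        return token

    def masked(self, token: str) -> str:
        """Return only the last four digits, which is all a UI should show."""
        pan = self._cards.get(token)
        if pan is None:
            raise VaultError("unknown token")
        return "*" * (len(pan) - 4) + pan[-4:]

    def charge(self, token: str, amount_cents: int) -> dict:
        """Resolve the token inside the vault and return a receipt without the PAN."""
        if token not in self._cards:
            raise VaultError("unknown token")
        return {
            "token": token,
            "amount_cents": amount_cents,
            "card": self.masked(token),
            "approved": True,
        }


class SubscriptionApp:
    """Constructed stand-in for the ISV's software: stores and submits tokens only."""

    def __init__(self, vault: CustomerVault):
        self.vault = vault
        self.customers = {}  # customer_id -> token (no card data here)

    def enroll(self, customer_id: str, pan: str) -> str:
        token = self.vault.tokenize(pan)
        self.customers[customer_id] = token
        return token

    def bill(self, customer_id: str, amount_cents: int) -> dict:
        # Recurring billing re-uses the stored token; the app never sees the PAN.
        return self.vault.charge(self.customers[customer_id], amount_cents)


if __name__ == "__main__":
    vault = CustomerVault()
    app = SubscriptionApp(vault)
    tok = app.enroll("customer-1", "4111 1111 1111 1111")  # constructed test PAN
    print(app.bill("customer-1", 1999))
    print(app.bill("customer-1", 1999))  # second month, same token
```

The design point is the boundary: anything that can read `SubscriptionApp.customers` learns only tokens, and a token is only meaningful to the vault that issued it. A leaked token does not let anyone charge the card elsewhere, which is the property the paragraph above is describing.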


Final Thoughts

Partnering with the right payment processing provider will ensure your software environment is secure. That means you can have confidence that sensitive payment information is safe, which—in turn—safeguards your hard-earned reputation.

Here at BASYS, we take the security of our partners and their merchants seriously. Our payment gateway is PA-DSS certified, and we provide numerous other security features. If you’re looking to make payment acceptance convenient, safe, and affordable for your customers, contact us today!

BASYS Processing as a business partner 

If your processor doesn’t offer seamless integration, an industry-leading revenue share, and personal service for your users, please call BASYS Processing at (800) 386-0711. Let’s talk about creating a business partnership that will help you meet and exceed your goals. 

BASYS Processing features: 

• User-friendly API allowing for seamless integration into your software.
• Competitive revenue share, and easy-to-read revenue share reports tracking growth.
• Personalized customer solutions including automated recurring billing, secure customer vault, and more!
• A friendly, live voice will answer the phone when you or your customers call; no automated phone systems.
• In-house PCI Compliance team to walk your customers through the process step-by-step, improving security and reducing costs.
• Access to our marketing department, plus a full suite of marketing materials, blogs and videos.


About BASYS Processing 

BASYS Processing provides credit card and debit card processing services, plus solutions that include terminals, virtual terminals, e-commerce, mobile, and point-of-sale, customized to fit any need. Banks, associations, and software partners depend on us to strengthen their reputations and relationships with their customers by providing remarkable service paired with ultimate flexibility and pricing. Merchants depend on us to make accepting credit cards and debit cards convenient, safe and affordable. BASYS was founded in 2002 on one philosophy: to take care of our merchants, partners, and employees so they never want to leave. We are dedicated to working one-on-one with our customers to design the perfect solution. BASYS is Personal Payment Processing.

Learn more at basyspro.com, and connect with us online at: