PCI Compliance: Are Your Customers PCI-Compliant?

If there's one phrase VARs, POS (point of sale) software developers, and payment merchants are going to hear a lot about this year, it's ‘PCI compliance.' This phrase generates a range of responses and an even greater amount of confusion in the channel. Because of the importance of this topic, I spoke with four industry experts who helped cut through PCI-compliance confusion and separate fact from hype.

"The PCI DSS is the result of the credit card data breaches that have occurred over the past several years," says Marc Katz, CEO of Mercury Payment Systems. "The big issue today is getting merchants [e.g. retailers] to invest money in hardening their networks and payment processing applications. VARs are having a hard time convincing merchants to pay for upgrades that include better security. We've seen success, however, when VARs take the time to talk about how the new software reduces the risk of a card breach by reducing the storage of card data."

Now that you have a brief overview of PCI DSS, you need to understand the Visa U.S.A. Payment Application Best Practices (PABP), which are derived from the PCI DSS but apply specifically to software vendors that develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement. "By October 2008, Visa has said that if a VAR/software developer does not meet PABP requirements, a merchant acquirer [i.e. payment processor] will not be allowed to process its payment transactions for any new customers," says Jamie Nonni, CEO of Nationwide Payment Solutions, LLC. "Many VARs have the false sense that they are not required to meet PABP requirements because they do not store cardholder data; however, this is false. PABP compliance is required even if the VAR only transmits payment data to the processor for approval."