Vendors must consider PCI compliance standards both for themselves and for the hosting providers of their software
PA-DSS
If your software touches cardholder data, it falls under PA-DSS requirements. The way to avoid these requirements is to use InstaMed’s Recommended PCI Compliant Options, which never touch cardholder data.
Options
- Use InstaMed Recommended PCI Compliant Options
Follow the guidelines of the InstaMed whitepaper and use the Recommended PCI Compliant Options. This reduces initial costs and eliminates annual reassessment costs as long as no changes with a PA-DSS impact are made.
- Maintain Your Own PCI Validation
You are fully responsible for all PA-DSS requirements, including initial development and assessment costs and ongoing annual assessments.
Maintaining Your Own PCI Compliance
Impact of PA-DSS from distributing software that touches unencrypted card numbers:
- Every year, you have to pay a third-party QSA (Qualified Security Assessor) to review your software and confirm it is secure: 20-50k/year
- Every time you make a change to your software that affects payment, you need the third party to review it: 5k-20k/year
- Make sure your application addresses the OWASP Top 10 and follows secure coding best practices
PA-DSS Requirements
- Do not retain full track data, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data
- Protect stored cardholder data
- Provide secure authentication features
- Log payment application activity
- Develop secure payment applications
- Protect wireless transmissions
- Test payment applications to address vulnerabilities and maintain payment application updates
- Facilitate secure network implementation
- Cardholder data must never be stored on a server connected to the Internet
- Facilitate secure remote access to payment application
- Encrypt sensitive traffic over public networks
- Encrypt all non-console administrative access
- Maintain a PA-DSS Implementation Guide for customers, resellers and integrators
- Assign PA-DSS responsibilities for personnel, and maintain training programs for personnel, customers, resellers and integrators
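The first, second and fourth requirements above (never retain sensitive authentication data, protect stored cardholder data, log application activity) tend to collide in practice: a payment application that logs what it does can quietly become a store of full card numbers. The following is an added example, not InstaMed's or the PCI SSC's own code, of a storage scrubber and a log formatter that keep those three requirements compatible. The transaction field names, the first-6/last-4 masking convention and the use of a Luhn check to tell card numbers apart from other long digit runs are all assumptions of this example; the card number used is a constructed test value.

```python
import logging
import re

# Sensitive authentication data (SAD): PA-DSS forbids retaining it after
# authorization, even encrypted. Field names are assumed for this example.
SAD_FIELDS = {"track1", "track2", "cvv", "cvv2", "cvc2", "cid", "cav2", "pin_block"}

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out most non-card digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN with only the first 6 and last 4 digits visible (assumed masking convention)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_for_storage(txn: dict) -> dict:
    """Return a copy of a transaction record that is safe to persist.

    SAD fields are dropped entirely; the full PAN is replaced by its masked form.
    If the full PAN is needed at all it belongs in a separate tokenization service
    or encrypted store, not in this record (design assumption of the example).
    """
    safe = {}
    for key, value in txn.items():
        k = key.lower()
        if k in SAD_FIELDS:
            continue
        if k == "pan":
            safe["pan_masked"] = mask_pan(value)
            continue
        safe[key] = value
    return safe


def redact_pans_in_text(text: str) -> str:
    """Mask any Luhn-valid card number that appears in free text (log lines, error messages)."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


class PanRedactingFormatter(logging.Formatter):
    """Formatter that redacts PANs so activity logs can be kept without becoming a cardholder-data store."""
    def format(self, record: logging.LogRecord) -> str:
        return redact_pans_in_text(super().format(record))


if __name__ == "__main__":
    # Constructed sample transaction; 4111... is a well-known test number, not real card data.
    txn = {"pan": "4111 1111 1111 1111", "cvv2": "123",
           "track2": "4111111111111111=29121010000000000000", "amount": "10.00"}
    print(scrub_for_storage(txn))

    handler = logging.StreamHandler()
    handler.setFormatter(PanRedactingFormatter("%(levelname)s %(message)s"))
    log = logging.getLogger("payments")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # The card number is masked; the 16-digit order id fails Luhn and is left alone.
    log.info("auth approved for 4111 1111 1111 1111, order 1234567890123456")
```

The Luhn filter is what makes the log formatter usable: without it, every 16-digit order or trace id would be masked too, and operators would start bypassing the formatter. It is not a guarantee (roughly one in ten random digit runs passes Luhn), so it complements, rather than replaces, keeping card numbers out of log messages in the first place.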