Software Development Impact of PCI Compliance

Vendors must consider PCI compliance standards both for themselves and for the hosting providers of their software


PA-DSS

If your software touches cardholder data, it falls under PA-DSS requirements. The way to avoid these requirements is to use InstaMed's recommended PCI-compliant options, which keep your software from touching cardholder data at all.

Options

  • Maintain Your Own PCI Validation
    You are fully responsible for all PA-DSS requirements, including initial development and assessment costs and ongoing annual assessments.

Maintaining Your Own PCI Compliance

Impact of PA-DSS on distributing software that touches unencrypted card numbers:

  • Every year, you have to pay a third-party Qualified Security Assessor (QSA) to review your software and confirm it is secure: 20-50k/year
  • Every time you change your software in a way that affects payment, you need the third party to review the change: 5k-20k/year
  • Make sure your application addresses the OWASP Top 10 and follows secure coding best practices

PA-DSS Requirements

  1. Do not retain full track data, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data
  2. Protect stored cardholder data
  3. Provide secure authentication features
  4. Log payment application activity
  5. Develop secure payment applications
  6. Protect wireless transmissions
  7. Test payment applications to address vulnerabilities and maintain payment application updates
  8. Facilitate secure network implementation
  9. Cardholder data must never be stored on a server connected to the Internet
  10. Facilitate secure remote access to payment application
  11. Encrypt sensitive traffic over public networks
  12. Encrypt all non-console administrative access
  13. Maintain a PA-DSS Implementation Guide for customers, resellers and integrators
  14. Assign PA-DSS responsibilities for personnel, and maintain training programs for personnel, customers, resellers and integrators
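
Requirements 1, 2 and 4 above interact in practice: the application must log payment activity, but the log (and any other persisted record) must contain no track data, verification codes or PIN blocks, and no full card number. The following is an added illustration, not code from InstaMed or from the PA-DSS standard; it assumes a payment event arrives as a dict with hypothetical field names such as `pan`, `cvv2` and `track2`, drops the sensitive-authentication fields outright, and truncates any Luhn-valid card number found in free text to first six / last four before the record is written.

```python
import re

# Luhn check, so that random digit runs (timestamps, IDs) are not mistaken for PANs.
def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic-stripe Track 1 (%B...^...?) and Track 2 (;...=...?) per the ISO 7813 layout.
TRACK_RE = re.compile(r"%B\d{13,19}\^[^?]*\?|;\d{13,19}=[^?]*\?")
# Hypothetical field names for sensitive authentication data that must never be retained.
SAD_KEYS = {"cvv", "cvv2", "cvc2", "cid", "cav2", "pin_block", "track1", "track2"}

def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; mask the rest (a common truncation format)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_text(text: str) -> str:
    """Remove track data entirely, then truncate any Luhn-valid PAN in free text."""
    text = TRACK_RE.sub("[TRACK DATA REMOVED]", text)

    def repl(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        return mask_pan(digits) if luhn_ok(digits) else raw

    return PAN_RE.sub(repl, text)

def scrub_event(event: dict) -> dict:
    """Prepare a payment event for logging: drop SAD fields, scrub string values."""
    out = {}
    for key, value in event.items():
        if key.lower() in SAD_KEYS:
            continue                      # not masked, simply never persisted
        out[key] = scrub_text(value) if isinstance(value, str) else value
    return out

if __name__ == "__main__":
    # Constructed sample using the standard 4111... test card number, not real data.
    print(scrub_text("approved pan=4111 1111 1111 1111 amt=12.50"))
    print(scrub_event({"pan": "4111111111111111", "cvv2": "123", "amount": 1250}))
```

The scrub must run before the record reaches any log sink or database, and the field list needs to match the names your own application actually uses.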

Read full PA-DSS requirements