As a payment application vendor, your product offerings and development procedures impact the compliance and real-world security of your entire customer base. Like it or not, your customers' compliance and security could affect your bottom line.
In order to help manage this risk, the Payment Card Industry Security Standards Council (PCI SSC) developed the Payment Application Data Security Standard (PA-DSS).
Any payment application developer who sells a non-customized application to multiple customers needs to have that application validated against the PA-DSS. Traditional PCI Data Security Standard (PCI DSS) compliance may not apply directly to payment application vendors since most vendors do not directly store, process or transmit cardholder data.
Since these payment applications are used by customers to store, process and transmit cardholder data, and customers are required to be compliant with the PCI DSS, payment applications should facilitate, and not prevent, customers' PCI DSS compliance.
Common ways payment applications prevent compliance include:
Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of full magnetic stripe data, card verification codes and values (CAV2, CID, CVC2, CVV2), PINs and PIN blocks along with the damaging fraud resulting from these breaches.
“Thank you to everyone involved. We appreciate the personal attention and the dedication to the process. We know we are in a much better and more secure place having gone through this with your team.” – MJ Laliberte, General Manager, Twin Oaks Software
Partnering with Sikich, a leading Payment Application Qualified Security Assessment (PA-QSA) firm in the ever-changing PA-DSS market, allows you to leverage an experienced team with a vast knowledge base that will help you implement the practices of the PA-DSS in your real-world environment and become compliant with the standard.
Whether you have two customers or two million, a single developer or an international team, Sikich has the tools and experience to help you secure and validate your application so you and your customers can sell more and worry less.
Our assessment team evaluates your design and development practices in the creation and maintenance of your application. Our PA-DSS assessment process begins with a discovery process that provides a detailed gap analysis report as a benchmark of the PA-DSS requirements. As you work toward remediation of these gaps, our team guides your efforts along the way.
After you have remedied all gaps, Sikich performs an audit to validate that all requirements are in place. Provided your policies and procedures, development practices and application meet all of the requirements, we will author and submit a detailed Report on Validation (ROV) along with a summarized Attestation of Validation (AOV) to the PCI Security Standards Council (PCI SSC) on your behalf.
Twin Oaks is a leader in the health club industry, providing clubs with state-of-the-art software that allows them to manage all facets of their business, from memberships to billing and collections. Since their software processes credit card payments, Twin Oaks came to Sikich for assistance with having their application validated against the Payment Application Data Security Standard (PA-DSS).
Twin Oaks had never been through the PA-DSS assessment before and needed the expert guidance that Sikich could provide. Sikich worked efficiently to educate Twin Oaks on the standard, benchmark their application against it and consult with them throughout the auditing process in order to bring their application into compliance.
Sikich eased the PA-DSS burden that Twin Oaks faced. In addition to auditing the Twin Oaks application against the PA-DSS, Sikich provided ongoing consulting and assistance with the changes the application needed for compliance. This sped up the time to compliance and saved Twin Oaks internal costs, because staff had a defined direction and a defined set of changes to make.