PCI DSS and PA DSS - busting the myths
22 Jan 2019
At Eckoh we speak to hundreds of customers and suppliers in the secure payment industry. As a result, we come across a number of misconceptions about compliance with the PA and PCI Data Security Standards (DSS).
First let's spell out what these standards both mean...
If you are a merchant or service provider that accepts or processes payment cards, then PCI DSS applies to you. This is the PCI Council's standard for all organizations that store, process, and/or transmit cardholder data. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.
If you are a software vendor, or anyone else who develops payment applications that store, process or transmit cardholder data, then PA DSS applies to you. Only software applications or products can be listed under PA DSS; the list does not include services.
Here are the top five erroneous statements that Eckoh hears from organizations about PA DSS and PCI DSS, each with a clarification...
1. I've got my certificate so I'm compliant and our customer data is secure: PCI DSS validation is not a guarantee of data security. A Report on Compliance or Self-Assessment Questionnaire, and the Attestation of Compliance that accompanies it, records the state of your controls at one moment in time. Compliance one day does not necessarily equate with compliance a day, a week or a year later. Maintaining compliance 24/7/365 is the real challenge, and achieving this distinguishes the reputable payment service providers from the rest. The good news is that organizations that maintain continuous compliance rarely suffer a data breach.
2. I've got PA DSS certification so I don't need PCI DSS too: PA DSS is not the same as PCI DSS. There are some shared requirements, but each standard has its own criteria for compliance. PA DSS (Payment Application DSS, as defined by the PCI Council) covers only the application itself and does not take into account the entire Cardholder Data Environment (CDE). Your customers' data may be exposed in other parts of the transaction process, so you still need PCI DSS compliance to address this. Only a product can be PA DSS compliant, and only an organization can be PCI DSS compliant.
3. The PA DSS 'Approved Suppliers List' doesn't show Eckoh: There is no 'approved suppliers list'. There is a list of 'validated payment applications', where you can check that the application you're buying has been validated. However, Eckoh doesn't provide payment applications: our payment solution is hosted in our secure environment and provided as a service. So Eckoh doesn't need PA DSS validation.
4. Eckoh should have a PA DSS certificate: PA DSS does not apply to Eckoh, because we are a service provider, not a payment application vendor. Our secure payment solutions are always tailored to the client's needs, so they cannot be validated as a static "plug and play" application under PA DSS. Instead, Eckoh complies with the stringent requirements of PCI DSS as a service provider, and removes card data from the client environment to reduce risk.
5. We only take payments for our clients, not for ourselves, so we don't need PCI DSS compliance: This is not true. While the client is ultimately responsible for its own compliance, it cannot be compliant unless its third-party suppliers that store, process or transmit cardholder data on its behalf are also compliant. Increasingly we see clients demanding PCI DSS compliance from their outsourced contact centers, BPOs and other suppliers. Failure to become compliant carries a serious risk of reputational damage as well as contractual consequences.
By far the most sensible strategy for securing cardholder data is to remove the data from your environment completely.
If there is no cardholder data within your systems and environment, then rogue agents and hackers have nothing to steal from you, which removes a major risk to your organization and your customers.
With the right third-party partner, such as Eckoh, it's possible for all sensitive card data to bypass your systems and people completely.
Here's what happens with an Eckoh solution. Every time a customer makes a card payment over the phone, on the web, through live chat or using a mobile app, your systems register the transaction. However, the cardholder data bypasses your environment: nothing enters your screens, call recordings or systems. Instead, the actual payment acceptance and processing happens on a hosted, secure platform provided by Eckoh. All sensitive data is handled securely and deleted as soon as possible, minimizing the risk of data loss. Eckoh solutions mean peace of mind for our clients.