The latest thinking from Eckoh

PCI DSS and PA DSS – busting the myths
Tuesday, 22 January 2019

At Eckoh we speak to hundreds of customers and suppliers in the secure payment industry. As a result, we come across a number of misconceptions surrounding compliance with the PA and PCI Data Security Standards (DSS).


First, let’s spell out what each of these standards means…

PCI Data Security Standard (PCI DSS)

If you are a merchant or service provider that accepts or processes payment cards, then PCI DSS applies to you. This is the PCI Council’s standard for all organizations that store, process, and/or transmit cardholder data. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.

Payment Application Data Security Standard (PA DSS)

If you are a software vendor or someone who develops payment applications that store, process or transmit cardholder data, then PA DSS applies to you. Only software applications or products are included in the PA DSS list; it does not include services.

Here are the top 5 erroneous statements that Eckoh hears from organisations around PA DSS and PCI DSS, each with a clarification…

1. I’ve got my certificate so I’m compliant and our customer data is secure: PCI DSS certification is not a guarantee of data security. It’s a baseline standard based on one moment in time. Compliance one day does not necessarily equate with compliance a day, a week or a year later. Maintaining compliance 24/7/365 is the real challenge, and achieving this distinguishes the reputable payment service providers from the rest. The good news is that almost nobody who maintains compliance has suffered a data breach.

2. I’ve got PA DSS certification so I don’t need PCI DSS too. PA DSS is not the same as PCI DSS. There are some shared requirements but both standards have their own criteria for compliance. PA (Payment Application as defined by the PCI Council) covers only the actual application that you use and does not take into account the entire Cardholder Data Environment (CDE). Your customers’ data may be exposed in other parts of the transaction process, so you do need to consider PCI DSS compliance to address this. Only a product can be PA DSS compliant, and only an organization can be PCI DSS compliant.

3. The PA DSS ‘Approved Suppliers List’ doesn’t show Eckoh: There is no ‘approved suppliers list’. There is a list of ‘validated payment applications’ where you can check that the application you’re buying is approved. However, the de-scoping achieved by Eckoh’s CallGuard approach is provided as a service through our secure environment. Services are different to the ‘off-the-shelf’ products which require PA DSS compliance. Eckoh hosted services are covered separately by our annual QSA-audited PCI DSS Report on Compliance (ROC).

4. Eckoh should have a PA DSS certificate: PA DSS does not apply to Eckoh, because we are a service provider, not a payment application vendor. Our secure payment solutions are always tailored to the client’s needs, so they cannot be certified as a static “plug and play” application for PA DSS. Instead, Eckoh complies with the stringent requirements of PCI DSS, and removes card data from the client environment to reduce risk.

5. We only take payments for our clients, not for ourselves, so we don’t need PCI DSS compliance: This is not actually true. While the client may be ultimately responsible for their own compliance, they cannot be compliant unless their third-party suppliers are also compliant. Increasingly we see clients demanding PCI DSS compliance from their outsourced contact centres, BPOs and other suppliers. Failure to become compliant can mean a huge risk of reputational damage, as well as any contractual consequences.

Now we’ve cleared that up, what’s the easiest way to achieve PCI DSS compliance?

By far and away the most sensible strategy for securing cardholder data is to remove the data from your environment completely.

If there is no data to steal within your systems and environment, then rogue agents and hackers will not pose any sort of risk to your organization or your customers.

With the right third-party partner such as Eckoh it’s possible for all sensitive data to bypass your systems and people completely.

How Eckoh technology works: Tackling the issue at source

Here’s what happens with an Eckoh solution. Every time a customer makes a card payment over the phone, on the web, via live chat or using a mobile app, your systems register the transaction. However, the cardholder data bypasses your environment. Nothing enters your screens, recordings or systems. Instead, the actual payment acceptance and processing happens through a hosted, secure platform provided by Eckoh. All sensitive data is handled securely and deleted as soon as possible, minimising the risk of any data loss. Eckoh solutions mean peace of mind for our clients.

For deeper insight, download the PCI DSS Definitive Guide. Alternatively, give us a call on 08000 630 730 or drop us an email.

About the Author

Cam Ross

Director of Payments Strategy

Over his 20 years’ service with Eckoh, Cameron has led the Intellectual Property portfolio and the R&D team in determining which new payment products we launch to market. He also works closely with clients and prospects to determine their compliance needs and fraud exposure risks, where his ability to explain the complex so that our clients really understand what will be delivered has proved invaluable over the years. Cameron helped create Eckoh’s patented CallGuard.
