PCI DSS and PA DSS – busting the myths
Tuesday, 22 January 2019

At Eckoh we speak to hundreds of customers and suppliers in the secure payment industry. As a result, we come across a number of misconceptions about compliance with the PA DSS and PCI DSS (Data Security Standards).


First let’s spell out what these standards both mean…

PCI Data Security Standard (PCI DSS)

If you are a merchant or service provider that accepts or processes payment cards, then PCI DSS applies to you. It is the PCI Security Standards Council's standard for all organisations that store, process and/or transmit cardholder data. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data, and it is assessed against an organisation and its cardholder data environment, not against a product.

Payment Application Data Security Standard (PA DSS)

If you are a software vendor that develops payment applications which store, process or transmit cardholder data and are sold, distributed or licensed to third parties, then PA DSS applies to you. Only software applications and products appear on the PA DSS list; it does not include services. An application developed in-house for a single organisation's own use is not eligible for PA DSS validation either; it is simply assessed as part of that organisation's PCI DSS scope.

Here are the top five erroneous statements that Eckoh hears from organisations about PA DSS and PCI DSS, each with a clarification…

1. I've got my certificate so I'm compliant and our customer data is secure: PCI DSS validation (a Report on Compliance or Attestation of Compliance) is not a guarantee of data security. It is a baseline standard, and it reflects the state of your environment at one moment in time. Compliance one day does not necessarily equate to compliance a day, a week or a year later. Maintaining compliance 24/7/365 is the real challenge, and achieving it distinguishes the reputable payment service providers from the rest. The good news is that organisations which genuinely maintain compliance, rather than just passing an annual assessment, very rarely suffer a cardholder data breach.

2. I've got PA DSS certification so I don't need PCI DSS too: PA DSS is not the same as PCI DSS. There are some shared requirements, but each standard has its own criteria for compliance. PA DSS (Payment Application Data Security Standard, as defined by the PCI Council) covers only the application itself and does not take into account the entire Cardholder Data Environment (CDE) in which it is deployed: the networks, servers, people and processes around it. Your customers' data may be exposed in other parts of the transaction process, so you still need to consider PCI DSS compliance to address this. Only a product can be PA DSS validated, and only an organisation can be PCI DSS compliant.

3. The PA DSS 'Approved Suppliers List' doesn't show Eckoh: There is no 'approved suppliers list'. There is a list of 'validated payment applications', where you can check that the application you are buying has been validated. However, the de-scoping achieved by Eckoh's CallGuard approach is provided as a service through our secure environment. Services are different from the 'off-the-shelf' products that require PA DSS validation. Eckoh hosted services are covered separately by our annual QSA-audited PCI DSS Report on Compliance (ROC).

4. Eckoh should have a PA DSS certificate: PA DSS does not apply to Eckoh, because we are a service provider, not a payment application vendor. Our secure payment solutions are always tailored to the client's needs, so they cannot be validated as a static "plug and play" application under PA DSS. Instead, Eckoh complies with the stringent requirements of PCI DSS as a service provider, and removes card data from the client environment to reduce risk.

5. We only take payments for our clients, not for ourselves, so we don't need PCI DSS compliance: This is not true. While the client is ultimately responsible for their own compliance, they cannot be compliant unless their third-party suppliers are also compliant. PCI DSS requires organisations to maintain a list of the service providers that handle cardholder data on their behalf and to monitor those providers' compliance status. Increasingly we see clients demanding PCI DSS compliance from their outsourced contact centres, BPOs and other suppliers. Failure to become compliant carries a substantial risk of reputational damage as well as contractual consequences.

Now that we've cleared that up, what is the easiest way to achieve PCI DSS compliance?

By far and away the most sensible strategy for securing cardholder data is to remove the data from your environment completely.

If there is no cardholder data within your systems and environment, then there is nothing for rogue agents or external attackers to steal, and the risk to your organisation and your customers is reduced to the parts of the process that remain in your hands. De-scoping shrinks your compliance burden; it does not remove the need to validate the reduced scope or to manage the third party you now depend on.

With the right third-party partner such as Eckoh, it is possible for all sensitive card data to bypass your systems and people completely, leaving you responsible only for a much smaller set of PCI DSS controls.

How Eckoh technology works: Tackling the issue at source

Here is what happens with an Eckoh solution. Every time a customer makes a card payment over the phone, on the web, via live chat or using a mobile app, your systems register the transaction. However, the cardholder data bypasses your environment: nothing enters your agents' screens, your call recordings or your systems. Instead, the actual payment acceptance and processing happens on a hosted, secure platform provided by Eckoh. All sensitive data is handled securely within that platform and deleted as soon as it is no longer needed, minimising the risk of any data loss. Eckoh solutions mean peace of mind for our clients.

For deeper insight, download the PCI DSS Definitive Guide. Alternatively, give us a call on 08000 630 730 or drop us an email.

About the Author

Cam Ross

Director of Payments Strategy

Over his 20 years with Eckoh, Cameron has led the intellectual property portfolio and R&D team, deciding which new payment products we launch to the market. He also works closely with clients and prospects to determine their compliance needs and fraud exposure, where his ability to explain the complex so that our clients really understand what will be delivered has proved invaluable over the years. Cameron helped create Eckoh's patented CallGuard.
