PCI (PAYMENT CARD INDUSTRY) COMPLIANCE
After gaining official PCI accreditation in February 2010, Digital Rez CEO and founder Ken Lahoda commented:
“We understand the effort it takes to achieve and maintain PCI standards. We began the process with one of our largest clients in the UK three years ago and understood it would become a matter of course for all software vendors shortly thereafter. These ever-changing standards will present particular technology hurdles for the smaller software vendors to overcome, and for businesses in general to understand the possible ramifications of not having accredited PCI-compliant software. Quite simply, the risks are too great.”
Some software vendors have simply stated that the costs are too great to pursue certification for their software products. This leaves their clients exposed to potential risks going forward, including the possibility of being denied credit card processing services.
The Payment Card Industry Data Security Standard (PCI DSS) Program is a mandated set of security standards that were created by the major credit card companies to offer merchants and service providers a complete, unified approach to safeguarding credit cardholder information for all credit card brands.
With the introduction of PCI III, DigitalRez decided to make sure that RezExpert became "out-of-scope" for PCI compliance. This means that nowhere in our systems do we store or process credit card information. We have integrated with third-party gateways and processors to ensure that the transactions are PCI compliant.
PCI Compliant Software
The PCI Data Security Standard (PA-DSS) requirements apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data. This includes the software systems from development companies such as DigitalRez.
The list of requirements changes regularly. DigitalRez systems are constantly updated to comply with the latest PCI standards.
What does all this mean to you?
If you are a company buying compliant, certified software, you have only part of the puzzle. The software is only part of your PCI declaration; the rest of your declaration concerns how you use the software.
You must follow the standards and procedures for securing access to the system and adhere to other PCI procedures as laid out by the PCI council.
What could happen?
More of the mainstream banking institutions are requiring businesses to declare their PCI compliance, which includes verifying that their in-house software has been independently verified as compliant. Any processor can turn off credit card processing for a merchant using software that claims to be compliant but is not listed on the PCI Council's website. Banks and processors are required to ensure their merchants are PCI compliant; if they are not, they have the power to suspend the merchant's account.