Guest Column | June 11, 2009

ISVs: Are You Preventing Your Customers From Being PCI DSS Compliant?


Written by: Sean Kramer, CEO, Element Payment Services

Mid-April marked the one year anniversary since the Payment Application Data Security Standard, commonly known as the PA-DSS, was launched. Since that standard has now been in effect for over a year, we thought it would be a good time to pose the question: ISVs: Are you preventing your customers from being PCI compliant?

The goal of PA-DSS is to facilitate the development of secure payment applications by software vendors. Each vendor of a software application that stores, processes, or transmits payment cardholder data must follow the 14 PA-DSS requirements and successfully pass a PA-DSS review by an independent auditor (known as a PA-QSA).

In October 2008, StorefrontBacktalk founder Evan Schuman wrote an excellent article on how PA-DSS is remarkably misunderstood, both by merchants and software vendors. Schuman wrote:
Most merchants and application vendors seriously underestimate both the scope and the force of the Payment Applications Data Security Standard (PA DSS). If so, it’s only because they haven’t read the standard or don’t immediately grasp what’s involved.

Eight months later, we are hearing that this is still the case. As of June 5, 2009 only 184 vendors representing 338 payment applications are PA-DSS validated. While this is progress, there are many vendors yet to become validated.

When we speak to non-validated software vendors, the reason most often cited for their non-compliance is that they don’t realize that PA-DSS applies to them. There is still a lot of education to be done regarding the scope of PA-DSS which states:
The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization and settlement, where these payment applications are sold, distributed or licensed to third parties.
Simplified, if in a software application cardholder data is directly entered (this could be as simple as a text box input), then the application is a payment application and therefore, in scope.

Many software providers also don’t realize the relationship between PA-DSS and PCI DSS.

All software providers must meet PA-DSS requirements for their customers to comply with the mandated Payment Card Industry Data Security Standard (PCI DSS). As of October 1, 2008, acquiring financial institutions cannot approve merchants for processing that are using non-compliant software. Software providers with applications that don’t meet PA-DSS (PABP) compliance requirements are beginning to lose customers as a result.

About Element Payment Services, Inc. (
Headquartered in Phoenix, Arizona, Element Payment Services Inc. provides fully integrated PCI DSS compliant payment processing solutions to merchants through partnerships with leading business management software providers. Focused primarily on helping ISVs navigate through the requirements of PA-DSS compliance, our expert solutions greatly simplify PA-DSS validation, or remove the cost and burden entirely. Through our Compliance Relief Program, Element will cover part, if not all, of the PA-DSS assessment for qualified ISVs. Alternatively, for those who prefer to eliminate the need for compliance, Element's Hosted Payments solution removes ISVs from the scope of PA-DSS, while still enabling a fully integrated payment solution.

For more information about Element, visit