“We’ve stopped trying to certify for PA-DSS 3.0,” lamented one software company executive. “It’s a frustrating process, and last time it cost us six figures plus a ton of resource time just to chase what seems to be a moving target.”
It’s a refrain we’ve heard time and again from many other software providers. The problem is, if your application stores, processes, or transmits cardholder data, it falls under PA-DSS and you need the certification – which means lots of expense and pain. Unless, of course, you can keep yourself out of scope.
There are two ways to get out of scope – the easy way and the hard way.
Let’s start with easy. You’re in the software business, not the payment business, so the easiest and quickest path out of scope for PA-DSS certification is to get help from a payment expert. (Sounds a little self-serving, I know. But it is absolutely true.)
Yes, Wind River is one of those experts, and yes, we are well-versed in the ins and outs of compliance and certification. And yes, we navigate software companies out of scope quite often. But getting you out is not a templated solution. There is a definite process that needs to be followed.
Below are the three high-level steps that need to take place to get you and your customers out of scope for PA-DSS certification:
Is your environment mostly ecommerce? Call center? Brick-and-mortar POS? How is payment volume across your customer base split among those channels? The answers to these questions identify the most important priorities and bring focus to the scope of the solution.
For example, we were recently working with a software company whose environment was 80% ecommerce and call center. Focusing on those two channels first allowed this company to make the majority of its customers more secure and out of scope right away.
There are different strategies for getting you out of scope, depending on the method and channel through which the payment is received. Others may advise you that the answer is to encrypt everything. That may not be a practical solution for everyone; there are various paths to get out of scope for PA-DSS certification, and it is not a one-size-fits-all solution.
This is where working with an expert really pays off. PA-DSS rules change, and to quote the software executive I referenced above, “it is a moving target.”
We’ve found that customers of software companies are often operating in a non-compliant environment and are being charged non-compliance fees as a result. First, it’s important that their payment environment is secure, and getting them out of scope facilitates that by keeping cardholder data out of their systems. Second, a monthly non-compliance fee is frustrating for customers and reflects poorly on your payment solution, so you’ll want to get them out from under that burden as soon as possible.
An important consideration is how the change in environment fits your strategy and business model. One customer we worked with is aligning the new out-of-scope payment solution with its maintenance philosophy. Customers pay to be on maintenance, and if they do, they get the “current release,” which includes the more secure, out-of-scope payment solution. If they do not move to the current release, they not only miss out on the benefits but are subject to time-and-materials rates. This has been a successful approach to getting customers to make the transition.
The hard way to get out of scope for PA-DSS certification is to try to do those three steps yourself.
As noted earlier, you’re not a payment expert. You’re a software expert. As such, charting your course out of scope will be a long, frustrating process for you.
Plus, if your payment environment supports multiple processors, getting out of scope gets even more complicated. There are different nuances and requirements across payment processors, and each integration has to be handled so that cardholder data stays out of your application. Do you really want to navigate that complexity without an expert guiding you?
Back to my original example, you can continue to spend hundreds of thousands on PA-DSS certification and invest tons of resources chasing that moving target if you’d like. I suspect your preferred approach will be to turn off that money and time spigot and get out of scope.
Imagine what it would mean to say to a prospective customer, “Our solution will deliver a more secure payment environment with no need to complete network scans or pay non-compliance fees, and you will only have to complete a very simple SAQ” (PCI Self-Assessment Questionnaire). Those are pretty compelling reasons to sign with you versus a competitor. And, an even more compelling reason to stay with you versus going elsewhere.
Whether Wind River is helping you or some other payment expert, the only way to get relief from the P-A-I-N of PA-DSS is for you and your customers to get out of scope. The sooner the better!
It’s a game changer for software companies. If you have questions or if I can help you in any way, please drop me a note.