By Lisa Guerriero
Independent software vendors (ISVs) pride themselves on a sophisticated understanding of technology and its impact on modern business. Yet even for ISVs, attaining payment card industry (PCI) compliance presents challenges.
The payment card industry established the PCI Data Security Standard (PCI DSS) less than a decade ago, and has updated it multiple times since. It is now on the third generation of the DSS, which is nearly 30 percent larger than version 2.0, according to Gartner. The PCI retired version 3.0 on June 30, in favor of an amended version, 3.1.
There are 12 points in the DSS that address aspects of accepting, processing, transmitting, and storing sensitive cardholder data. All companies must satisfy the 12 points if they accept card payments, but proof of compliance varies. The requirements are more stringent for companies dealing with high volumes of card payments.
ISVs are ahead of many enterprises when it comes to certain areas of the DSS, like protecting against malware. Satisfying other elements—like restricting and monitoring access to cardholder data—requires careful and thorough response to the DSS.
Numerous solutions help ISVs comply with PCI standards. These include end-to-end solutions as well as modular options that address one or two aspects of compliance, such as redirecting card data.
The Benefits of Outsourcing Compliance
PCI standards segment four merchant tiers with different compliance requirements. The four levels are based on how many card transactions the company processes annually, with adjustments for ecommerce transactions.
Software vendors must comply with the DSS if they process, transmit, or store cardholder data. The standard applies to any ecommerce transaction, including applications (apps) that involve the use of payment cards. The DSS also applies any time an ISV accepts a customer’s card payment for its products or services.
While larger ISVs may have an in-house PCI compliance employee on staff, many lack the specialized knowledge and processes needed to ensure compliance.
“The first major challenge of PCI compliance is that most app developers don’t have access to true security experts to help them understand how to analyze their card data environment and apply the proper controls to achieve compliance,” explains Steve Robb, SVP of products and marketing, ControlScan.
As a regulated area—and one that’s more heavily monitored with time—the payments space can frustrate even savvy companies. Compliance entails complications and costs, which drive many to seek an outside solution.
“ISVs are primarily concerned with keeping up with government regulations, the costs associated with required changes to meet various regulations, payments security, and PCI compliance—including PCI audits—and just generally keeping up with an ever-changing industry,” explains Don Weary, VP of product management, Sage Payment Solutions, a division of Sage North America.
Compliance solutions come in all shapes and sizes. Some focus on one or several requirements, such as access control measures, while others offer a complete solution. Often, the focus is either securing cardholder data or ensuring it never reaches the ISV in the first place. “The primary challenge is to remove cardholder data from their apps,” notes Coy Christensen, VP, product management at Element, a Vantiv company.
Tokenization is a popular method of securing cardholder data in ecommerce transactions, as are point-to-point encryption (P2PE) offerings. A P2PE solution eliminates clear-text cardholder data from the ISV’s environment, minimizing the company’s risk by removing its access to that data.
With some solutions, especially the more comprehensive ones, the vendor assumes responsibility for handling changes to PCI standards. The customer isn’t responsible for staying abreast of changes, or figuring out how to stay compliant—the vendor assumes the burden.
ISVs that don’t sell their apps—but include them as part of a service—don’t need to have the app Payment Application Data Security Standard certified, observes Kurt Hagerman, chief information security officer, FireHost.
“Some take the approach that they don’t need to pay attention to these requirements. However, their development of the app will still be reviewed as part of their assessment as a service provider and they will have to demonstrate that the app does not have any vulnerabilities and was developed in accordance with DSS controls 6.3 through 6.5,” he explains. He advises that ISVs ensure these apps are also reviewed by a qualified PCI solution provider.
These solutions address components like network testing, system and app security, and access controls. As a result, they often have benefits in addition to PCI compliance. They can offer a fresh approach to areas that ISVs may have thought were already covered.
“When developing apps, ISVs need to take into account requirements of regulatory compliance, which may go beyond the boundaries of their own apps. ISVs will have to move away from a ‘black box’ approach of managing users independently from the operating system users and take app users from the pool of system users,” says Arjon Cohen, VP, channel management, Enforcive Systems.
PCI Compliance Solutions
ControlScan offers PCI compliance offerings for companies with varying PCI statuses. For ISVs that warrant a full compliance report under PCI regulations, the company offers assessment and penetration testing services. With the assessment product, ControlScan acts as an advisor performing an in-depth review. It works with the ISV’s staff to ensure they’ve taken all the necessary steps and have all the evidence in order. The process yields a report that serves as the ISV’s proof of compliance. ControlScan’s layer penetration test simulates a real-world attack against the company’s network and information systems, which must be protected under PCI.
The company also offers scanning services, in which a PCI-approved scanner provides automated vulnerability scans. The program is one of multiple managed security services that ControlScan offers to help companies maintain compliance. For ISVs that develop products with ecommerce functionality, the Hosted Payment Service embeds a payment form or page that redirects payment card information. The data is rerouted to ControlScan’s PCI-compliant facility, so that it never enters the ISV’s network infrastructure.
ControlScan also has options for ISVs that are allowed to self-attest to their compliance, usually smaller companies. The PCI 1-2-3 program has a tool for identifying the correct level of self-assessment, and tracking compliance across all relevant DSS requirements. It also features a self-service solution for scheduling and processing PCI-approved vulnerability scans.
Dell leverages numerous tools from its arsenal to provide an end-to-end compliance solution. It utilizes network resources to see who has access to cardholder and other sensitive data. It reveals how and when users access data, as well as how and when they receive access.
The solution reduces instances of inappropriate access in the first place. When incidents do occur, authorized staff can take measures instantly. “Administrators and compliance officers can be notified in real-time when changes and inappropriate access occurs and they can intervene from smartphones and tablets,” says Tom Crane, manager, product management, Dell Software Windows Management.
Dell designed the solution to be flexible and scalable to environments of any size. “The software is deployed on the hardware of choice by the customer to fit their needs,” notes Crane.
Enforcive Systems offers a set of security and system management tools for multiple server platforms and databases, including IBM i, Windows, AIX, Linux, IBM Mainframe, MS SQL Server, Oracle, and DB2. Known collectively as the Enforcive Cross Platform Security suite, these tools ensure a PCI-compliant IT environment.
The company’s tools can be categorized to correspond to many of the DSS segments. Password encryption and authentication measures, for example, address the first DSS standard—building and maintaining a secure network. Functions like session timeout and authority management address the DSS standard for access controls, while multiple audit programs help a company comply with the requirement for regular monitoring and testing.
For cardholder data protection, the Enforcive Systems solution includes a variety of field encryption methods and security tools. In addition, the Policy Compliance Manager aids compliance in multiple ways. It helps companies satisfy several DSS standards and it also addresses the final requirement—maintaining an information security policy.
FireHost offers a secure cloud hosting service that features multiple layers of security, which the company calls Intelligent Security Model (ISM). The ISM entails numerous default services, including IP reputation management, denial of service/distributed denial of service mitigation, Web app firewall, intrusion detection, hardened base OS, hypervisor-based network firewall, OS layer patching, and anti-malware.
Optional services include two-factor authentication, log management, data-at-rest encryption, vulnerability management (including internal and external scanning), and SSL/TLS certificates. FireHost constantly manages and monitors both default and optional services, and offers a PCI DSS responsibility matrix as proof.
The company believes its ISM—and the shared perimeter security services—is unique. Hagerman says every customer receives the same level of coverage under the ISM. An ISV may opt to take advantage of the optional services or not, but aside from that, the protections and mitigations are the same for all.
Sage Payment Solutions designs its Sage Exchange platform to put customers in a “PCI avoidance zone,” distancing ISVs from the demands, risk exposure, and cost of PCI certification requirements. The company offers extensible Integration as a Service solutions for the payments domain. Weary says a truly integrated platform must automate all forms and methods of payments, and incorporate data and processes into the ISV’s core business system.
The Sage Exchange platform includes tokenization and Trustwave services. Sage offers customized apps that address specific business challenges, as well as plug-and-play apps that integrate with key ecommerce, accounting, and technology providers. ISVs determine how closely they interact with their customers, from white-labeling under their own brand to leveraging the Sage brand.
A payment services provider for nearly 25 years, Sage works with customers of all sizes. It tailors technical support services for the needs of the developer community. This includes direct consultations, access to online forums, and partner programs.
Vantiv offers several options for ISVs of all sizes, removing cardholder data from their apps. Its specialty is a P2PE solution that encrypts cardholder data at the point of entry and doesn’t decrypt it until it reaches the processor, so cardholder information remains encrypted for as long as it is in contact with the ISV’s environment. Vantiv has an additional P2PE offering through its Element product lines. The PCI-validated solution reduces the PCI burden even further, which is a significant selling point.
The company aims its tokenization product at ISVs that provide solutions with a monthly billing program as well as ecommerce ISVs that entail keeping a card on file. Tokens replace cardholder data, so the company can handle analytics, recurring billing, and card-on-file processes without seeing or storing the cardholder’s information. Web-based ISVs also have the option of a hosted payments page. A Vantiv page collects cardholder data and the ISV only “calls” the hosted payment page when access is needed. The ISV’s scope is reduced or eliminated, depending upon how the solution is implemented.
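To make the card-on-file tokenization flow above concrete, here is an added illustration (not code from Vantiv, Sage, or any other vendor named in this article): a hypothetical processor-side vault hands the ISV an opaque random token, and the ISV keeps only the token plus truncated digits for analytics, so its own storage never holds a PAN while recurring billing still works by token.

```python
import re
import secrets

# Constructed sample data: a well-known test-style card number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, used only as a plausibility filter."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Hypothetical processor-side vault (an assumption, not any vendor's API).
    The PAN lives only here; callers receive a random token that cannot be
    reversed to the PAN without access to this mapping."""
    def __init__(self) -> None:
        self._vault: dict[str, str] = {}   # token -> PAN, processor side only

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_ok(pan):
            raise ValueError("not a plausible PAN")
        token = "tok_" + secrets.token_hex(16)   # random, not derived from the PAN
        self._vault[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        # Recurring billing runs on the token; the PAN is resolved only in the vault.
        return token in self._vault and amount_cents > 0


class IsvCardOnFile:
    """ISV-side store: token plus non-sensitive fields only, never the full PAN."""
    def __init__(self, vault: ProcessorVault) -> None:
        self.vault = vault
        self.customers: dict[str, dict[str, str]] = {}

    def store_card(self, customer_id: str, pan: str) -> str:
        token = self.vault.tokenize(pan)
        # BIN (first six) and last four are enough for analytics and customer display.
        self.customers[customer_id] = {"token": token, "bin": pan[:6], "last4": pan[-4:]}
        return token

    def bill_monthly(self, customer_id: str, amount_cents: int) -> bool:
        return self.vault.charge(self.customers[customer_id]["token"], amount_cents)


def isv_storage_holds_pan(store: IsvCardOnFile, pan: str) -> bool:
    """Scope check: does any value the ISV persisted contain the full PAN?"""
    return any(pan in v for rec in store.customers.values() for v in rec.values())
```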
triPOS is one of Vantiv’s comprehensive products, providing P2PE, tokenization, and EMV chip functionality. It spares the ISV from having to complete its own EMV certification with a processor. The solution interfaces with the point-of-sale PIN pad and the processor. Vantiv provides a support team for any questions before, during, or after integration.
Compliance Capabilities
Compliance is an important consideration for ISVs tasked with accepting payment through applications.
PCI compliance solutions vary from comprehensive services to toolsets with a narrower focus. The common thread is how they simplify a complicated set of regulations and shift some of the burden off of the ISV.
Depending on its own resources and capabilities, an ISV can choose how much responsibility it wants to assume when it comes to PCI compliance and how insulated it wants to be from these issues.
July 2015, Software Magazine