18 July, 2007 12:05 PM EST
Payment Card Industry Q&A #2
Posted By: Avivah Litan, VP Distinguished Analyst

So, which applications are acceptable for use under the terms of the PCI?

It's clear that there's a real need for the Security Standards Council to come up with hardware and software standards for the applications and platforms that retailers and other card-accepting organizations use to process their payments. The council says it's soon going to issue its own PIN Entry Device (PED) standards, so that users won’t have to worry about the separate brand standards for payment terminals. Even so, we also need a cross-brand standard for payment software used by retailers, and so far, none exists. The only standard we have is Visa's Payment Applications Best Practices (PABP). While we're all waiting for cross-brand standards, don’t let your payment application software providers tell you they’re PCI compliant. They're not. Make it clear that what you're asking about is their actual software, not their internal organizational data protection practices.

COMMENTS
23 July, 2007 04:44 PM EST
There is a lot of work going on in the industry on PCI certifications, and not just on payment processing applications. The PCI Security Vendor Alliance (disclaimer: Configuresoft is a founding member) has over 30 companies working with the PCI SSC and leading independent product testing organizations to bring an acceptable product validation strategy to the market.
