The PCI Conundrum: What’s an ISV to do?
Even though handling payments may not be at the center of your business application, the moment the functionality is added, payment rules and regulations – including PCI compliance – come into play. The result can be a struggle for resources as you balance the need to meet and maintain PCI compliance with business objectives to advance application software.
So, what’s a developer to do?
Established more than 10 years ago by the Payments Card Industry (PCI) Security Standards Council – a global group formed to promote payment card security – PCI Digital Security Standard (PCI DSS) is a set of rules designed to safeguard customer data and ensure secure transactions. All businesses accepting card-based payments are expected to meet them and must confirm their compliance on a yearly basis.
ISVs must comply with PCI if their software processes, transmits or stores card data. Many larger ISVs maintain dedicated employees on staff to ensure compliance, including staying on top of updates and changes to the regulations. Others maintain compliance by hiring outside PCI consultants.
A newer solution to the PCI conundrum takes a hybrid approach. With this method, ISVs shift the bulk of PCI compliance to a payments provider and handle the remaining regulatory work in-house. In this approach, also known as semi-integrated, the ISV’s payments provider takes on the heavy lifting of PCI compliance through the use of new technology. Card data never touches the ISV’s application, reducing the compliance scope for the developer.
This is the approach TSYS Merchant Solutions℠ offers its ISV partners, allowing them to focus on their applications while we handle customer payments – safely and reliably while meeting industry requirements.
Our unique semi-integrated solution helps remove business applications (and a merchant’s POS system) from PCI scope by managing payment switching via a POS device. The solution supports chip card transactions, end-to-end encryption (E2EE), tokenization and NFC. Through incorporation of TSYS Guardian℠ Tokenization and Encryption, the POS terminal (with built-in PIN device) acts as a payment switch, taking merchant systems untouched by the payment flow out of PCI scope.