ICVERIFY® Software FAQs
Get answers to frequently asked questions about Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS).
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for protecting payment account data. It was developed by the five major payment card brands to help business owners implement the hardware, software and procedures needed to guard cardholder data and other sensitive personal information. The standard is now maintained by the PCI Security Standards Council, whose founding members are American Express®, Discover® Financial Services, JCB International, MasterCard® and Visa®.
What does PCI compliance mean?
PCI compliance means that your business meets the PCI DSS requirements and follows the practices they prescribe to prevent breaches of cardholder data. PCI compliance is not a guarantee of security, but it is an important step in prevention. Please check with your Payment Compliance representative or your processor to ensure you are meeting the PCI compliance requirements set by the card brands (Visa, MasterCard, AMEX and Discover).
Will I need to upgrade my equipment or software to become PCI compliant?
As part of becoming PCI compliant, you may be required to upgrade your equipment and/or software, for example to a PA-DSS validated version of your payment application. Contact your equipment and/or software vendor to discuss the options available and the costs associated with them.
What is PA-DSS and how does it relate to PCI DSS?
The Payment Application Data Security Standard (PA-DSS) grew out of the program formerly known as Payment Application Best Practices (PABP). It is managed by the same council that manages PCI DSS and was created to help software developers build secure payment applications that support their customers' compliance with PCI DSS. The PA-DSS requirements are derived from the PCI DSS requirements. Under the payment brands' mandates, POS applications had to be PA-DSS certified by July 1, 2010.
I’m already using a PCI-compliant terminal/gateway. Why does my business need to be certified for PCI compliance?
The PCI Security Standards Council runs several requirement programs. The Payment Application Data Security Standard (PA-DSS) is a set of requirements to help software vendors and others develop secure payment applications. Such applications must not store prohibited sensitive authentication data, such as full magnetic stripe (track) data, CVV2 or PIN data, after authorization, and must support the merchant's compliance with the PCI Data Security Standard.
Use of a terminal/gateway that runs PA-DSS certified software is only one of many components evaluated in the assessment of a merchant's PCI DSS compliance.
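The following added example illustrates the data-retention rule described above; it is not ICVERIFY code or First Data code. It assumes a constructed track 2 string built around the well-known test PAN 4111111111111111, and made-up CVV2, PIN block and approval code values. The point it makes is structural: the only fields that survive an authorization are a masked PAN (first six and last four digits), the expiry date and the approval code, while the full track, its discretionary data, the CVV2 and the PIN block are never copied into the record that gets persisted. A small check at the end scans whatever was persisted for those prohibited values, which is the same test a practitioner would run over logs and database exports.

```python
import json
import re
from dataclasses import dataclass, asdict

# Track 2 layout per ISO/IEC 7813: ";PAN=YYMM SSS <discretionary>?" (LRC omitted).
# The discretionary field carries the stripe's card-verification value, so the
# whole track counts as sensitive authentication data.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)


@dataclass(frozen=True)
class StorableAuthRecord:
    """The only card-related fields this example persists after authorization:
    a masked PAN, the expiry date and the approval code."""
    masked_pan: str
    expiry_yymm: str
    approval_code: str


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, used to reject a malformed PAN early."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits in the clear (PCI DSS masking rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def build_storable_record(track2: str, cvv2: str, pin_block: str,
                          approval_code: str) -> StorableAuthRecord:
    """Consume the data present at authorization time and return only the record
    that may be written to disk. cvv2 and pin_block are accepted so the signature
    mirrors a real authorization call, but they are never copied into the result;
    the full track and its discretionary data are dropped as well."""
    m = TRACK2_RE.match(track2)
    if m is None:
        raise ValueError("malformed track 2 data")
    pan = m.group("pan")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    del cvv2, pin_block                     # sensitive authentication data: not retained
    return StorableAuthRecord(mask_pan(pan), m.group("exp"), approval_code)


def serialize(record: StorableAuthRecord) -> str:
    """What actually lands in the transaction log or database."""
    return json.dumps(asdict(record), sort_keys=True)


def leaks_sensitive_data(persisted: str, secrets) -> bool:
    """Scan a persisted string (log line, DB row) for any value that must never be
    stored: the full PAN, the raw track, the CVV2 or the PIN block."""
    return any(s and s in persisted for s in secrets)


if __name__ == "__main__":
    # Constructed sample input (hypothetical values; the PAN is a standard test number).
    track2 = ";4111111111111111=2512101000000000000?"
    cvv2, pin_block = "737", "1A2B3C4D5E6F7A8B"
    rec = build_storable_record(track2, cvv2, pin_block, approval_code="A1B2C3")
    line = serialize(rec)
    print(line)
    print("prohibited data leaked:",
          leaks_sensitive_data(line, [track2, "4111111111111111", cvv2, pin_block]))
```

Running the block prints a record containing only `411111******1111`, `2512` and `A1B2C3`, and reports no leak. The same `leaks_sensitive_data` check, fed the raw PAN, track, CVV2 and PIN block seen at authorization time, can be pointed at application logs and exported database rows to confirm that nothing prohibited was written anywhere else.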
Is ICVERIFY PA-DSS compliant?
Yes. ICVERIFY Software is PA-DSS certified and is listed on the PCI Security Standards Council website. To see the listing, visit the Council website and click "Validated Payment Applications". After reading and agreeing to the disclaimer, you can search by company name (First Data) or by application name (ICVERIFY).
What changes were made to ICVERIFY in order to become PA-DSS compliant?
The specific changes are described in Appendix A of the PA-DSS Implementation Guide that is included with every copy of ICVERIFY. The PA-DSS Implementation Guide, including Appendix A, is also available on our website.
What is the PA-DSS Implementation Guide?
The PA-DSS Implementation Guide was created to help merchants understand the latest security requirements and what they mean for merchants and their customers. Specifically, the guide walks through the components of ICVERIFY and describes how each meets the PA-DSS requirements. It also sets out the requirements that ICVERIFY, and any application that integrates with ICVERIFY, must adhere to, and it tells vendors and integrators which of those requirements are their responsibility.
I have never heard of PCI compliance before. Is this new?
No. Business owners have been completing the PCI Self-Assessment Questionnaire (SAQ) to identify potential security risks and demonstrate PCI compliance since 2005. You may be more familiar with the payment brands' own programs that enforce the PCI DSS:
- MasterCard: Site Data Protection (SDP) Program
- Visa: Cardholder Information Security Program (CISP)
- Discover Network: Discover Information Security & Compliance (DISC)
- American Express: Data Security Operating Policy
What am I required to do to become PCI compliant?
At a minimum, you must complete the applicable Payment Card Industry Data Security Standard Self-Assessment Questionnaire (SAQ) once a year and attest that you meet every requirement it covers. If you electronically store cardholder data or your processing systems have any Internet connectivity, quarterly external vulnerability scans by a PCI Approved Scanning Vendor (ASV) are also required. Please check with your Payment Compliance representative or your processor to ensure you are meeting the PCI compliance requirements set by the card brands (Visa, MasterCard, AMEX and Discover).
If you have additional questions about how payment software helps you in securing your payment transactions, please contact us at firstname.lastname@example.org.