Merchants: Are Your Vendors PCI Compliant?

Are Your Vendors PCI Compliant?  vendors

Visa, who has always been the strictest association regarding PCI compliance, data security, and cardholder protection, has set the pace again. Merchants who accept multiple card types are required to follow the strictest card operating guidelines to become PCI compliant which usually come from Visa. They issued series of mandates requiring its acquirers to ensure that their U.S. merchants, VNPs, and agents use only PA-DSS compliant payment applications and that PIN pads connected to Visa’s network use triple DES (triple data encryption standard technology). The final mandate in this series went into effect on July 1.

A Little History

In 2005, Visa established the Payment Application Best Practices (PAPB), “to provide software vendors guidance in developing payment applications that help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) and support overall compliance with the PCI Data Security Standard (PCI DSS)”. In 2008, the Security Standards Council (PCI SSC) adopted Visa’s PAPB and released it as the Payment Application Data Security Standard (PA-DSS). The PA-DSS relates to vendors who develop secure payment applications and its goal is to ensure that the applications are PCI compliant and do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data. The standard requires vendor software applications to be validated for compliance on an annual basis.

On January 1, 2008, Visa implemented a series of mandates that requires its acquirers to ensure that its merchants and agents only use third-party payment software that is compliant with the PA-DSS. The mandates, in line with Visa’s Cardholder Information Security Program (CISP), intent is to eliminate “vulnerable payment applications from the Visa payment system”. Failure to do so could result in financial penalties for acquirers. Since the mandates were established over two years ago, and there have been 4 prior checkpoints, acquirers have had plenty of time to get their merchants geared up for this final mandate and July 1 deadline.

Visa’s global merchants have until July 1, 2012. MasterCard has also set a July 1, 2012, global deadline for PA-DSS compliance for its merchants, under their Site Data Protection (SDP) program. According to their SDP update issued in June, MasterCard will also establish new PA-DSS compliance validation requirement for Level 1, 2, and 3 merchants and Level 1 and 2 Service Providers.

However, Visa is not completely rigid on the July 1 date. According to an article in ISO & Agent Weekly, Visa intends to work with merchants who do not meet the July 1 deadline. The exception to this assistance will be for merchants who are purposely avoiding compliance. (Visa welcomes information regarding merchants who are not in compliance.)

What Merchants Need to Do

Merchants need to be proactive from the gate. To avoid non-compliance, and subsequent data security risks, they should not wait to hear the news of new policies from their processors. They need to stay ahead of the pack by checking the PCI SSC site, as well as staying abreast of any pertinent news from the card companies. Most importantly, they should always ensure they are using vendors who are PCI compliant. How can they do that? For starters, and for the purpose of Visa’s security mandates, they should only use vendors who are on the list of PCI SSC validated payment applications, which have been assessed for compliance with the PA-DSS. Merchants should also only use vendors who use Payment Application Qualified Security Assessors (PA-QSAs), who are certified by the PCI SSC. Even if a vendor states their payment application is PA-DSS qualified or have been evaluated by a PA-QSA, merchants should check the PCI SSC site for its validation. Vendors are on the list for one year for only the software version which has been evaluated. If a vendor has released a new version, a merchant should only consider using the compliant version and never use a beta version. The PA-DSS never validates beta versions.

If a merchant discovers that their vendor is non-compliant with the PA-DSS, it should either switch to a PCI compliant vendor (which many not be as easy as it sounds) or assist the vendor in gaining compliance. That’s not to mean that the merchant should assist them financially but guide them if they can. By working together, they can build a stronger relationship, resulting in secure data protection for their customers and cardholders.

So, what happens if a merchant uses non-compliant vendor? Aside from the risk of compromising cardholder data, if a breach occurs, the merchant can be fined by the card associations and/or forced to undergo a forensic audit, which is not free. Merchants are having a tough enough time in this economy and should not jeopardize their business further by using non-compliant third-party payment processing vendors, nor risk adding costs that can be otherwise avoided.

Contact us Now or Call Us Now at 855-204-3838 and see how we can help you!  Do it Now!


Information regarding PCI SSC Validated Payment Applications and Payment Application Qualified Security Assessors (PA-QSAs) can be found at

Visa CISP –

MasterCard SDP –