American Medical Collection Agency (AMCA), a third-party healthcare debt collection firm servicing 7.7 million consumers, recently experienced a massive data breach, exposing consumers’ personal data and payment information. AMCA subsequently filed for bankruptcy as a result of the fallout from the data breach. This event is a stark reminder of how crucial it is to abide by PCI compliance requirements and to understand whether your software partners and providers are compliant.
- Definition of PCI Scope
- The Costs to be PCI Compliant
- Does Your Business Fall Within the Scope of PCI Compliance Requirements?
Payscout is a PCI Level 1 and PA-DSS certified Service Provider, and we have recently been reviewing our new and existing technology partnerships to ensure that our mutual customers are fully protected. We have integration solutions that, as our partner, can reduce your PCI scope, regardless of whether you offer an online application (PCI DSS requirement) or a distributed application (PA DSS requirement).
PCI Scope is established by the presence of a credit card number (PAN). If the PAN is ever transmitted, processed, or stored by your software, then it is a payment industry requirement to comply with PCI DSS and complete a rigorous compliance validation facilitated by an authorized QSA (Qualified Security Assessor) Company. Organizations that do not comply with PCI DSS face potentially serious consequences, which can include the following:
- Increased transaction fees
- Fines from the acquiring bank and/or card brands
- Responsibility for fraud loss in the event of a breach or other security incident
- Loss of ability to accept credit cards as a form of tender
- Reputational damage in the event of a breach
- Inability to claim safe harbor should a serious security incident impact cardholder data security
For a Software Company to become a PCI Compliant Service Provider, beyond the rigorous and time-consuming annual audits themselves, typical QSA audit costs are as follows:
- PCI DSS $25k+ Annually
- PA DSS $30k+ every 3 Years + PCI DSS Annual Cost
In the event of a breach, the cost to resolve a security incident is $7 – $15 per credit card number. These costs could rise to $70k – $150k for 10,000 credit card numbers. Many software vendors and merchants have the potential to impact the security of many more than 10,000 card numbers, and so fraud loss could be astronomical. Following AMCA’s data breach, AMCA’s largest clients immediately terminated their relationships, further impacting AMCA’s ability to bear these expenses and consequently rendering them bankrupt. These consequences not only affect the software company, but also put all customers using the software at risk.
We can work with you to identify the best solution for your situation, based on your type of application and how it is distributed. In addition, we work with a QSA who can attest to your out-of-scope status and provide a letter certifying that status for your customers’ compliance audits.
There are many layers to PCI Compliance requirements. If you facilitate electronic payments within your software application, how you capture card details (card number, expiration date, and CVV) could put you in the scope of PCI Compliance.
According to current PCI Requirements, here’s how it works:
- If you capture payment card information directly within input fields in your application for transmission to a payment gateway via an API, you are in PCI Scope
- If you capture payment card information using a payment gateway’s hosted payment page, presented in either an iFrame or a Modal window (Popup, Lightbox, etc.), you are out of PCI Scope
- If you capture payment card information as a full redirect to a payment gateway’s hosted payment page, you are out of PCI Scope
- If you capture payment card information via some other method, requirements will vary.
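A quick way to check which side of this line your application sits on is to look at what it actually transmits and logs: if a PAN ever appears there, you are in scope. The scanner below is an added example (not Payscout’s or any gateway’s code) that finds Luhn-valid 13–19 digit runs and reports them masked; the log lines are constructed and the card numbers are publicly known test numbers.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# hyphens, not immediately preceded or followed by another digit.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show at most first six and last four digits (PCI DSS display-masking limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PANs found in text; digit runs that fail Luhn are ignored."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


def in_pci_scope(text: str) -> bool:
    """Per the rule above: any PAN transmitted, processed or stored puts you in scope."""
    return bool(find_pans(text))


# Constructed sample log: line 1 is a direct-capture API call carrying a PAN,
# line 2 carries a 16-digit order id that is NOT Luhn-valid, line 3 is a
# hosted-page token flow where the PAN never reaches the application.
SAMPLE_LOG = """\
2019-06-03 12:00:01 POST /api/charge body={"card":"4111 1111 1111 1111","exp":"12/22"}
2019-06-03 12:00:02 POST /api/orders order_id=1234567890123456 status=ok
2019-06-03 12:00:03 POST /api/charge token=tok_hostedpage_abc amount=1999
"""

if __name__ == "__main__":
    print(find_pans(SAMPLE_LOG), in_pci_scope(SAMPLE_LOG))
```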
How is your Product/Software deployed?
- If your Product/Software is deployed online as a Web Application, you are required to comply with PCI DSS requirements
- If your Product/Software is distributed within a Client’s network (via either Desktop or Web Applications), you are required to comply with both PCI DSS and PA DSS requirements
Interested in learning more? Payscout’s Fran Fisher will be discussing PCI Compliance Scope in further detail at Ontario Systems’ 2019 PowerUp Conference.
Wondering if your Business falls within PCI Scope? Contact firstname.lastname@example.org so we can help you find out.