Sunday, March 15, 2009

How to make your software application PCI compliant.

If you're a developer who maintains a software application that accepts credit card payments, you may be wondering how to make your program PCI compliant. You're not alone: every piece of software that accepts credit card payments or stores credit card numbers is now forced to become PCI compliant or be fined. PCI, short for Payment Card Industry, regulates the storage and transmission of credit card numbers.

Your options
There are two ways to become PCI compliant.
1. Subject your software application to a PCI audit. Representatives from the Payment Card Industry will review your application and make recommendations for the storage and transmission of credit card data. The audit will be intensive and costly and will need to be redone annually.
2. Rework your application so that it no longer stores or transmits credit card numbers. At first this sounds strange, but read on.

Removing the storage and transmission of credit card numbers from your application.
Let's say, for example, you have a software application that accepts rent. Landlords use it on their desktop computers. They select a renter and charge their credit card.
We need to remove the portion that stores the credit card number and replace it with a payment token. The token is generated when the landlord enters the credit card on a PCI-certified site hosted by your payment processor, so the card number itself never passes through your application. Once you have the token, you can store it in your application instead of the credit card number. When you're ready to charge the renter, you send the token along with the amount. It's that simple: you're now PCI compliant.

PCI compliance in a few steps.
It doesn't have to cost a fortune to become PCI compliant; a small change to your application can make all the difference. Often the change can be made in a way that your customers won't even notice.
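The token swap described above, as an added illustration that is not part of the original post: a stand-in for the processor's hosted page and vault issues an opaque token, the rent application stores only that token (plus the last four digits for display), and a Luhn-based scan of the application's own records confirms that no card number is kept. The `ProcessorVault`, `RentApp` and `tok_` names and the 4111... test card are constructed for this example.

```python
import re
import secrets

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell a real card number from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class ProcessorVault:
    """Stands in for the processor's PCI-certified hosted page and vault (constructed).
    Only this side ever holds the card number (PAN)."""
    def __init__(self):
        self._pans = {}

    def hosted_card_entry(self, pan: str):
        # the landlord types the card into the processor's page; the application
        # only receives an opaque token and the last four digits for display
        token = "tok_" + secrets.token_hex(8)
        self._pans[token] = pan
        return token, pan[-4:]

    def charge(self, token: str, amount_cents: int) -> dict:
        if token not in self._pans:
            raise KeyError("unknown token")
        return {"token": token, "amount_cents": amount_cents, "status": "approved"}

class RentApp:
    """The landlord's application (constructed): stores tokens, never card numbers."""
    def __init__(self, vault: ProcessorVault):
        self.vault = vault
        self.renters = {}

    def save_token(self, renter: str, token: str, last4: str):
        self.renters[renter] = {"token": token, "last4": last4}

    def charge_rent(self, renter: str, amount_cents: int) -> dict:
        # charging sends the token plus the amount; the PAN never crosses this boundary
        return self.vault.charge(self.renters[renter]["token"], amount_cents)

PAN_RE = re.compile(r"\b\d{13,19}\b")

def find_stored_pans(app: RentApp) -> list:
    """Scan the application's data store for anything that looks like a card number."""
    hits = []
    for record in app.renters.values():
        for value in record.values():
            hits += [m for m in PAN_RE.findall(str(value)) if luhn_valid(m)]
    return hits
```

Running `find_stored_pans` against a record built this way returns an empty list, which is the property an auditor wants to see hold for every place the application writes data.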

1 comment:

Steve said...

If you're choosing to become PCI compliant rather than outsource it, then I'd suggest scanning for stored payment card numbers as a starting point. It seems to be something that's been commonly overlooked.

There are a few ways to do it; however, our company used a software app called Card Recon as part of its PCI audit to scan desktops and servers for card storage. There's a free version which can be downloaded from www.groundlabs.com
or otherwise try using another program called Senf which is written by utexas. Its only downfall was that it wasn't as accurate.