Friday, January 15, 2010

Desktop Application PCI Compliance

As PCI DSS requirements get stricter, desktop applications that accept credit card payments are finding it harder to comply. Lately we have worked with several clients to bring their desktop applications up to PCI DSS standards. There are two options to consider when faced with this problem.



Option 1

Rewrite the software to meet the PCI DSS requirements. This usually means paying for an assessment and then making the necessary changes to the software, and because the application stays in scope the assessment has to be repeated every year. The changes are usually not minor: they are time-consuming, invasive changes that require manpower and know-how to complete.



Option 2

Separate the credit card payment section from the rest of the application and have it use a vendor service. Take, for example, gym membership software with three sections: Payments, Members, and Reports. The Payments tab allows payments to be made for members. Instead of collecting card data in its own forms, the Payments section loads an SSL/TLS-encrypted web page hosted by a PCI DSS compliant payment vendor, so the card number is typed into the vendor's page rather than into the application. See the screen shot below: the area within the red box is actually a web page embedded into the desktop application.




The best part of this solution is that after the transaction is complete the vendor sends a token back to the desktop application. The token is an opaque reference to the card held in the vendor's vault and can be used in place of the card number next time: when the customer needs to make another payment, the application simply sends the stored token along with the amount.
Since the desktop application no longer stores or transmits credit card data directly, PCI scope is greatly reduced, which makes compliance much easier. Scope is reduced rather than eliminated: the token still lets anyone holding it charge that card through your merchant account, so it should be protected like any other credential, and the workstation still displays the vendor's page where the card is entered. Even so, this is a great service that saves software companies large and small a great deal of money and headache.
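The token round trip described above, written out as an added example; this is not code from the original post and not any vendor's integration. It assumes the embedded vendor page finishes by navigating to a callback URL of the form app://payment-complete?token=..., which the host application intercepts from its embedded browser control instead of loading (the post does not say how the vendor hands the token back, so this callback, the token format, the vendor URL and the member ids are all made up). It also adds a guard the post does not mention: the desktop-side store refuses to save anything that looks like a card number (13 to 19 digits with a valid Luhn check), so an integration mistake cannot silently put card data back into the application.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hypothetical callback that the embedded vendor page is assumed to navigate to
# once the card has been tokenized. The host application watches the embedded
# browser's navigations and intercepts this URL instead of loading it.
CALLBACK_SCHEME = "app"
CALLBACK_HOST = "payment-complete"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used here only to recognise card-number-shaped strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if value is 13-19 digits (spaces/dashes ignored) with a valid Luhn check."""
    digits = re.sub(r"[\s-]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)


def token_from_callback(url: str):
    """Return the vendor token carried by the callback URL, or None for any other URL."""
    parsed = urlparse(url)
    if parsed.scheme != CALLBACK_SCHEME or parsed.netloc != CALLBACK_HOST:
        return None
    return parse_qs(parsed.query).get("token", [None])[0]


class MemberPaymentStore:
    """Desktop-side storage: vendor tokens keyed by member id, never card numbers."""

    def __init__(self):
        self._tokens = {}

    def save_token(self, member_id: str, token: str) -> None:
        # Guard against an integration bug handing us the PAN instead of a token;
        # storing it would bring the application straight back into PCI scope.
        if not token or looks_like_pan(token):
            raise ValueError("refusing to store a card-number-shaped value")
        self._tokens[member_id] = token

    def charge_request(self, member_id: str, amount_cents: int) -> dict:
        """Body of the follow-up charge: token plus amount, no card data."""
        return {"token": self._tokens[member_id], "amount": amount_cents}


def demo() -> dict:
    """Walk the flow once with constructed inputs and report what happened."""
    store = MemberPaymentStore()
    # Constructed navigation events as the host would see them from the embedded browser.
    navigations = [
        "https://pay.example.com/hosted-form?merchant=gym123",      # vendor page (made up)
        "app://payment-complete?token=tok_8f3a2c&status=approved",  # callback (made up)
    ]
    token = None
    for url in navigations:
        token = token_from_callback(url)
        if token:
            break
    store.save_token("member-42", token)

    pan_rejected = False
    try:
        # Well-known test card number, not a real PAN; the guard must refuse it.
        store.save_token("member-43", "4111 1111 1111 1111")
    except ValueError:
        pan_rejected = True

    return {
        "token": token,
        "charge": store.charge_request("member-42", 4999),
        "pan_rejected": pan_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The only thing the application ever persists is the opaque token, and the only thing it sends for a repeat payment is the token and the amount; the card number exists solely inside the vendor's hosted page and vault. Keep the token store protected, since the token is all the vendor needs to charge that card on your merchant account.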

1 comment:

Samant said...

hi Avani,

Option 2 seems easy and interesting. However, there seems to be a disconnect in the data flow for me; if you could help: once the secure web page is opened by the desktop application, the user enters the payment details in that web page. The web page then contacts the gateway to tokenize the card and get a reference number. How is this token sent back to the desktop application from the browser? Or do you mean that the browser should be loaded from within the desktop app, and then it internally communicates with the desktop app via an applet or objects?