How a Security Mandate Could Force Software Vendors out of Payments

The steady march toward more secure payment-processing software is likely to force many?possibly thousands?of small software vendors out of the market of serving merchants and card processors. These vendors will find it too expensive to upgrade their existing point-of-sale and related applications to meet specifications set forth in the new Payment Application data-security standard, or PA-DSS, according David Taylor, founder of the Stamford, Conn.-based PCI Knowledge Base consulting firm. Taylor held a Webinar on Wednesday about the impact of PA-DSS on vendors, merchants, and the payments market in general. PA-DSS is the name of Visa Inc.'s former Payment Application Best Practices (PABP), a set of guidelines for protecting data that flow through software in POS terminals and other card-processing settings. The PCI Security Standards Council adopted PABP in October, renaming the guidelines PA-DSS and applying them to the other major card networks?MasterCard Inc., Discover Financial Services, American Express Co., and JCB. The Wakefield, Mass.-based PCI Council administers the Payment Card Industry data-security standard, or PCI, the overarching set of rules for securing credit and debit card data. Merchant acquirers must ensure by July 1, 2010 that their merchants and third-party processors are using only applications that meet PA-DSS specifications. That deadline is one reason vendors are furiously developing new applications or trying to fortify existing versions. But that task costs a lot of money. Getting an application validated as PA-DSS-compliant can easily cost $10,000 to $30,000 per version, according to Taylor. “But for older applications, needed restructuring and added security features can run 10 times that amount,” he said. “This is more than some smaller developers can afford.” Thus, Taylor predicts many small software firms will exit payments or even go out of business if merchants or payments-industry companies are their main customers. Nobody knows how many such firms exist, he says. About 100 software applications from 25 vendors are on an industry list of applications with known vulnerabilities. Conversely, approximately 300 applications from about 200 vendors have been validated as meeting Visa's PABP and will be on the list of programs that meet PA-DSS. In the middle are a much larger number of payment applications in the market that haven't yet been validated. Taylor tells Digital Transactions News that these applications come from “tens of thousands” of vendors, most of them small. While the coming of PA-DSS will likely prove detrimental to many small businesses, the departure of some from the payments space may be a good thing, according to Taylor. “A lot of these development shops are very small; that's where some of these vulnerabilities are coming from,” he says. “They may not be missed.” On the other side of the fence, merchants are beginning to complain about higher payment software costs because what they thought was a purchase that could be amortized over about five years is now being compressed down to about two as vendors come out with PA-DSS versions. Taylor based his comments on 280 hours of anonymous interviews with merchants, PCI security assessors, application vendors, banks, processors, and others. He says that in the last three months, more than half of PCI Knowledge Base's interviews have included discussions about PA DSS.