Small Tech Firms Pursue Level 1 Service Provider PCI Compliance

Sunday, July 01, 2012

Stacey Holleran


Small technology companies are finding themselves in a unique business situation as prospective clients increasingly request software applications and hosting solutions that can accommodate secure mobile payment transactions.

The surge in smartphone use, accompanied by a strong push for secure mobile payment solutions, is bringing these technology companies to the forefront as “merchant service providers.”

Consider the example of Velocitor Solutions, a mobile and wireless software development firm that found itself redefining its business strategy when a large service-based company requested an application for field associates to accept payments remotely.

By taking on this mobile payment project, the Velocitor Solutions leadership team recognized that they would now be held accountable for the security of the data being passed through the application; any holes or breaches would impact their credibility as the developer behind it.

In addition, they identified a strategic opportunity to position Velocitor Solutions as a Level 1 PCI Compliant Service Provider, which would give them an edge over the competition.                                                              

What’s PCI DSS got to do with it?

The Payment Card Industry Data Security Standard (PCI DSS) is a well-established set of requirements designed to ensure that all companies processing, storing or transmitting credit card information maintain a secure environment. While most people think of merchants or credit card processors in relation to PCI compliance, merchant service providers are also within its regulatory scope.

Service Provider: Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. (Source:

Because most businesses accepting credit cards are intimately familiar with the PCI DSS and the steps their own organization takes to maintain compliance, merchant service providers who are also validated as PCI DSS compliant will garner more favor.

After all, if you’ve buttoned up the security of your processes and systems, chances are you don’t want to create a potential hole by choosing to work with a risky service provider.                                    

How is P2PE contributing?

Last month the PCI Security Standards Council (SSC) published a fact sheet to offer guidance for merchants evaluating technology to accept mobile payments using a smartphone or iPad/tablet (i.e., a Mobile Payment Acceptance Application Category 3).

Though these payment acceptance solutions are still not eligible for Payment Application Data Security Standard (PA-DSS) validation, the new fact sheet explains how a point-to-point encryption (P2PE) solution can be leveraged to secure mobile payments. (In essence, P2PE enables data to be encrypted at the point of interaction so that the mobile device itself never interacts with card data “in the clear.”)

Technology companies offering mobile payment solutions will want to get on board with P2PE for its data security merits, but also because merchants will be utilizing the PCI SSC guidance to make informed decisions regarding the service providers they will engage.

Why? If the provider/solution the merchant is evaluating is validated under the P2PE program(certified solutions will be listed on the PCI SSC website later this year), the payment data the merchant accepts via their mobile device will be outside the scope of the PCI DSS.

Who stands to gain?

When technology companies do their due diligence by validating and maintaining Level 1 Service Provider PCI Compliance, there is a domino effect of benefits:

  • The technology company itself is more secure, its development processes are systematized, and the company and its solutions are highly attractive to PCI-savvy merchants;
  • The merchant the technology company serves is more secure and their process of validating and maintaining PCI compliance is greatly simplified; and
  • The everyday customer the merchant serves is protected from their sensitive data being compromised during the payment process.

In my earlier Velocitor Solutions example, not only did the firm successfully meet the requirements of its immediate client, but it also established internal processes and policies to guide it toward future success in developing secure mobile payment solutions for clients to come.

In addition, the company’s PCI DSS validation as a Level 1 Service Provider serves as a feather in its cap when being evaluated by a prospective client. (Read more about the Velocitor Solutions story here.)

Of course, technology companies aren’t the only merchant service providers recognizing the many benefits of Level 1 Service Provider PCI Compliance—franchise organizations as well as merchants who have grown their operations to provide services to other merchants are also actively pursuing compliance.

Is your company serving as a merchant service provider? If so, the time to evaluate your strategy with regard to mobile payment business development is now.

Stacey Holleran is Sr. Public Relations Manager for ControlScan, a provider of Payment Card Industry (PCI) Compliance and Security services headquartered in Atlanta, Georgia.

Possibly Related Articles:
PCI DSS Infosec Island
Information Security
Encryption PCI DSS Compliance Application Security Mobile Devices PCI SSC Mobile Payments Merchants Application Service Providers
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.