6

Is a commercial software vendor who sells software for use in the United States, subject to, or legally required to implement PCI-DSS if their software includes a feature which will allow the collection and storage of credit card information, but which does not do payment processing itself as part of the software's features?

Said software vendor would NOT be processing payment using this software but simply encrypting and storing the credit card information for the purposes of simplification of manual payment processing using software from another vendor. That is, this hypothetical software vendor is simply producing software which can communicate to other payment systems, but which is not a software based payment system itself. (For instance, perhaps communicates to Digital River or other online payment processing systems, and stores credit card information in a database, in encrypted form.)

Warren P
  • 163
  • 4

2 Answers2

8

First off - PCI-DSS applies to environments, not products.
In other words, it would apply to your website, but not the packaged product you sell to your customers.
On the other hand, it could apply to your customers, who would then need your product to fit in with their compliance.

To this end, the PCI fellows introduced PA-DSS - this applies to products, which can be installed in customer environments (which would then be required to comply with PCI).

Now, regarding your specific product - PA-DSS would absolutely apply, since you store or process card data (even without processing payment).

From the PA FAQ:

For the purposes of PA-DSS, a payment application eligible for review and listing by the PCI SSC is defined as an application that:
a) stores, processes, or transmits cardholder data as part of authorization or settlement;
and
b) is sold, distributed, or licensed to third parties

AviD
  • 73,317
  • 24
  • 140
  • 221
3

Is a commercial software vendor who sells software for use in the United States, subject to, or legally required to implement PCI-DSS if their software includes a feature which will allow the collection and storage of credit card information, but which does not do payment processing itself as part of the software's features?

NO. They are not legally required to implement PCI-DSS. In fact, NOBODY is "legally required" to implement PCI-DSS. That implies that there is a law which mandates it. There is not. PCI-DSS is a CONTRACTUAL requirement if you have a merchant account.

The customers who use the software to take credit card info would be required to be PCI compliant. And they may be required to use only PA-DSS compliant software. If they have a home-grown shopping cart it isn't required to be PA-DSS compliant. If they use a third party app which is sold/distributed (such as yours, presumably) it must be PA-DSS compliant. "PA-DSS does NOT apply to payment applications offered by application or service providers only as a service (unless such applications are also sold, licensed, or distributed to third parties." -- https://www.pcisecuritystandards.org/pdfs/pci_pa_dss.pdf (You should read this doc)

But that is their problem, not yours unless they make it yours by refusing to buy your software (which is entirely possible).

If you don't have a merchant account and the contract that goes with it PCI is not your problem. Not unless you agree to make it your problem for a customer.

Tracy Reed
  • 628
  • 4
  • 5
  • +1 Hey, an actual answer to the actual bottom line question I asked. Of course, asking if something is Legally Required might be (oops, sorry) off-topic for this site now. It seems SE sites shy away from these subjects, especially since the jurisdiction in my question (USA) may not be the jurisdiction of many international readers around the world. – Warren P May 10 '13 at 18:11