If you're using payment software that hasn't been validated against PCI standards, here's how to protect your business:
Payment software that hasn't been validated under the PCI Software Security Framework (SSF), the PCI SSC programme that replaced PA-DSS, has not had its security controls independently assessed. That leaves you exposed to weaknesses in the software itself, and because your own PCI DSS assessment can no longer rely on the vendor's validation, it makes compliance harder and more expensive to demonstrate.
Essential steps to reduce your risk:
1. Verify your current software validation status
- Check whether the exact product and version you run appear on the PCI SSC's Validated Payment Software listing
- Request the vendor's Attestation of Validation and implementation guide; a sales sheet or a claim of being "PCI compliant" is not validation
- SSF validation applies to commercial payment software (sold, licensed, or distributed to third parties) that stores, processes, or transmits cardholder data; software you build in-house is covered by your own PCI DSS assessment instead
- Don't assume your software is validated without the documentation to prove it
2. Work with validated software providers
- Choose payment software that has completed PCI Software Security Framework validation
- Request proof of current validation status before installing or purchasing
- Ensure the listing covers the specific version and the payment functions you're using; validation is version-specific, so a newer or older build is not covered by it
- Check the listing's expiry date and status before deploying, since listings lapse and a version can be withdrawn
3. Understand your responsibilities based on your role
- If you're a software vendor: validate your product against the SSF Secure Software Standard, and consider validating your development process against the Secure SLC Standard, which lets you self-attest minor updates instead of re-assessing every release
- If you use payment software: verify validation before installation, deploy according to the vendor's implementation guide (a validated product installed with the defaults changed can still fail your assessment), and re-check the listing periodically and at every upgrade
- For custom software: internally developed payment applications are outside the SSF validation programme; they fall under PCI DSS Requirement 6 (secure development, code review, vulnerability management) in your own assessment
4. Maintain ongoing compliance
- Track version changes: validation is tied to a version, so confirm each new release is on the listing (or covered by the vendor's Secure SLC-validated change process) before deploying it
- Regularly verify that your software provider maintains current validation
- Apply security patches promptly, but to validated versions; don't stay on an unsupported build to avoid the check
- Record product, version, listing reference, and expiry date in your compliance records; you will need them for your SAQ or Report on Compliance
5. Red flags that increase your risk
- Payment software that handles cardholder data with no PCI validation documentation, or whose only evidence is a marketing claim of "PCI compliance"
- Software providers who can't produce a current Attestation of Validation or point to their entry on the PCI SSC listing
- Outdated software versions that are no longer supported or validated
- Custom-built payment applications without a documented secure development process and security testing
- Mixing validated and non-validated software components in your payment process, so that the unvalidated component handles card data the validated one was meant to protect
The bottom line
Using non-validated payment software leaves security weaknesses unassessed and adds work to every compliance cycle. Validation is an independent assessment that a specific version meets defined security requirements; it is not a guarantee, and it only holds if you deploy and configure the software as the vendor's implementation guide describes. Even so, it gives you tested controls and documentation that make your overall compliance much easier to achieve and maintain.
Contact your software providers now to confirm current PCI Software Security Framework validation for the versions you run. If your current software isn't validated, work with your payment processor to identify validated alternatives that meet your business needs.