National Merchant Alliance views data security as the single most important issue in the electronic payments industry today, and as such is focused on educating our merchants and partners about the impact of security rules. In all cases, NMA refers to the Payment Card Industry Data Security Standard (PCI-DSS) and the Payment Application Data Security Standard (PA-DSS) when discussing payment card security. Only the PCI council and Qualified Security Assessors can determine whether or not an application is in scope, requires an audit, or needs action. NMA offers products that are PA-DSS certified, but the method of integration by a developer and a host of other factors determine whether an application is within scope for an audit.
In broad terms, merchants are required to be PCI compliant per the rules of the PCI-DSS which applies to merchants. Being PCI compliant is a merchant's responsibility and a developer can only facilitate that compliance by providing a secure product. The PA-DSS defines what software must be validated and those steps that must be taken to validate the software. In short, the PA-DSS applies to software developers and integrators of applications that store, process or transmit payment cardholder data as part of authorization or settlement. It also applies to these applications that are sold, distributed or licensed to third parties. A great first step is to contact NMA's Developer Sales team to discuss your point of sale application, your ideas concerning a payment integration, and the different options available given those variables. In the event that a PA-DSS audit is necessary, NMA has partnered with IGX Global and offers our developer partners discounted services as part of our Developer FIRST program.