Start by getting familiar with the compliance standard: the Payment Application Data Security Standard (or PA-DSS for short). PA-DSS applies to software developers and integrators of applications that store, process or transmit payment cardholder data as part of authorization or settlement. It also applies to these applications that are sold, distributed or licensed to third parties.

PA-DSS requirements include:

1. Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CIV2, CW2) or
2. PIN block data
3. Provide secure password features
4. Protect stored cardholder data
5. Log application activity
6. Develop secure applications
7. Protect wireless transmissions
8. Test applications to address vulnerabilities
9. Facilitate secure network implementation Do not store cardholder data on a server connected to the Internet
10. Facilitate secure remote software updates Facilitate secure remote access to application
11. Encrypt sensitive traffic over public networks
12. Encrypt all non-console administrative access
13. Maintain instructional documentation and training programs for customers, resellers and integrators

Most ISVs then have two options from here: achieve PA-DSS compliance by undergoing an audit by a Qualified Security Assessor (QSA) or go out of scope of PA-DSS.

To stay in scope of PA-DSS, software vendors must undergo the process of validating their application or applications. This involves a security audit from a PA-DSS Qualified Security Assessor (QSA), as well as any development changes needed to bring the application into compliance. ISVs are required to pay $1,250 annually (per software application) to have their solution listed as a validated PA-DSS-compliant solution.

Each payment card brand has unique terms for PA-DSS compliance. Check the different PCI compliance deadlines for each payment card brand, along with their different PCI compliance requirements.

To go out of scope of PA-DSS, ISVs need to transfer the responsibility of handling sensitive cardholder data to a third party. Some payment processing companies offer hosted solutions where sensitive credit and debit card data bypasses your software all together and are transmitted directly to the payment processor.

Some additional resources to fulfill PA-DSS requirements: