Amie Jackson, Leader of Merchant and Partner Compliance for Vantiv, repeatedly fields questions from developers on anything related to PCI DSS or PA-DSS. It would be reckless to assume that everyone in our space understands all the standards and guidelines and also keeps up with the ever-changing landscape. It’s worth noting, however, that it takes more than just knowledge of what these standards entail to implement them in your application.
Seeking a PA-DSS validation is not only complex but also expensive, ranging anywhere from $15,000 to $45,000. These validations are performed by an independent assessor called a ‘Payment Application Qualified Security Assessor’ (PA-QSA), and the cost is determined by the complexity of the application and its payment implementation. Then there’s a $1,250 fee required to list your validated application on the PCI Council website.
After that, several re-validations must be done over time. First, a re-validation is required each time a significant change is made to the parts of your application that deal with cardholder data and payment functionality. Then there is an annual re-validation, even if there were no changes to the payment application. The cost of re-validation depends on the number of software versions and supported operating systems.
Beyond all of these fees, the biggest cost you’ll incur is simply building and/or modifying your application to meet all of the PCI DSS and PA-DSS requirements in the first place. Building and maintaining all of this can take anywhere from a couple of man-months to several man-years.
All of this explains why we’ve developed solutions that help take developers out of the scope of PA-DSS compliance. Vantiv Integrated Payments, not you, handles sensitive cardholder information, which can reduce the number of PA-DSS requirements you have to consider. And keep in mind, our implementation consultants are always on standby, willing to work with you to understand your requirements and help alleviate some of the stress.