Payment Processing Made Easy

With new tools and third-party technologies, Microsoft developers can now easily add payment processing to their applications directly in Visual Studio. 


    You were probably never asked (or never expected) to become a payment processing and security expert as an application developer, yet the chances are ever increasing that you'll be asked to integrate commerce components into your applications that satisfy the new security standards of numerous credit card and payment processing companies. In this new world order, your applications will be required to accommodate various payment types and connect with new, old, open and proprietary payment processing systems, all while complying with standards like Payment Applications Best Practices (PABP) and Payment Card Industry Data Security Standard (PCI-DSS) guidelines. Your customers demand such protection, and credit card processing companies do too.

    The challenge lies in the plethora of credit card processing providers which all have different formats used to accept payments from customers. In an ideal world, you should be able to write one credit card acceptance application that communicates with many different processing companies' systems. Software developers need a platform and toolkit that simplifies the process of developing credit card acceptance workflows, while adhering to the latest security standards.

    As of January 2008, stiff penalties come with noncompliance with the above-mentioned standards, so where do developers (and their managers, because it's their problem, too) start in making their commerce applications comply with new security standards as they relate to credit card processing? What tools can help simplify commerce application development while guarding against today's security threats?

    First, developers, their managers, and really everyone involved in the software development lifecycle of a commerce-based company, must become educated regarding the latest standards, at least at a 50,000-foot level. More importantly, they should implement tools that make the learning curve minimal. Further, developers should not be required to learn a new development language and skill set just to enable their existing programs to be able to speak to a multitude of payment processing platforms. Ultimately, it is necessary to ensure that applications are flexible enough to support whichever payment processor your customers already use.

    Let's start with a PCI-DSS and PABP 101 primer to make the education side a bit easier. Then, let's examine some tools developers can use to enable their commerce applications to communicate with most of today's payment processing platforms.

    PCI DSS and PABP 101
    The leading payment card companies (Visa, MasterCard, Discover, American Express, and JCB International) joined forces in 2004 by combining their individual cardholder data protection programs. The result was the Payment Card Industry Security Standards Council (PCI SSC), which provides an industry-wide framework for individual security programs, giving merchants and payment service providers a common framework to help keep cardholder information safe.

    PCI-DSS specifies the operational and security controls required to protect cardholder data throughout transaction processing. Taking the operational controls specified by the PCI-DSS a step further, Visa's PABP program, which is a voluntary validation program born out of the requirements from the PCI-DSS, is designed to help software companies create security-enhanced payment applications.

    PABP consists of a set of 14 best practices that payment application developers should follow if their applications are to maintain a high level of security. Developers could spend hours in training, learning how to comply with PABP guidelines, as a certain level of security expertise is required. As of July 1, 2008 any new software application that will be processing Visa transactions must be PABP-compliant in order to be accepted by Visa partners. By October 1, 2008 all new merchants must either be PCI-compliant or be using a PABP-compliant application or face the possibility of stiff fines and suspension of credit card processing privileges.

    Until now, PABP has been a recommendation, not a mandate. However, the PCI Security Standards Council recently adopted the PABP guidelines and has released a new set of requirements called Payment Applications Data Security Standards (PA-DSS). All PABP compliant applications will be grandfathered into the PA-DSS but by setting PA-DSS standards, the industry is letting software companies know that the days of developing non-compliant payment applications are numbered.

    To ease this transition into the roles of security and payment component developer, Microsoft independent software vendor IP Commerce has enhanced its Commerce Toolkit for Applications with components designed to help developers meet these PABP requirements. Developers with core competencies like business logic and software workflows can rely on the Toolkit to simplify the process of meeting the demanding standards of PABP. Every vertical market for which developers are writing payment-enabled applications requires different functionality, so developers can focus on the software workflows and business needs instead of the learning curve that PABP compliance could require.

    Further, meeting the credit card companies' requirements and new standards for having commerce applications certified becomes easier. When one application can communicate with many credit card processing service providers and their unique technologies, developers and their applications no longer must go through separate certifications for each application developed for each processing system. One certification process is sufficient to reach multiple providers, using a "write once, use many" approach.

