Defining Out of Scope

Interview with Chris Donahue, Director of Product Management

There is some great news about the latest version updates of both the SMS|Host property management system and SpaSoft spa management system. These latest version releases have been validated as out of PA-DSS scope. This certainly sounds like a good status update, but what does it mean, why should you care, and how might it affect current SMS|Host and SpaSoft users?

The world of PCI compliance and PA-DSS validation can be confusing, and the requirements are always changing. Most PMS and spa management system providers do not supply products that are “out of scope,” so the term is unfamiliar to many people.

We talked to Springer-Miller’s Director of Product Management, Chris Donahue, to get the details on what this out of scope assessment means.

Q: What does “out of PCI scope” mean?

“Out of PCI scope” is a bit of a misnomer. SMS has recently validated that their applications are out of PA-DSS scope. This means that we have removed all exposure to cardholder data from within our application’s environment. There is no point within a payment transaction’s lifecycle where SMS|Host, SMS|Retail POS, SMS|Touch or SpaSoft are exposed to decryptable cardholder data.

A Merchant is never truly out of PCI scope so long as they are taking credit cards for the payment of goods and services. A Merchant always has to validate their compliancy under the PCI DSS.

By eliminating cardholder data from our application environments our customers, the merchants, benefit because they can remove or lower their own PCI scope – such as PCs, networks etc. The fact being, if cardholder data does not touch a PC, then that PC effectively comes out of scope.

Q: How is SMS|Host being out of PA-DSS scope different from Springer-Miller’s Secure Payments Solution (SPS)?

Secure Payments Solution (SPS) is our tool for removing SMS|Host and SpaSoft from PA-DSS scope. SPS is the integrated solution that utilizes P2PE, tokenization, web proxies and payment pages from our Payment Gateway partners to fully isolate our applications from exposure to cardholder data.

Q: Why did Springer-Miller go out of PA-DSS scope?

Going out of PA-DSS scope simplifies our business as well as our customers’. For the past 10 to 12 years our Software Development Life Cycles have been weighed down by the PA-DSS validation process. Each and every major release had to have complex QSA assessments, and the time and effort that process took limited our ability to focus on developing the features we want to bring to market. Now that we have removed our applications from scope, our validation process is dramatically lowered and we should be able to reinvest those hours back into our solutions.

Q: What are the benefits to SMS|Host and SpaSoft users?

Our clients benefit from SPS in a multitude of ways. Lower exposure equates to lower cost and liabilities. Eliminating sensitive data means that there is no cardholder data compromised in the event of a network breach. As an example, a network breach that exposed 50,000 payment cards could potentially cost a Merchant in excess of 1,000,000 dollars. If no CHD was exposed, there would be no associated PCI breach costs.

Aside from limiting liabilities, SPS lowers PCI related costs by reducing the Cardholder Data Environment (CDE). A CDE is defined as the computer system or networked group of IT systems that processes, stores and / or transmits CHD. A CDE also includes any component that directly connects to or supports this network. So, if the SMS|Host solution and supporting network is no longer exposed to CHD then this entire network can be identified as out-of-scope. Less scope equates to less overhead and management costs. All PCs, servers, routers, switches, firewalls, access points etc. can be validated as out-of-scope. Additionally, the process for validation (typically SAQ submission) becomes simplified – particularly when a payment gateway is PCI P2PE validated.

Q: Does this only work with specific payment gateway processing partners? What if my current payment processor isn’t one of the partners?

SMS works with multiple Payment Gateway partners to deliver SPS solutions. On the SMS|Host side we integrate with Shift4 and FreedomPay. On the SpaSoft side we work with Shift4, FreedomPay, Elavon and MerchantLink to support our out-of-scope efforts.

Gateway interfaces are costly to develop and certify, and the fact is they are not all created equal. We believe that we work with the four best solutions available in the hospitality industry today; therefore we’d recommend that our clients assess these solutions as go-forward options for their business.

Q: Does this eliminate PCI Compliance for hotels using SMS|Host or spas using SpaSoft?

As mentioned, a Merchant will always need to validate their PCI compliance. Springer-Miller Systems’ SPS solutions help to dramatically simplify this process.

Q: How can I prove that SMS|Host or SpaSoft is out of scope for our PCI Audit?

Beginning with version 21 of SMS|Host and version 6 of SpaSoft, these applications will no longer be listed on the PCI website as being PA-DSS validated – because they are now out of scope. If you require proof, Springer-Miller is happy to supply the official letters from our QSA.

Prior versions of Springer-Miller software retain their PA-DSS validations and are listed under the “approved for existing deployments” tab of the PCI website.

Thanks, Chris, for helping us better understand what it means for Springer-Miller’s applications to be out of PA-DSS scope. If you have any questions about how SMS can help your organization reduce the complexity of your PCI compliance efforts, contact us and we’ll be happy to help.