Feature

Secure Configuration of Windows XP Desktops

Ezine

This article can also be found in the Premium Editorial Download "Information Security magazine: Everything you need to know about today's information security trends."

Download it now to read this article plus other related content.

KNOW WHO'S WHO
The first step to tackling PCI DSS compliance is to understand who's who in the PCI accountability chain; an organization may be surprised to learn who actually does what. The five card brands that constitute the payment card industry are American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa. Each brand had its compliance program before PCI DSS, and each continues to maintain those programs and exert final decision control over compliance. However, all of the PCI brands have agreed to use the PCI DSS as a baseline for compliance evaluation to simplify the process for members.

In December 2004, the card brands issued the first version (1.0) of the Data Security Standard. The standard is not intended to replace the individual brand compliance programs; rather, it is meant to be a single set of guidelines for entities that store, process or transact credit card data. The assumption is that if an organization receives a successful PCI DSS RoC, it's compliant with any of the card brand programs.

So that there would be one central point of contact for PCI DSS matters, the five brands formed the PCI Security Standards Council (PCI SSC) in September 2006. The council is led by a five-member executive committee (one from each brand) and owns the official document repository

    Requires Free Membership to View

for all things PCI DSS. This includes the standard, as well as collateral such as the self-assessment questionnaire, audit procedures, and since April, the Payment Application Data Security Standard (PA DSS) (see "App Lockdown," below). The council also maintains governance over training and approval for QSAs and Approved Scanning Vendors (ASVs).

App Lockdown
New standard focuses on commercial payment applications.

Released in April, the first version of the Payment Application Data Security Standard outlines requirements that payment applications, such as point-of-sale systems, must adhere to. For those familiar with Visa's Payment Application Best Practices (PABP) program, which provides guidance on how to create payment applications that protect cardholder data in accordance with the PCI DSS, there won't be many surprises in the PA DSS.

The majority of changes were renumbering and wording clarifications. However, some notable enhancements have been added such as listing code-analysis tools as an alternative option for testing.

Compliance to the PA DSS applies to COTS payment applications that are sold to more than one customer and don't receive significant customization. At this point, the payment card brands still hold final determination on whether the PA DSS is mandatory for all payment applications. However, Visa has announced a phased PA DSS compliance program that will require its merchants and processors to use only PABP-compliant applications.

Single customer payment applications and applications developed in-house aren't subject to the PA DSS, though they must meet the PCI DSS. The wealth of information in the PA DSS can help any team develop more secure payment applications, even if those applications aren't required to be PA DSS compliant.

--DIANA KELLEY

This was first published in July 2008

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: