Essential Guide

PCI 3.0 special report: Reviewing the state of payment card compliance

A comprehensive collection of articles, videos and more, hand-picked by our editors

PCI DSS Council adding new standard for payment applications

The Payment Application Data Security Standard (PA-DSS) is based on Visa's Payment Application Best Practices. It's designed to bolster security during application development.

To force more security into the payment application development process, the Payment Card Industry Security Standards Council is adding a new provision to the PCI Data Security Standard (PCI DSS).

With the PA-DSS managed by the council, we will ensure that payment application providers and their products are subject to data security requirements consistent with the current PCI DSS.
Bob Russo,
general managerPCI Security Standards Council

The council, which manages PCI DSS and the PCI PIN Entry Device (PED) security requirements, said Wednesday that the Payment Application Data Security Standard (PA-DSS) is based on Visa's Payment Application Best Practices (PABP). A preliminary draft of the standard has been distributed to the council's board of advisors, participating organizations, qualified security assessors and approved scanning vendors for feedback, which will be worked into the final version of PA-DSS in the first quarter of 2008.

"With the PA-DSS managed by the council, we will ensure that payment application providers and their products are subject to data security requirements consistent with the current PCI DSS," Bob Russo, general manager of PCI Security Standards Council, said in a statement. "As criminals become more sophisticated and payment application vulnerabilities are realized by our membership, we must ensure that all components of the payments process are subject to rigorous standards that are supported by all of the global payment card brands with a single goal in mind: to protect cardholder data and combat fraud."

The council noted that Visa created the standard to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 and PIN data, and support compliance with the PCI DSS. Internally developed applications by merchants and others are not currently subject to PCI PA-DSS but are subject to PCI DSS. PA-DSS is endorsed by all five global payment card brands: American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa Inc.

PCI data security standards:
Don't blame PCI DSS for TJX troubles, IT pros say: Data breaches at TJX and elsewhere have some questioning the effectiveness of PCI DSS, but others say the real problem is how companies approach the guidelines.

Banks neglect responsibility for data breaches, some say: TJX has become the poster child for bad data behavior, but some believe the bank and credit card companies aren't accepting enough responsibility for the data breach epidemic.

How Chevron met the PCI DSS deadline: Layered defenses made PCI DSS compliance easy, but one expert sees a need for improved wireless standards.

The addition of PA-DSS comes as merchants fight for more control over the data they store and as attackers target Web applications with growing zeal.

Last month the National Retail Federation (NRF) sent a letter to the Payment Card Industry (PCI) Security Standards Council asking for changes in how the credit card industry requires merchants to store credit card data. NRF Chief Information Officer David Hogan wrote that retailers should not have to store credit card numbers because doing so increases the risk that hackers will try to steal the information. Other experts have debunked that assessment, saying there's confusion over the storage rules and that merchants open themselves up to network break-ins by failing to institute well-rounded security policies. One PCI DSS auditor noted in an interview last week that merchants do not need to store a full credit card transaction record but that some banks mistakenly tell them they must. Also, many retailers purchased point-of-sale systems that store more data than necessary, the auditor said.

Since Visa created the PA-DSS to help software vendors and others develop payment applications that do not store prohibited data, the addition of the standard to PCI DSS may help to quell those concerns.

The new standard is also designed to address growing attacks against Web-based payment applications. Security experts have repeatedly warned that such applications are being developed and rushed into operation with no regard for security, making them easy targets for hackers. The standard is the council's attempt to address those who say developers must be better trained to work security into their applications.

The need for more security in the application development process has been a major theme at this week's Computer Security Institute (CSI) conference in Arlington, Va.

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Essential Guide

PCI 3.0 special report: Reviewing the state of payment card compliance

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close