This article is part of an Essential Guide, our editor-selected collection of our best articles, videos and other content on this topic. Explore more in this guide:
4. - Bonus content: Events in PCI DSS history: Read more in this section
- Lack of guideline uniformity puts Visa merchants in quandary
- Swiping back: Praise for PCI Data Security Standard
- New PCI Council details changes to Data Security Standard
- TJX breach worse than originally feared
- PCI DSS assessors see lessons in TJX data breach
- First Data CISO calls for PCI DSS changes
- PCI DSS: The bar should not be lowered
- PCI Council adds new standard for payment applications
- In FTC settlement, TJX agrees to 20 years of audits
- PCI SSC launches assessor quality assurance program
- Expert predicts PCI DSS problems for retailers
- Heartland breach highlights PCI DSS limitations
- TJX, Heartland hacker sentenced to 20 years in prison
- PCI DSS 2.0 addresses secure coding, key management
- PCI DSS risk assessment methodology unique to each company
Explore other sections in this guide:
To force more security into the payment application development process, the Payment Card Industry Security Standards Council is adding a new provision to the PCI Data Security Standard (PCI DSS).
The council, which manages PCI DSS and the PCI PIN Entry Device (PED) security requirements, said Wednesday that the Payment Application Data Security Standard (PA-DSS) is based on Visa's Payment Application Best Practices (PABP). A preliminary draft of the standard has been distributed to the council's board of advisors, participating organizations, qualified security assessors and approved scanning vendors for feedback, which will be worked into the final version of PA-DSS in the first quarter of 2008.
"With the PA-DSS managed by the council, we will ensure that payment application providers and their products are subject to data security requirements consistent with the current PCI DSS," Bob Russo, general manager of PCI Security Standards Council, said in a statement. "As criminals become more sophisticated and payment application vulnerabilities are realized by our membership, we must ensure that all components of the payments process are subject to rigorous standards that are supported by all of the global payment card brands with a single goal in mind: to protect cardholder data and combat fraud."
The council noted that Visa created the standard to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 and PIN data, and support compliance with the PCI DSS. Internally developed applications by merchants and others are not currently subject to PCI PA-DSS but are subject to PCI DSS. PA-DSS is endorsed by all five global payment card brands: American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa Inc.
The addition of PA-DSS comes as merchants fight for more control over the data they store and as attackers target Web applications with growing zeal.
Last month the National Retail Federation (NRF) sent a letter to the Payment Card Industry (PCI) Security Standards Council asking for changes in how the credit card industry requires merchants to store credit card data. NRF Chief Information Officer David Hogan wrote that retailers should not have to store credit card numbers because doing so increases the risk that hackers will try to steal the information. Other experts have debunked that assessment, saying there's confusion over the storage rules and that merchants open themselves up to network break-ins by failing to institute well-rounded security policies. One PCI DSS auditor noted in an interview last week that merchants do not need to store a full credit card transaction record but that some banks mistakenly tell them they must. Also, many retailers purchased point-of-sale systems that store more data than necessary, the auditor said.
Since Visa created the PA-DSS to help software vendors and others develop payment applications that do not store prohibited data, the addition of the standard to PCI DSS may help to quell those concerns.
The new standard is also designed to address growing attacks against Web-based payment applications. Security experts have repeatedly warned that such applications are being developed and rushed into operation with no regard for security, making them easy targets for hackers. The standard is the council's attempt to address those who say developers must be better trained to work security into their applications.
The need for more security in the application development process has been a major theme at this week's Computer Security Institute (CSI) conference in Arlington, Va.