To force more security into the payment application development process, the Payment Card Industry Security Standards Council is adding a new provision to the PCI Data Security Standard (PCI DSS).
The council, which manages PCI DSS and the PCI PIN Entry Device (PED) security requirements, said Wednesday that the Payment Application Data Security Standard (PA-DSS) is based on Visa's Payment Application Best Practices (PABP). A preliminary draft of the standard has been distributed to the council's board of advisors, participating organizations, qualified security assessors and approved scanning vendors for feedback, which will be worked into the final version of PA-DSS in the first quarter of 2008.
"With the PA-DSS managed by the council, we will ensure that payment application providers and their products are subject to data security requirements consistent with the current PCI DSS," Bob Russo, general manager of PCI Security Standards Council, said in a statement. "As criminals become more sophisticated and payment application vulnerabilities are realized by our membership, we must ensure that all components of the payments process are subject to rigorous standards that are supported by all of the global payment card brands with a single goal in mind: to protect cardholder data and combat fraud."
The council noted that Visa created the standard to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 and PIN data, and support compliance with the PCI DSS. Internally developed applications by merchants and others are not currently subject to PCI PA-DSS but are subject to PCI DSS. PA-DSS is endorsed by all five global payment card brands: American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa Inc.
The addition of PA-DSS comes as merchants fight for more control over the data they store and as attackers target Web applications with growing zeal.
Last month the National Retail Federation (NRF) sent a letter to the Payment Card Industry (PCI) Security Standards Council asking for changes in how the credit card industry requires merchants to store credit card data. NRF Chief Information Officer David Hogan wrote that retailers should not have to store credit card numbers because doing so increases the risk that hackers will try to steal the information. Other experts have debunked that assessment, saying there's confusion over the storage rules and that merchants open themselves up to network break-ins by failing to institute well-rounded security policies. One PCI DSS auditor noted in an interview last week that merchants do not need to store a full credit card transaction record but that some banks mistakenly tell them they must. Also, many retailers purchased point-of-sale systems that store more data than necessary, the auditor said.
Since Visa created the PA-DSS to help software vendors and others develop payment applications that do not store prohibited data, the addition of the standard to PCI DSS may help to quell those concerns.
The new standard is also designed to address growing attacks against Web-based payment applications. Security experts have repeatedly warned that such applications are being developed and rushed into operation with no regard for security, making them easy targets for hackers. The standard is the council's attempt to address those who say developers must be better trained to work security into their applications.
The need for more security in the application development process has been a major theme at this week's Computer Security Institute (CSI) conference in Arlington, Va.