PCI DSS Council adding new standard for payment applications

By Bill Brenner, Senior News Writer
08 Nov 2007 | SearchSecurity.com


To force more security into the payment application development process, the Payment Card Industry Security Standards Council is adding a new provision to the PCI Data Security Standard (PCI DSS).

The council, which manages PCI DSS and the PCI PIN Entry Device (PED) security requirements, said Wednesday that the Payment Application Data Security Standard (PA-DSS) is based on Visa's Payment Application Best Practices (PABP). A preliminary draft of the standard has been distributed to the council's board of advisors, participating organizations, qualified security assessors and approved scanning vendors for feedback, which will be worked into the final version of PA-DSS in the first quarter of 2008.

"With the PA-DSS managed by the council, we will ensure that payment application providers and their products are subject to data security requirements consistent with the current PCI DSS," Bob Russo, general manager of PCI Security Standards Council, said in a statement. "As criminals become more sophisticated and payment application vulnerabilities are realized by our membership, we must ensure that all components of the payments process are subject to rigorous standards that are supported by all of the global payment card brands with a single goal in mind: to protect cardholder data and combat fraud."

The council noted that Visa created the standard to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 and PIN data, and that support compliance with the PCI DSS. Applications developed internally by merchants and others are not currently subject to PA-DSS, but they remain subject to PCI DSS. PA-DSS is endorsed by all five global payment card brands: American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa Inc.

The addition of PA-DSS comes as merchants fight for more control over the data they store and as attackers target Web applications with growing zeal.

Last month the National Retail Federation (NRF) sent a letter to the Payment Card Industry (PCI) Security Standards Council asking for changes in how the credit card industry requires merchants to store credit card data. NRF Chief Information Officer David Hogan wrote that retailers should not have to store credit card numbers because doing so increases the risk that hackers will try to steal the information. Other experts have debunked that assessment, saying there's confusion over the storage rules and that merchants open themselves up to network break-ins by failing to institute well-rounded security policies. One PCI DSS auditor noted in an interview last week that merchants do not need to store a full credit card transaction record but that some banks mistakenly tell them they must. Also, many retailers purchased point-of-sale systems that store more data than necessary, the auditor said.

Since Visa created the PA-DSS to help software vendors and others develop payment applications that do not store prohibited data, the addition of the standard to PCI DSS may help to quell those concerns.
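The storage rule described above (no full magnetic-stripe data, CVV2 or PIN data after authorization, and no more of the transaction record than is needed) is concrete enough to check mechanically. The following is an added illustration, not code from the PCI Council, Visa or any point-of-sale vendor: it scans a transaction record for fields that must never be persisted, including track data or a full PAN leaking into a free-text field, and returns the reduced record an application may keep, with the PAN truncated. The field names, regular expressions and sample record are constructed assumptions for this example, not PA-DSS definitions.

```python
"""Storage checks for the PA-DSS rule that sensitive authentication data
(full track data, CVV2, PIN data) must never be stored after authorization.

Added illustration, not code from the PCI Council or any vendor; field
names, patterns and the sample record are constructed for this example.
"""
import re

# Fields a payment application must never persist (names are assumptions).
PROHIBITED_FIELDS = {"track1", "track2", "cvv2", "pin", "pin_block"}

# Fields that may be retained; the PAN only in truncated form.
ALLOWED_FIELDS = {"pan", "expiry", "cardholder_name", "auth_code",
                  "amount", "merchant_id"}

# Track 2: PAN, '=' separator, expiry YYMM, service code, discretionary data.
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}\d{3}\d*\??")
# Track 1: '%B', PAN, '^' name '^', expiry, service code, discretionary data.
TRACK1_RE = re.compile(r"%?B\d{13,19}\^[^^]{2,26}\^\d{4}\d*\??")
# A bare 13-19 digit run that might be a full PAN in free text.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to cut false positives on free-text scans."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits of the PAN; mask the rest."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_prohibited(record: dict) -> list:
    """Return the names of fields in `record` that must not be stored."""
    hits = []
    for key, value in record.items():
        if key in PROHIBITED_FIELDS:
            hits.append(key)
            continue
        text = str(value)
        if TRACK1_RE.search(text) or TRACK2_RE.search(text):
            # track data hiding inside an otherwise permitted field
            hits.append(key)
        elif key != "pan":
            # a full, Luhn-valid PAN in a notes/log field is also a finding
            for m in PAN_RE.finditer(text):
                if luhn_ok(m.group()):
                    hits.append(key)
                    break
    return hits


def sanitize_for_storage(record: dict) -> dict:
    """Return the subset of `record` the application may persist."""
    flagged = set(find_prohibited(record))
    kept = {}
    for key, value in record.items():
        if key in flagged or key not in ALLOWED_FIELDS:
            continue  # drop prohibited fields and anything not whitelisted
        kept[key] = truncate_pan(value) if key == "pan" else value
    return kept


# Constructed sample: what a careless POS system might hand to its database.
SAMPLE_RECORD = {
    "merchant_id": "M-0001",
    "amount": "42.00",
    "pan": "4111111111111111",            # well-known test PAN
    "expiry": "2512",
    "cardholder_name": "TEST CARDHOLDER",
    "cvv2": "123",
    "track2": ";4111111111111111=25121011000012345678?",
    "notes": "retry after decline, card 4111111111111111",
    "auth_code": "A1B2C3",
}

if __name__ == "__main__":
    print("prohibited fields:", find_prohibited(SAMPLE_RECORD))
    print("safe to store:", sanitize_for_storage(SAMPLE_RECORD))
```

Run as a script it reports the `cvv2`, `track2` and `notes` fields as findings and prints the reduced record with the PAN masked to its last four digits. The whitelist approach in `sanitize_for_storage` is deliberate: an application that only ever persists fields it has a stated need for cannot accidentally keep a "full transaction record" of the kind the auditor quoted above describes.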

The new standard is also designed to address growing attacks against Web-based payment applications. Security experts have repeatedly warned that such applications are being developed and rushed into operation with no regard for security, making them easy targets for hackers. The standard is the council's attempt to address those who say developers must be better trained to work security into their applications.

The need for more security in the application development process has been a major theme at this week's Computer Security Institute (CSI) conference in Arlington, Va.
