The Green Sheet Online Edition
June 28, 2010 • Issue 10:06:02
The PA DSS deadline looms
The importance of the July 1, 2010, deadline for businesses to comply with the Payment Application Data Security Standard (PA DSS) should not be underestimated, according to industry experts who spoke with The Green Sheet. The PA DSS is primarily intended to guide software vendors in developing secure payment applications, in particular applications that do not retain sensitive authentication data such as full magnetic stripe contents, card verification codes or PINs after authorization, but the standard's reach extends to ISOs as well.
"I think it's critical that they are aware of it," said Ross Federgreen, founder of payments industry consultancy CSRSI, The Payment Advisors. "And it is reflected in what Visa does to audit the member banks, and therefore the processors: the audit is now going through to the level of the ISOs."
It is therefore incumbent on ISOs to ensure their merchants are using PA DSS compliant software, Federgreen added. And ISOs seem to understand that. "I really think that in this day and age the ISOs are very circumspect about selling terminals that do not have compliant software in them," he said. "They don't want to risk the liability.
"None of the ISOs that I have spoken to are interested in putting something on the street right now that is not compliant."
Federgreen said he knows of no defined penalty if merchants, processors or vendors are found noncompliant after the July 1 deadline passes. But the card brands could impose fines, and ISOs could lose their registration.
The PCI Security Standards Council (PCI SSC) authorizes Payment Application Qualified Security Assessors (PA QSAs) to assess payment applications and validate their compliance with the standard. One such PA QSA is Trustwave.
Keith Swiat, Director, Payment Application Practice, Global Compliance Services at Trustwave, said software vendors represent 99 percent of the clients for which Trustwave performs application assessments.
He said an application must meet two basic criteria to fall within the scope of the PCI SSC's program: it must be involved in the authorization or settlement of electronic transactions, and it must be an "off-the-shelf, shrink-wrapped application," such as one an ISO would buy from a third-party vendor as part of a POS terminal set-up. Software developed in-house for a single merchant falls outside PA DSS and is instead covered by that merchant's own PCI DSS assessment.
According to Swiat, a normal assessment of a functional application takes five to six weeks, and the PCI SSC then needs roughly another month to grant its approval, so vendors only now recognizing the approaching deadline cannot realistically expect to get an application through the process in under two weeks.
Like Federgreen, Swiat does not know what is going to happen to noncompliant vendors and merchants once the deadline passes. But he believes the presence of a deadline forces businesses to be aware of whether their software is compliant. "Unless you impose a deadline, people aren't really going to take it seriously," he said.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.