The Green Sheet Online Edition

June 28, 2010  •  Issue 10:06:02


The PA DSS deadline looms

The importance of the July 1, 2010, deadline for businesses to comply with the Payment Application (PA) Data Security Standard (DSS) should not be underestimated, according to industry experts who spoke with The Green Sheet. The PA DSS, which is primarily intended to guide software vendors in the development of secure payment applications that do not store cardholder data, also applies to ISOs.

"I think it's critical that they are aware of it," said Ross Federgreen, founder of payments industry consultancy CSRSI, The Payment Advisors. "And it is reflected in what Visa does to audit the member banks, and therefore the processors, is that the audit is now going through to the level of the ISOs."

It is therefore incumbent on ISOs to ensure their merchants are using PA DSS compliant software, Federgreen added. And ISOs seem to understand that. "I really think that in this day and age the ISOs are very circumspect about selling terminals that do not have compliant software in it," he said. "They don't want to risk the liability. None of the ISOs that I have spoken to are interested in putting something on the street right now that is not compliant."

Federgreen said he knows of no defined penalty if merchants, processors or vendors are found noncompliant after the July 1 deadline passes. But the card brands could impose fines, and ISOs could lose their registration, he noted.

Shrink-wrapped solutions

The PCI Security Standards Council (PCI SSC) authorizes PA QSAs (qualified security assessors) to perform assessments on payment applications to ensure compliancy. One such PA QSA is Trustwave.

Keith Swiat, Director, Payment Application Practice, Global Compliance Services at Trustwave, said software vendors represent 99 percent of the clients Trustwave performs application assessments for.

He said the software itself must meet two basic sets of criteria in order to fall under the PCI SSC's guidelines: it must be involved in the authorization or settlement functions of electronic transactions and it must also be considered an "off-the-shelf, shrink-wrapped application," such as one an ISO would buy from a third-party vendor as part of a POS terminal set-up.

According to Swiat, a normal assessment for a functional application could take five to six weeks and another month for the PCI SSC to grant its approval, so it is unrealistic for vendors just recognizing the approaching deadline to expect to get applications through the process in under two weeks.

Like Federgreen, Swiat does not know what is going to happen to noncompliant vendors and merchants once the deadline passes. But he believes the presence of a deadline forces businesses to be aware of whether their software is compliant. "Unless you impose a deadline, people aren't really going to take it seriously," he said.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
