The Green Sheet Online Edition
November 26, 2007 • Issue 07:11:02
Farewell PABP, hello PA DSS
The Payment Card Industry (PCI) Security Standards Council, which manages the PCI Data Security Standard (DSS) and the PCI PIN Entry Device Security Requirements, just took another step forward in ensuring protection of cardholder account information.
The council adopted the Payment Application Data Security Standard (PA DSS), based on Visa Inc.'s Payment Application Best Practices (PABP).
This new standard will give the council the ability to establish and promote criteria for secure applications in all payment card transactions.
Secure payment applications help promote merchant PCI DSS compliance. When implemented in a PCI DSS-compliant environment, PA DSS validated applications will minimize the potential for security breaches that lead to compromises of magnetic stripe data, card validation codes and values, PINs, and PIN blocks.
The PA DSS applies to all payment application providers, but individual payment brands will determine whether the standards will be mandatory.
"With the PA DSS managed by the council, we will ensure that payment application providers and their products are subject to data security requirements consistent with the current PCI Security Standards Council," said Bob Russo, General Manager of the council.
"As criminals become more sophisticated and payment application vulnerabilities are realized by our membership, we must ensure that all components of the payments process are subject to rigorous standards that are supported by all of the global payment card brands with a single goal in mind: to protect cardholder data and combat fraud," he said.
Reinforcing data security
The PCI council's assumption of responsibility for the PA DSS brings certain benefits:
- The five major global payment brands - American Express Co., Discover Financial Services, JCB International Credit Card Co., MasterCard Worldwide and Visa - will cooperate in lending support.
- It will be easier to standardize security requirements, Qualified Security Assessor (QSA) testing and lab methodologies, and approval processes for payment applications.
- A single entity will oversee global standards and establish a common foundation for widespread adoption of secure payment applications.
A final version of the PA DSS will be published in the first quarter of 2008. Thereafter, the PCI council will certify PA DSS specific QSAs to validate the payment applications.
A list of frequently asked questions about the PA DSS is available at www.pcisecuritystandards.org.