The Green Sheet Online Edition
December 26, 2007 • Issue 07:12:02
Visa, PCI council make security move
Editor's Note: A version of this article originally appeared in the December 2007 issue of Trusted News, a TrustWave publication.
Be prepared. Two major announcements made in recent months will send merchants scrambling to their payment application vendors and merchant level salesperson (MLS) for guidance and clarity.
Visa Inc. and the Visa's Payment Application Best Practices (PABP), it's likely that a great number of these compromises would not have occurred.
Visa created PABP to prevent payment card compromises by guiding software vendors in developing payment applications that support a merchant's compliance with the PCI Data Security Standard (DSS). The PCI SSC and Visa detail plans to unify a payment application security standard and begin enforcing the use of
The PCI SSC took over management of PABP in November, and renamed it the Payment Application Data Security Standard (PA DSS). New standards are expected to be released by the first quarter 2008. (For more information, see "Farewell PABP, hello PA DSS," The Green Sheet, Nov. 26, 2007, issue 07:11:02)
While the PA DSS is based on the PABP and remains similar to it, feedback received from various stakeholders may alter the PA DSS slightly. While these differences will impact software developers, merchants will not likely be affected.
Merchants will not need to look into the detailed requirements of the PA DSS or comply with it per se - applications developed for internal use only must still comply with the PCI DSS. Merchants only need to ensure that the payment applications they use are certified as PA DSS compliant. (For a list of validated, PABP-adherent payment applications, visit http://usa.visa.com/download/merchants/validated_payment_applications.pdf)
Once the transition is complete, the PCI SSC will maintain the list of validated applications. MLSs should ensure that the payment applications they offer are on this list. If not, MLSs should consider removing the offering from their portfolio of products.
As with the PCI DSS, the council will maintain its position as governing body of the PA DSS. Enforcement will continue to fall under the authority of the individual card brands.
While the transfer of the PABP standard to the PCI council will increase awareness of payment card security and increase adoption of secure payment applications, Visa's recent announcement will probably have a more immediate effect on your merchant customers.
Calendar of events
In October, Visa set forth a plan to mandate merchants' use of PABP-adherent (now PA DSS-adherent) applications. The plan entails a number of deadlines set by Visa to eradicate the use of vulnerable payment applications and payment applications that do not adhere to the PA DSS.
While the deadlines for the program are set for acquirers, VisaNet processors and agents because these organizations stand above merchants in the payment card acceptance process, the deadlines also apply to merchants.
Following are the specific mandates and deadlines Visa established:
- Jan. 1, 2008 - Merchants cannot use payment applications identified by Visa as vulnerable. For a list of these vulnerable payment applications, contact your acquirer.
- July 1, 2008 - VisaNet processors and agents cannot grant access to their network to new payment applications that are not PA DSS certified.
- Oct. 1, 2008 - Newly boarded level 3 or 4 merchants must prove their PCI compliance or use PA DSS-adherent payment applications.
- Oct. 1, 2009 - Payment applications identified by Visa as vulnerable will be decommissioned from the Visa network.
- July 1, 2010 - Merchants must use PA DSS-adherent applications to accept Visa transactions.
Field of queries
It's likely that a number of current customers or potential customers will have questions about the new requirements.
Here are talking points to remember during these discussions:
- The PA DSS does not supplant the PCI DSS.
- The PA DSS supplements the PCI DSS.
- The card brands will continue to require that merchants comply with the PCI DSS.
- Visa is the only card brand thus far that will require the use of PA DSS-compliant payment applications, but other card brands are likely to follow.
Michael Petitti is Chief Marketing Officer of TrustWave and is responsible for all of the company's marketing initiatives. He serves on the Merchant Risk Council's board of advisers and on The Green Sheet Inc. Advisory Board. Call him at 312-873-7291 or e-mail him at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.