GS Logo
The Green Sheet, Inc

Please Log in

Banner Ad
View Archives

View PDF of this issue

Care to Share?


Table of Contents

Lead Story

Payments under the radar no more

News

Industry Update

FTC bites YMA

NACHA clarifies ACH rules

W.net spreads the mentoring net

VeriFone vows to fix faulty accounting

Fifth Third banks on gift card kiosks

PayPal eyeing more merchants

Free terminals are thorny

Features

New ATM security measures tackle fraud

Uwe Krause
ATMMarketplace.com

Views

Rock, paper, electronics

Patti Murphy
The Takoma Group

Run from mean streets to clean streets

Steve Schwimmer
Renaissance Merchant Services

Education

Street SmartsSM:
New year, new plan

Dee Karawadra
Impact PaySystem

MLS or ISO: Which one are you?

Adam Atlas
Attorney at Law

Visa, PCI council make security move

Michael Petitti
TrustWave

E-mail: It takes a plan

Nancy Drexler
Marketing Moguls

Receipts still reveal too much

David Mertz
Compliance Security Partners LLC

Company Profile

Credomatic USA

Barclay Square Leasing Inc.

New Products

Dialing for digital content

Bill2Phone
BSG Clearing Solutions

Card printer of a different stripe

Zebra P100i
Zebra Card Printer Solutions

Inspiration

Before you move on

Miscellaneous

AstroloGS

POScript

Departments

Resource Guide

Datebook

Skyscraper Ad

The Green Sheet Online Edition

December 26, 2007  •  Issue 07:12:02

previous next

Visa, PCI council make security move

By Michael Petitti

Editor's Note: A version of this article originally appeared in the December 2007 issue of Trusted News, a TrustWave publication.

Be prepared. Two major announcements made in recent months will send merchants scrambling to their payment application vendors and merchant level salesperson (MLS) for guidance and clarity.

Visa Inc. and the Visa's Payment Application Best Practices (PABP), it's likely that a great number of these compromises would not have occurred.

Visa created PABP to prevent payment card compromises by guiding software vendors in developing payment applications that support a merchant's compliance with the PCI Data Security Standard (DSS). The PCI SSC and Visa detail plans to unify a payment application security standard and begin enforcing the use of adherent applications.

Total takeover

The PCI SSC took over management of PABP in November, and renamed it the Payment Application Data Security Standard (PA DSS). New standards are expected to be released by the first quarter 2008. (For more information, see "Farewell PABP, hello PA DSS," The Green Sheet, Nov. 26, 2007, issue 07:11:02)

While the PA DSS is based on the PABP and remain similar, feedback received from various stakeholders may alter the PA DSS slightly. While these differences will impact software developers, merchants will not likely be affected.

Merchants will not need to look into the detailed requirements of the PA DSS or comply with it per se - applications developed for internal use only must still comply with the PCI DSS. Merchants only need to ensure that the payment applications they use are certified as PA DSS compliant. (For a list of validated, PABP-adherent payment applications, visit http://usa.visa.com/download/merchants/validated_payment_applications.pdf)

Once the transition is complete, the PCI SSC will maintain the list of validated applications. MLSs should ensure that the payment applications they offer are on this list. If not, MLSs should consider removing the offering from their portfolio of products.

As with the PCI DSS, the council will maintain its position as governing body of the PA DSS. Enforcement will continue to fall under the authority of the individual card brands.

While the transfer of the PABP standard to the PCI council will increase awareness of payment card security and increase adoption of secure payment applications, Visa's recent announcement will probably have a more immediate effect on your merchant customers.

Calendar of events

In October, Visa set forth a plan to mandate merchants' use of PABP-adherent (now PA DSS-adherent) applications. The plan entails a number of deadlines set by Visa to eradicate the use of vulnerable payment applications and payment applications that do not adhere to the PA DSS.

While the deadlines for the program are set for acquirers, VisaNet processors and agents because these organizations stand above merchants in the payment card acceptance process, the deadlines also apply to merchants.

Following are the specific mandates and deadlines Visa established:

Field of queries

It's likely that a number of current customers or potential customers will have questions about the new requirements.

Here are talking points to remember during these discussions:

Michael Petitti is Chief Marketing Officer of TrustWave and is responsible for all of the company's marketing initiatives. He serves on the Merchant Risk Council's board of advisers and on The Green Sheet Inc. Advisory Board. Call him at 312-873-7291 or e-mail him at mpetitti@atwcorp.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | Harbortouch | USAePay | IRISCRM.COM | Humboldt Merchant Services