By Michael Petitti
Editor's Note: A version of this article originally appeared in the December 2007 issue of Trusted News, a TrustWave publication.
Be prepared. Two major announcements made in recent months will send merchants scrambling to their payment application vendors and merchant level salesperson (MLS) for guidance and clarity.
Visa Inc. and the Visa's Payment Application Best Practices (PABP), it's likely that a great number of these compromises would not have occurred.
Visa created PABP to prevent payment card compromises by guiding software vendors in developing payment applications that support a merchant's compliance with the PCI Data Security Standard (DSS). The PCI SSC and Visa detail plans to unify a payment application security standard and begin enforcing the use of adherent applications.
The PCI SSC took over management of PABP in November, and renamed it the Payment Application Data Security Standard (PA DSS). New standards are expected to be released by the first quarter 2008. (For more information, see "Farewell PABP, hello PA DSS," The Green Sheet, Nov. 26, 2007, issue 07:11:02)
While the PA DSS is based on the PABP and remain similar, feedback received from various stakeholders may alter the PA DSS slightly. While these differences will impact software developers, merchants will not likely be affected.
Merchants will not need to look into the detailed requirements of the PA DSS or comply with it per se - applications developed for internal use only must still comply with the PCI DSS. Merchants only need to ensure that the payment applications they use are certified as PA DSS compliant. (For a list of validated, PABP-adherent payment applications, visit http://usa.visa.com/download/merchants/validated_payment_applications.pdf)
Once the transition is complete, the PCI SSC will maintain the list of validated applications. MLSs should ensure that the payment applications they offer are on this list. If not, MLSs should consider removing the offering from their portfolio of products.
As with the PCI DSS, the council will maintain its position as governing body of the PA DSS. Enforcement will continue to fall under the authority of the individual card brands.
While the transfer of the PABP standard to the PCI council will increase awareness of payment card security and increase adoption of secure payment applications, Visa's recent announcement will probably have a more immediate effect on your merchant customers.
In October, Visa set forth a plan to mandate merchants' use of PABP-adherent (now PA DSS-adherent) applications. The plan entails a number of deadlines set by Visa to eradicate the use of vulnerable payment applications and payment applications that do not adhere to the PA DSS.
While the deadlines for the program are set for acquirers, VisaNet processors and agents because these organizations stand above merchants in the payment card acceptance process, the deadlines also apply to merchants.
Following are the specific mandates and deadlines Visa established:
It's likely that a number of current customers or potential customers will have questions about the new requirements.
Here are talking points to remember during these discussions:
Michael Petitti is Chief Marketing Officer of TrustWave and is responsible for all of the company's marketing initiatives. He serves on the Merchant Risk Council's board of advisers and on The Green Sheet Inc. Advisory Board. Call him at 312-873-7291 or e-mail him at firstname.lastname@example.org.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next