Payment industry receives first version of application security standard

Top Stories

Related

• Clues point to Jan. 13 release of Windows 7 beta
• Microsoft releases Vista SP2 beta
• Obama's DHS pick may find support for raising H-1B cap at confirmation hearing
• IBM wants info from Apple execs in Papermaster case
• License server glitch exposes SonicWall users to e-mail security threats
• Report: Former AOL chief exec tries to raise funds to buy Yahoo

• TriCipher launches hosted identity federation service
• Sun goes commercial with OpenSSO
• Update: Microsoft, IBM, VeriSign propose Web services security standards
• Baltimore to release SelectAccess 5.0 with SAML
• OASIS approves new single sign-on standard for e-business

Zone

The Security Zone With the mobility of employees and the ease with which external devices can be brought in and out of a network, continuing to build your security plan for network servers and clients is a must. Fortunately, there is much that organizations can do to protect themselves from attacks - internal and external. Having the right policies, procedures and server configurations is critical... Learn more in The Security Zone See All Zones

April 16, 2008 (Computerworld) Delivering on a promise it made last fall, the PCI Security Standards Council yesterday announced the first version of the new Payment Application Data Security Standard.

The PA-DSS is a set of broad-based security controls that vendors of payment-application software will need to include in their products over the next few years.

Among other things, the controls are intended to prevent payment software from automatically storing certain types of cardholder data while encrypting other types of data, provide for strong password controls, protect wireless transactions and log transaction activity.

Starting this fall, the council will start publishing and maintaining a list of payment applications that have been validated against the standard. The PA-DSS does not apply to payment applications that were developed in-house.

The standards are designed to address security concerns related to third-party payment applications used by retailers and other companies that accept credit card transactions. Many of these applications are old and lack several of the security controls mandated by the credit card companies under the PCI data security standard (See related interview with PCI Council General Manager Bob Russo.).

For instance, older payment software products are designed to capture and store certain kinds of cardholder data by default, even though the practice is explicitly banned under PCI guidelines. Similarly, older payment applications seldom have the transaction-logging capabilities that are required by PCI.

The PA-DSS was originally developed by Visa Inc. and was formerly known as Payment Application Best Practices (PABP). The company has been urging merchants to migrate to or install payment software that met PABP guidelines for some time. The company has already validated several products against the standard. Those validated products will be transitioned to the council's list of approved products later this year.

Last October, Visa issued a set of mandates under which it gave companies until July 1, 2010, to make sure that all their third-party point-of-sale and payment applications complied with the PABP. By that date, all companies are required to have either upgraded their software to PABP-compliant versions or migrated to new software.

Shortly after Visa announced the mandates, the council revealed that it was making PABP the industrywide security standard for payment applications, meaning that it is now not just a Visa standard but also a standard for American Express, MasterCard Worldwide, Discover and JCB International. At that time, the council had said it would work with participating organizations, security auditors and vulnerability scanning vendors to work on adapting PABP into a broader industry standard.

Today's announcement marks the culmination of that effort.