Payment industry receives first version of application security standard
New controls address security concerns in payment apps
Computerworld - Delivering on a promise it made last fall, the PCI Security Standards Council yesterday announced the first version of the new Payment Application Data Security Standard.
The PA-DSS is a set of broad-based security controls that vendors of payment-application software will need to include in their products over the next few years.
Among other things, the controls are intended to prevent payment software from automatically storing certain types of cardholder data while encrypting other types of data, provide for strong password controls, protect wireless transactions and log transaction activity.
Starting this fall, the council will start publishing and maintaining a list of payment applications that have been validated against the standard. The PA-DSS does not apply to payment applications that were developed in-house.
The standards are designed to address security concerns related to third-party payment applications used by retailers and other companies that accept credit card transactions. Many of these applications are old and lack several of the security controls mandated by the credit card companies under the PCI data security standard (See related interview with PCI Council General Manager Bob Russo.).
For instance, older payment software products are designed to capture and store certain kinds of cardholder data by default, even though the practice is explicitly banned under PCI guidelines. Similarly, older payment applications seldom have the transaction-logging capabilities that are required by PCI.
The PA-DSS was originally developed by Visa Inc. and was formerly known as Payment Application Best Practices (PABP). The company has been urging merchants to migrate to or install payment software that met PABP guidelines for some time. The company has already validated several products against the standard. Those validated products will be transitioned to the council's list of approved products later this year.
Last October, Visa issued a set of mandates under which it gave companies until July 1, 2010, to make sure that all their third-party point-of-sale and payment applications complied with the PABP. By that date, all companies are required to have either upgraded their software to PABP-compliant versions or migrated to new software.
Shortly after Visa announced the mandates, the council revealed that it was making PABP the industrywide security standard for payment applications, meaning that it is now not just a Visa standard but also a standard for American Express, MasterCard Worldwide, Discover and JCB International. At that time, the council had said it would work with participating organizations, security auditors and vulnerability scanning vendors to work on adapting PABP into a broader industry standard.
Today's announcement marks the culmination of that effort.
Read more about Security in Computerworld's Security Topic Center.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!