Payment industry receives first version of application security standard
New controls address security concerns in payment apps
Computerworld - Delivering on a promise it made last fall, the PCI Security Standards Council yesterday announced the first version of the new Payment Application Data Security Standard.
The PA-DSS is a set of broad-based security controls that vendors of payment-application software will need to include in their products over the next few years.
Among other things, the controls are intended to prevent payment software from automatically storing certain types of cardholder data while encrypting other types of data, provide for strong password controls, protect wireless transactions and log transaction activity.
Starting this fall, the council will start publishing and maintaining a list of payment applications that have been validated against the standard. The PA-DSS does not apply to payment applications that were developed in-house.
The standards are designed to address security concerns related to third-party payment applications used by retailers and other companies that accept credit card transactions. Many of these applications are old and lack several of the security controls mandated by the credit card companies under the PCI data security standard (See related interview with PCI Council General Manager Bob Russo.).
For instance, older payment software products are designed to capture and store certain kinds of cardholder data by default, even though the practice is explicitly banned under PCI guidelines. Similarly, older payment applications seldom have the transaction-logging capabilities that are required by PCI.
The PA-DSS was originally developed by Visa Inc. and was formerly known as Payment Application Best Practices (PABP). The company has been urging merchants to migrate to or install payment software that met PABP guidelines for some time. The company has already validated several products against the standard. Those validated products will be transitioned to the council's list of approved products later this year.
Last October, Visa issued a set of mandates under which it gave companies until July 1, 2010, to make sure that all their third-party point-of-sale and payment applications complied with the PABP. By that date, all companies are required to have either upgraded their software to PABP-compliant versions or migrated to new software.
Shortly after Visa announced the mandates, the council revealed that it was making PABP the industrywide security standard for payment applications, meaning that it is now not just a Visa standard but also a standard for American Express, MasterCard Worldwide, Discover and JCB International. At that time, the council had said it would work with participating organizations, security auditors and vulnerability scanning vendors to work on adapting PABP into a broader industry standard.
Today's announcement marks the culmination of that effort.
Read more about Security in Computerworld's Security Topic Center.
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!