Payment industry receives first version of application security standard
New controls address security concerns in payment apps
Computerworld - Delivering on a promise it made last fall, the PCI Security Standards Council yesterday announced the first version of the new Payment Application Data Security Standard.
The PA-DSS is a set of broad-based security controls that vendors of payment-application software will need to include in their products over the next few years.
Among other things, the controls are intended to prevent payment software from automatically storing certain types of cardholder data while encrypting other types of data, provide for strong password controls, protect wireless transactions and log transaction activity.
Starting this fall, the council will start publishing and maintaining a list of payment applications that have been validated against the standard. The PA-DSS does not apply to payment applications that were developed in-house.
The standards are designed to address security concerns related to third-party payment applications used by retailers and other companies that accept credit card transactions. Many of these applications are old and lack several of the security controls mandated by the credit card companies under the PCI data security standard (See related interview with PCI Council General Manager Bob Russo.).
For instance, older payment software products are designed to capture and store certain kinds of cardholder data by default, even though the practice is explicitly banned under PCI guidelines. Similarly, older payment applications seldom have the transaction-logging capabilities that are required by PCI.
The PA-DSS was originally developed by Visa Inc. and was formerly known as Payment Application Best Practices (PABP). The company has been urging merchants to migrate to or install payment software that met PABP guidelines for some time. The company has already validated several products against the standard. Those validated products will be transitioned to the council's list of approved products later this year.
Last October, Visa issued a set of mandates under which it gave companies until July 1, 2010, to make sure that all their third-party point-of-sale and payment applications complied with the PABP. By that date, all companies are required to have either upgraded their software to PABP-compliant versions or migrated to new software.
Shortly after Visa announced the mandates, the council revealed that it was making PABP the industrywide security standard for payment applications, meaning that it is now not just a Visa standard but also a standard for American Express, MasterCard Worldwide, Discover and JCB International. At that time, the council had said it would work with participating organizations, security auditors and vulnerability scanning vendors to work on adapting PABP into a broader industry standard.
Today's announcement marks the culmination of that effort.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts