Payment industry receives first version of application security standard

New controls address security concerns in payment apps

By Jaikumar Vijayan
April 16, 2008 12:00 PM ET

Computerworld - Delivering on a promise it made last fall, the PCI Security Standards Council yesterday announced the first version of the new Payment Application Data Security Standard.

The PA-DSS is a set of broad-based security controls that vendors of payment-application software will need to include in their products over the next few years.

Among other things, the controls are intended to prevent payment software from automatically storing certain types of cardholder data, encrypt other types of data, provide for strong password controls, protect wireless transactions and log transaction activity.

Starting this fall, the council will publish and maintain a list of payment applications that have been validated against the standard. The PA-DSS does not apply to payment applications that were developed in-house.

The standards are designed to address security concerns related to third-party payment applications used by retailers and other companies that accept credit card transactions. Many of these applications are old and lack several of the security controls mandated by the credit card companies under the PCI data security standard. (See related interview with PCI Council General Manager Bob Russo.)

For instance, older payment software products are designed to capture and store certain kinds of cardholder data by default, even though the practice is explicitly banned under PCI guidelines. Similarly, older payment applications seldom have the transaction-logging capabilities that are required by PCI.

The PA-DSS was originally developed by Visa Inc. and was formerly known as Payment Application Best Practices (PABP). The company has been urging merchants to migrate to or install payment software that met PABP guidelines for some time. The company has already validated several products against the standard. Those validated products will be transitioned to the council's list of approved products later this year.

Last October, Visa issued a set of mandates under which it gave companies until July 1, 2010, to make sure that all their third-party point-of-sale and payment applications complied with the PABP. By that date, all companies are required to have either upgraded their software to PABP-compliant versions or migrated to new software.

Shortly after Visa announced the mandates, the council revealed that it was making PABP the industrywide security standard for payment applications, meaning that it is now not just a Visa standard but also a standard for American Express, MasterCard Worldwide, Discover and JCB International. At that time, the council said it would work with participating organizations, security auditors and vulnerability scanning vendors to adapt PABP into a broader industry standard.

Today's announcement marks the culmination of that effort.
