New payment application security standard on deck
PCI Security Standards Council set to bolster transaction security
By Ellen Messmer, Network World, 11/07/2007
The PCI Security Standards Council today said it intends to add a new standard to cover payment-application software.
The council, which defines the data-security standards required by businesses processing credit and debit cards, was formed
two years ago by payment-card associations, including American Express, Discover Financial Services, JCB, MasterCard Worldwide
and Visa. The council has already established the PCI Data Security Standard 1.1, with which merchants and service providers must comply as requested by their banks and the card associations. The new standard
will be called the Payment Application Data Security Standard (PA-DSS), and it will be based largely on Visa’s existing “Payment
Application Best Practices.”
“We will ensure that payment-application providers and their products are subject to data-security requirements consistent
with the current PCI Data Security Standard,” said Bob Russo, the council’s general manager.
Although Russo was not immediately available to discuss PA-DSS, the council published on its Web site a set of frequently asked
questions (FAQ) about what the new PA-DSS is intended to be.
“PA-DSS applies to software vendors and others who develop payment applications that store, process or transmit cardholder
data as part of authorization or settlement where these payment applications are sold or distributed by third parties,” the
council said in its FAQ.
The council did not publish a draft of the proposed new standard, noting that it’s necessary to be a member of the council
in order to see an advance copy of it.
In the FAQ on the council’s Web site, the council states, “Once the standard is finalized, the Council will be certifying
PA-DSS specific Qualified Security Assessors (QSA) to validate the payment applications and the Council will ultimately publish
a list of validated payment applications.”
There are already more than 60 QSAs that have been certified under the council’s procedures to perform audit reviews of businesses
to determine whether they comply with the PCI DSS 1.1 standard of today. The FAQ indicates that the council is likely to establish
a similar program to certify QSAs to review payment applications used by merchants.
“PA-DSS validated payment applications will minimize the potential of security breaches leading to compromise of full magnetic
stripe data, card validation codes and values, PINs and PIN blocks,” the council stated in its FAQ.
To the hypothetical question “What happens if a QSA approves a payment application for PA-DSS that I am using and I am breached?,”
the council’s FAQ responds, “Events such as these should be accounted for in any service contract with a software vendor.”