The PCI Security Standards Council today said it intends to add a new standard to cover payment-application software.
The council, which defines the data-security standards required by businesses processing credit and debit cards, was formed two years ago by payment-card associations, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa. The council has already established the PCI Data Security Standard 1.1 that merchants and service providers must comply with as requested by their banks and the card associations. The new standard will be called the Payment Application Data Security Standard (PA-DSS), and it will be largely based on Visa’s existing “Payment Application Best Practices.”
“We will ensure that payment-application providers and their products are subject to data-security requirements consistent with the current PCI Data Security Standard,” said Bob Russo, the council’s general manager.
Although Russo was not immediately available to discuss PA-DSS, the council published on its Web site a set of frequently asked questions (FAQ) about what the new PA-DSS is intended to be.
“PA-DSS applies to software vendors and others who develop payment applications that store, process or transmit cardholder data as part of authorization or settlement where these payment applications are sold or distributed by third parties,” the council said in its FAQ.
The council did not publish a draft of the proposed new standard, noting that it’s necessary to be a member of the council in order to see an advance copy of it.
In the FAQ on the council’s Web site, the council states, “Once the standard is finalized, the Council will be certifying PA-DSS specific Qualified Security Assessors (QSA) to validate the payment applications and the Council will ultimately publish a list of validated payment applications.”
More than 60 QSAs have already been certified under the council’s procedures to perform audit reviews of businesses to determine whether they comply with the current PCI DSS 1.1 standard. The FAQ indicates that the council is likely to establish a similar program to certify QSAs to review payment applications used by merchants.
“PA-DSS validated payment applications will minimize the potential of security breaches leading to compromise of full magnetic stripe data, card validation codes and values, PINs and PIN blocks,” the council stated in its FAQ.