Secure Payments, PCI DSS, Regulatory Compliance Blog

PCI SSC adopts PABP as PA-DSS

November 7th, 2007 by admin Posted in Card Brands, Merchant, PCI PIN, Payment Applications, Point of Sale, pa-dss

In early September the PCI SSC added the PIN Entry Device (PED) standard to its dossier of oversight items. Then at the end of September it announced the success of the first ever Community Meeting for Participating Organizations.

Now in early November it is starting the transition of the Payment Application Best Practices (PABP) from Visa, renaming it the Payment Application Data Security Standard (PA-DSS). This follows on the heels of the recently released Visa Payment Application Security Mandates.

It is important to focus on this area because it shows a strong push towards the security of smaller merchants (i.e. Levels 2-4). It is widely known that many small merchants use similar point of sale (POS) technology and that the greatest risk to those merchants comes from the compromise of systems that store sensitive authentication data.

By turning the best-practice document into a standard and then enforcing it with hard deadlines for compliance, the industry is delivering a one-two punch to insecure systems and helping to eliminate fraud in the smaller merchant arena.

4 Responses to “PCI SSC adopts PABP as PA-DSS”

By PG on Nov 8, 2007

    I think the biggest part of this announcement (assuming it's most relevant to software developers) is that the PA-DSS only applies to commercial or redistributed software. In-house (non-distributed) apps only fall under the requirements of PCI DSS.

    With the expectation that PA-DSS is going to require recertification for every new build of the software, I can tell you this is a huge relief to me as a developer at a PSP.

By Michael Dahn on Nov 8, 2007

    @PG, you are correct that the PA-DSS only applies to software that is resold, while all in-house developed software will fall under the requirements of the PCI DSS (section 6).

    The question of when a software vendor would need to recertify their payment application requires a little more conversation, as it is more art than science and may differ per application. The intent is only on major builds, because there are requirements in the PA-DSS that address patch management and updates.

2 Trackback(s)

  - Nov 8, 2007: PCI DSS application standard will boost security — Security Bytes
  - Apr 15, 2008: PCI Blog - Compliance Demystified » Blog Archive » PCI SSC adds PA-DSS
