Secure Payments, PCI DSS, Regulatory Compliance Blog

PCI SSC adds PA-DSS

April 15th, 2008 by admin Posted in PCI SSC, Payment Applications, pa-dss

Today the PCI SSC added a new standard to the running list of standards and documents it manages (PCI DSS, SAP, SAQ). We reported back in November of last year that this was going to happen. The Payment Application Data Security Standard (PA-DSS) is now formally a standard that the Council manages. Check out the press release here.

PA-DSS is the Council-managed program formerly managed by Visa Inc. and known as the Payment Application Best Practices (PABP). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, other sensitive authentication data or PIN data, and ensure their payment applications support compliance with the PCI DSS. PA-DSS requirements apply to payment applications that are sold, distributed or licensed to third parties. PA-DSS requirements do not apply to in-house payment applications developed by merchants or service providers that are not sold to a third party, but these applications must still be secured in accordance with the PCI DSS.

In addition to the standard itself, the Council has also released a frequently asked questions (FAQ) document for the PA-DSS.

Will the PCI SSC accept applications that have been previously validated under the existing Visa PABP program?

PCI SSC will recognize PABP validated payment applications and list them with the appropriate PABP version that they were validated against. For payment applications validated against pre-PABP version 1.3, they must undergo a PA-DSS assessment within twelve (12) months after the initial publication of the PCI SSC list, otherwise they will expire and will no longer be accepted for new deployments. For payment applications validated against PABP version 1.3, they must undergo a PA-DSS assessment within eighteen (18) months after the initial publication of the PCI SSC list. For payment applications validated against PABP version 1.4, they must undergo a PA-DSS assessment within twenty-four (24) months after the initial publication of the PCI SSC list. Please refer to the table in the Grandfathering PABP Applications section of the PA-DSS Program Guide for more details.

How will the migration to PA-DSS impact vendors previously validated under PABP? Read the FAQ!

Check out the full FAQ documentation for all the fine details. I’m happy there is so much information being released surrounding every document released by the Council!

Check out all the documents online:

3 Responses to “PCI SSC adds PA-DSS”

By Tyler Hannan on Apr 16, 2008

Michael,

Thanks for the links and detail. It is good to see this being codified.

As I mention on my blog, this is a major step in transitioning from certification being a “feature” to a necessity.

-tyler hannan

By Claude Bregeon on Dec 3, 2008

Morning,
is there any mandate regarding PA-DSS?
- has PCI-SSC the capacity (rights) to initiate mandates or is this right still attached to VISA, MCI?
Thanks.
CB, Paris, France

By Michael Dahn on Dec 9, 2008

The PCI SSC has adopted and rolled out the PA-DSS requirements. Remember the Council manages the standard while the Card Brands manage enforcement.
