The Payment Application Data Security Standard (PA-DSS), formerly referred to as Payment Application Best Practices (PABP), is a global security standard created by the Payment Card Industry Security Standards Council (PCI SSC). PA-DSS was implemented in an effort to provide a definitive data standard for software vendors that develop payment applications. The standard aims to prevent payment applications developed for third parties from storing prohibited sensitive data, including full magnetic stripe data, CVV2, or PIN. In the process, the standard also ensures that software vendors develop payment applications that comply with the Payment Card Industry Data Security Standard (PCI DSS).
Requirements
In order for payment applications to be considered PA-DSS compliant, software vendors should ensure that their software includes the following fourteen safeguards:
- Do not retain full track data, card verification codes or values (CAV2, CID, CVC2, CVV2), or PIN block data.
- Protect stored cardholder data.
- Provide a secure authentication feature.
- Log payment application activity.
- Develop secure payment apps.
- Protect wireless transmission.
- Test payment applications to address vulnerabilities and maintain payment application updates.
- Facilitate the deployment of secure networks.
- Cardholder data may not be stored on a server connected to the Internet.
- Facilitate secure remote access to payment applications.
- Encrypt sensitive traffic to the public network.
- Secure all non-console administrative access.
- Maintain a PA-DSS Implementation Guide for customers, resellers, and integrators.
- Assign PA-DSS responsibilities to personnel, and maintain training programs for personnel, customers, resellers, and integrators.
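As an added illustration of what the first, second and fourth requirements above ask of a payment application's own code, here is a small sanitizer that runs before any transaction record or log line is persisted: it drops sensitive authentication data (full track data, CVV2/CVC2/CID/CAV2, PIN block) and masks the PAN. This is example code written for this page, not code from PCI SSC, the standard, or any vendor; the field names, the regular expressions, the first-six/last-four masking rule and the sample record are my assumptions.

```python
"""Sanitizer illustrating PA-DSS requirements 1, 2 and 4: remove sensitive
authentication data before persistence, mask the PAN, and scrub log lines.
Added example, not PCI SSC or vendor code; field names are assumptions."""
import re

# Fields that must never be retained after authorization (assumed names).
PROHIBITED_FIELDS = {"track1", "track2", "cvv2", "cvc2", "cid", "cav2", "pin_block"}

# Track 1 as read from a card: %B<PAN>^<NAME>^<YYMM...>?
TRACK1_RE = re.compile(r"%?B\d{13,19}\^[^^]*\^\d{4,}[^?]*\??")
# Track 2 as read from a card: ;<PAN>=<YYMM...>?
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4,}\??")
# Bare PAN candidates: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check, used to tell a PAN from an arbitrary run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits; star out the middle."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_record(record: dict) -> dict:
    """Return a copy that is safe to persist: prohibited fields dropped, PAN masked."""
    clean = {k: v for k, v in record.items() if k.lower() not in PROHIBITED_FIELDS}
    if "pan" in clean:
        clean["pan"] = mask_pan(str(clean["pan"]))
    return clean


def scrub_log_line(line: str) -> str:
    """Redact track data and Luhn-valid PANs from free text before it is logged."""
    line = TRACK1_RE.sub("[TRACK1 REDACTED]", line)   # track 1 contains the PAN, so go first
    line = TRACK2_RE.sub("[TRACK2 REDACTED]", line)

    def _mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        # Non-Luhn digit runs (order ids, timestamps) are left untouched.
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)

    return PAN_RE.sub(_mask, line)


# Constructed sample record, as an application might hold it right after authorization.
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "track2": ";4111111111111111=25121011000000000?",
    "cvv2": "123",
    "pin_block": "0123456789ABCDEF",
    "amount": "12.50",
}

if __name__ == "__main__":
    print(sanitize_record(SAMPLE_RECORD))
    print(scrub_log_line("auth ok pan=4111111111111111 amount=12.50 ref=20240101"))
    print(scrub_log_line("raw=;4111111111111111=25121011000000000? ok"))
```

The record sanitizer enforces the rule by construction (a persistence layer that only ever receives `sanitize_record` output cannot store track data), while the log scrubber is the defensive backstop for free-text logging paths that developers forget about; in practice both would be wired into the single code path that writes to disk or to the logging framework.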
Governance and enforcement
PCI SSC maintains a list of payment applications that have been validated as PA-DSS compliant, updating the list as new applications are validated. The creation and enforcement of the standard currently rests with PCI SSC through the Payment Application Qualified Security Assessor (PA-QSA) program. PA-QSAs review payment applications to help software vendors ensure that an application complies with PCI standards.
History
Regulated initially by Visa Inc. under the PABP moniker, PA-DSS was launched on April 15, 2008 and updated on October 15, 2008. These two releases of PA-DSS were later retroactively distinguished as "version 1.1" and "version 1.2".
In October 2009, PA-DSS v1.2.1 was released with three changes noted:
- Under "Scope of PA-DSS", align the content with the PA-DSS Program Guide, v1.2.1, to clarify the applications to which PA-DSS applies.
- Under Laboratory Requirement 6, correct the spelling of "OWASP."
- In the Attestation of Validation, Section 2a, update "Payment Application Functionality" to be consistent with the application types listed in the PA-DSS Program Guide, and clarify the annual re-validation procedure in Section 3b.
In October 2010, PA-DSS 2.0 was released, described as: update and implement minor changes from v1.2.1 and align with the new PCI DSS v2.0. For details, see PA-DSS - Summary of Changes from PA-DSS Versions 1.2.1 through 2.0.
In November 2013, PA-DSS 3.0 was released, described as: updates from PA-DSS v2. For details of the changes, see PA-DSS - Summary of Changes from PA-DSS Versions 2.0 through 3.0.
In May 2015, PA-DSS 3.1 was released, described as: updates from PA-DSS v3.0. See PA-DSS - Summary of Changes from PA-DSS Version 3.0 to 3.1 for details of the changes.
In May 2016, version 3.2 of the PA-DSS Program and Standard Guides was released. For details, see Summary of Changes from PA-DSS Versions 3.1 to 3.2.
Congressional Concern
On March 31, 2009, the United States House of Representatives' Committee on Homeland Security convened to discuss the current PCI DSS requirements. Representatives such as Yvette Clarke (D-NY) expressed an interest in strengthening the standard, while others, such as Bennie Thompson (D-Miss.), expressed doubts that an industry-made standard would be sufficient in the future. While Congress's attention has been focused on PCI DSS, criticism of card-issuer standards may ultimately bring the focus of Congress, or of legislation, onto PA-DSS and onto PCI SSC as an entity.
Future
The future of these standards is somewhat uncertain, with Congressional attention increasing the likelihood of government intervention. Regardless, meeting the standards can prove costly and time consuming for software vendors, with the cost of current PA-DSS certification exceeding that of other compliance methods. Given the compliance and certification costs, current or yet-undetermined alternatives may emerge in the PCI compliance standards market. Visa USA announced a more aggressive push toward chip-and-PIN technology in August 2011.
Additional information
PCI SSC has published additional materials that further clarify PA-DSS, including the following:
- PA-DSS requirements and security assessment procedures.
- Changes from the previous standard.
- General program guide for QSAs.
Source of the article : Wikipedia