PA-DSS
Encyclopedia
The Payment Application Data Security Standard (PA-DSS), formerly referred to as the Payment Application Best Practices (PABP), is the global security standard created by the Payment Card Industry Security Standards Council (PCI SSC).
PA-DSS was implemented in an effort to provide the definitive data standard for software vendors that develop payment applications. The standard aims to prevent developed payment applications for third parties from storing prohibited secure data including magnetic stripe, CVV2, or PIN
.
In that process, the standard also dictates that software vendors develop payment applications that are compliant with the Payment Card Industry Data Security Standards (PCI DSS
).
Creation and enforcement of these standards currently rests with PCI SSC via Payment Application-Qualified Security Assessor
s (PA-QSA). PA-QSAs conduct payment application reviews that help software vendors ensure that applications are compliant with PCI standards.
’ Committee on Homeland Security
convened to discuss the current PCI DSS
requirements.
Representatives such as Yvette Clark (D-NY) expressed interest in increasing the strength of standards while others, such as Bennie Thompson
(D-Miss.) expressed doubt that industry created standards would be sufficient in the future.
While Congressional attention was focused largely on PCI DSS
, the criticism of card-issuer standards could eventually bring Congressional or legal focus on PA-DSS and on PCI SSC as an entity.
Regardless, meeting standards can prove expensive and time consuming for software vendors, with the current expense of PA-DSS certification outpacing other methods of compliance. Given the cost of compliance and certification, current or as of yet undetermined alternatives could emerge in the PCI standards compliance market.
Visa USA announced a more aggressive push into such technology (pin and chip) in Aug 2011. Visa Press Release
PA-DSS was implemented in an effort to provide the definitive data standard for software vendors that develop payment applications. The standard aims to prevent developed payment applications for third parties from storing prohibited secure data including magnetic stripe, CVV2, or PIN
Personal identification number
A personal identification number is a secret numeric password shared between a user and a system that can be used to authenticate the user to the system. Typically, the user is required to provide a non-confidential user identifier or token and a confidential PIN to gain access to the system...
.
In that process, the standard also dictates that software vendors develop payment applications that are compliant with the Payment Card Industry Data Security Standards (PCI DSS
PCI DSS
The Payment Card Industry Data Security Standard is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards....
).
Requirements
For a payment application to be deemed PA-DSS compliant, software vendors must ensure that their software includes the following 14 protections:| Requirements: |
| 1. Do not retain full magnetic stripe, card validation, code or value, or PIN block data. |
| 2. Protect stored cardholder data. |
| 3. Provide secure authentication features. |
| 4. Log payment application activity. |
| 5. Develop secure payment applications. |
| 6. Protect wireless transmissions. |
| 7. Test payment applications to address vulnerabilities. |
| 8. Facilitate secure network implementation. |
| 9. Cardholder data must never be stored on a server connected to the internet. |
| 10. Facilitate secure remote software updates. |
| 11. Facilitate secure remote access to payment application. |
| 12. Encrypt sensitive traffic over public networks. |
| 13. Encrypt all non-console administrative access. |
| 14. Maintain instructional documentation and training programs for customers, resellers, and integrators. |
Governance & Enforcement
PCI SSC has compiled a list of payment applications that have been validated as PA-DSS compliant, with the list updated to reflect compliant payment applications as they are developed.Creation and enforcement of these standards currently rests with PCI SSC via Payment Application-Qualified Security Assessor
Qualified Security Assessor
The Payment Card Industry Qualified Security Assessor designation is conferred by the to those individuals that meet specific information security education requirements, have taken the appropriate training from the PCI Security Standards Council, are employees of an , and will be performing PCI...
s (PA-QSA). PA-QSAs conduct payment application reviews that help software vendors ensure that applications are compliant with PCI standards.
History
Governed originally by Visa Inc., under the PABP moniker, PA-DSS was launched on April 15, 2008 and updated on October 15, 2008. PA-DSS then became retroactively distinguished as “version 1.1” and “version 1.2”.Congressional Attention
On March 31, 2009, the United States House of RepresentativesUnited States House of Representatives
The United States House of Representatives is one of the two Houses of the United States Congress, the bicameral legislature which also includes the Senate.The composition and powers of the House are established in Article One of the Constitution...
’ Committee on Homeland Security
Homeland security
Homeland security is an umbrella term for security efforts to protect states against terrorist activity. Specifically, is a concerted national effort to prevent terrorist attacks within the U.S., reduce America’s vulnerability to terrorism, and minimize the damage and recover from attacks that do...
convened to discuss the current PCI DSS
PCI DSS
The Payment Card Industry Data Security Standard is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards....
requirements.
Representatives such as Yvette Clark (D-NY) expressed interest in increasing the strength of standards while others, such as Bennie Thompson
Bennie Thompson
Bennie G. Thompson, is the U.S. Representative for , serving since 1993, and the ranking member of the Committee on Homeland Security since 2011. He is a member of the Democratic Party....
(D-Miss.) expressed doubt that industry created standards would be sufficient in the future.
While Congressional attention was focused largely on PCI DSS
PCI DSS
The Payment Card Industry Data Security Standard is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards....
, the criticism of card-issuer standards could eventually bring Congressional or legal focus on PA-DSS and on PCI SSC as an entity.
Future
The future of these standards is somewhat vague, with Congressional attention giving rise to the possibility of governmental intervention.Regardless, meeting standards can prove expensive and time consuming for software vendors, with the current expense of PA-DSS certification outpacing other methods of compliance. Given the cost of compliance and certification, current or as of yet undetermined alternatives could emerge in the PCI standards compliance market.
Visa USA announced a more aggressive push into such technology (pin and chip) in Aug 2011. Visa Press Release
Supplemental Information
The PCI SSC has published additional materials that further clarify PA-DSS, including the following:- PA-DSS Requirements and security assessment procedures.
- Changes from past standards.
- General program guide for QSAs.