PCI Council Strengthens Data Security

Visa's Payment Application Best Practices program migrates to Council

WAKEFIELD, Mass. -- The PCI Security Standards Council, an open standards body providing management of the global PCI Data Security Standard (PCI DSS) and PCI PIN Entry Device (PED) Security Requirements, today announced that it is adding a new standard for payment application software.

The new standard called Payment Application Data Security Standard (PA-DSS) is based on Visa's Payment Application Best Practices (PABP). A preliminary draft of this standard has been distributed to the Council's Board of Advisors, participating organizations, Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) for their feedback. The Council will incorporate this feedback and publish a final version of the PA-DSS in the first quarter of 2008.

Visa created the PABP to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 and PIN data, and support compliance with the PCI DSS.

Internally developed applications by merchants and others are not subject to PCI PA-DSS but are subject to PCI DSS. Approximately 200 products used by a large number of merchants around the globe have already been validated against Visa's PABP and this number is expected to continue growing with the Council's adoption of PA-DSS. Payment applications adhering to the PA-DSS will minimize the potential for security breaches and the resultant fraud.

"With the PA-DSS managed by the Council, we will ensure that payment application providers and their products are subject to data security requirements consistent with the current PCI Data Security Standard," said Bob Russo, general manager, PCI Security Standards Council. "As criminals become more sophisticated and payment application vulnerabilities are realized by our membership, we must ensure that all components of the payments process are subject to rigorous standards that are supported by all of the global payment card brands with a single goal in mind: to protect cardholder data and combat fraud."

PCI Security Standards Council LLC