PCI standards body moves ahead on payment-application cert

PCI formally launches its payment-application security program

The PCI Security Standards Council, which establishes requirements for the payment-card industry, Tuesday formally launched its payment-application security program.

The Council announced the Payment Application Data Security Standard (PA-DSS) as an effort distinct from its older Data Security Standard 1.1 (DSS 1.1).

DSS 1.1 comprises a list of 12 broad-based security requirements that the payment-card associations and banks, which enforce compliance mandates, ask any business handling credit or debit cards to follow or face consequences, which could include fines or higher fees.

In contrast, the PA-DSS program is intended to cover testing and certification requirements for payment applications sold, distributed or licensed to third parties and installed off-the-shelf without much customization. The Council has published a frequently-asked questions document emphasizing that payment applications developed in-house by merchants or service providers are not subject to the PA-DSS requirements.

PA-DSS entails the Council assuming responsibility for Visa's Payment Application Best Practices program, with the Council's payment-brand membership, American Express, Discover Financial Services, JCB International and MasterCard, backing what had been only a Visa requirement for vendor-developed payment applications.

But more is on tap from the PCI Security Standards Council, says Bob Russo, its general manager. "Later this year we'll be rolling out a new version of the DSS," says Russo, noting this is expected to be in the September timeframe, with a possible 2.0 version.

Russo points out that the revised DSS will basically seek to clarify the 12-point DSS guidelines to answer questions that have come up, which are impacting decisions that businesses are making to comply with DSS 1.1

And there are many.

One security manager for a large US-based bank, who asked he not be named, says it's not clear whether a requirement for "segmentation" of the network for purposes of protecting card data means you have to use a LAN.

In another instance, the DSS 1.1 requirement for firewalls is subject to question. The Jericho Forum, an international organization of about 60 large multi-national companies dedicated to finding innovative e-commerce security methods, believes network firewalls may not be the best approach in all situations involving online collaboration.

Russo says he would be happy to open a dialog on the question of firewalls in order to hear about what could be viable alternatives. He said the Council is receiving input now to grasp the major questions about DSS.

Another change already envisioned for DSS entails making the so-called "6.6 requirement" for application security, now a voluntary process that calls for either buying a Web application gateway or performing a code review, mandatory this June.

Russo said the Council will issue guidance on this in the form of a White Paper next month. It will cover the topics of requirement for application security and explain how "payment application qualified security assessors" (PAQSA) will be named through an accreditation process.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ellen Messmer

Network World
Show Comments

Brand Post

Bitdefender 2019

Taking cybersecurity to the highest level and order now for a special discount on the world’s most awarded and trusted cybersecurity. Be aware without a care!

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?