PCI council to take over secure application standard

Share this article:

The body charged with managing and promoting the Payment Card Industry Data Security Standard (PCI DSS) announced today it will soon administer another set of merchant guidelines involving secure payment systems.

The PCI Security Standards Council is expected to take over the nearly three-year-old Payment Application Best Practices standard, formerly run by Visa, in the first quarter of next year. The program determines and lists which qualified security assessor (QSA)-approved software should be used by retailers to process credit card transactions and meet compliance requirements.

Under PCI Security Standards Council guidance, the benchmark will become known as the Payment Application Data Security Standard (PA DSS) and complement the existing 12-step PCI DSS standard that merchants must follow to safeguard credit card information.

"It will be one global standard, as opposed to just a Visa standard and not a MasterCard or a Discover or an AmEx standard," Bob Russo, general manager of the PCI council, told SCMagazineUS.com today.

The council will be responsible for training and validating QSAs who will analyze vendor point-of-sale systems to ensure they do not store prohibited data, such PIN and CVV2 numbers, he said.

"Anyplace that stores or transmits data in any way, shape or form could be a weak link in the system," Russo said.

Gordon Rapkin, president and chief executive officer of data security firm Protegrity, told SCMagazineUS.com today that the announcement indicates the council is taking a more proactive role in defining what specific solutions merchants should use to meet compliance.

"I think it's the first step toward the PCI Security Standards Council providing a definition of what technology products meet their standards," he said. "I think there's other emerging technology areas where the PCI standard is requiring things, but merchants are saying, ‘How do I know if [the solution] is a good one or if it will be satisfactory?'"

Share this article:

Sign up to our newsletters

More in News

HMRC offers shaky explanation on plans to sell taxpayer data

The UK revenue agency is considering selling anonymized taxpayer data to third parties.

Cyber gang that stole $2 million from Barclays sentenced to 24 years

Nine men were sentenced this week, with the group's leader getting five-and-a-half years.

DDoS attack almost crashes children's hospital website

Officials haven't confirmed a DDoS scheme, but noted the attackers hit the hospital's website with large attacks designed to overwhelm it with traffic.