PCI council unveils payment application standard
The council announced on Tuesday that it is making available version 1.1 of the PA-DSS (Payment Application Data Security Standard) to complement two other standards it already administers -- the well-known PCI-DSS, a 12-step mandate for safeguarding credit card information, and the PCI PIN Entry Device (PED) standard, which governs devices that accept Visa or MasterCard PINs.
All five major card brands have agreed to the new payment application standard, which lays out 14 separate requirements for software developers who build programs that process credit card payments, said Bob Russo, general manager of the PCI Security Standards Council.
"It's the weakest link out there," Russo told SCMagazineUS.com on Wednesday. "The application is always the way they get in, and if they don't get in that way they always try to get in that way."
By taking over control of the standard, the council will be responsible for training qualified security assessors (QSAs), who will be tasked with vetting and approving payment applications that live up to the requirements.
The guidelines include protecting wireless transmissions and prohibiting the retention of magnetic stripe data, Russo said.
Currently, Visa is the only card brand that requires its member merchants to deploy applications that comply with the standard, he said. That may change now that the council is taking the lead role.
A Visa spokesman said the company could not comment on the announcement, but planned to post information related to the standard on its website this week.
Even though the council oversees all three standards related to credit card security, the card brands are responsible for penalizing any offenders.