Doug Payne, Chief Information Officer, Massage Envy Corporation
In response to a growing number of data security breaches, the major payment card brands have come together to form the Payment Card Industry Security Standards Council. Over the last few years, this council has developed a set of security requirements for all businesses that handle payment cards, including merchants, as well as software developers and manufacturers of applications used for payment card transactions.
Two of the major standards developed are the Payment Card Industry Data Security Standard (PCI DSS), for merchants and processors, and the Payment Application Data Security Standard (PA-DSS), for developers and integrators.
Several years ago, Visa developed the Payment Application Best Practices (PABP). The purpose of the program was to guide software vendors in creating secure applications. Another goal was to support merchants' overall compliance with PCI DSS.
Since its inception, however, there has been no widespread adoption of PABP. Without mandates or penalties, software vendors lacked a viable business case to justify the inordinate time and expense required to achieve compliance with PABP. All that changed on April 15, 2008, when the PCI Security Standards Council published the Payment Application Data Security Standard, PA-DSS. In doing so, Visa's PABP was effectively transitioned into an enforceable security standard.
PA-DSS applies to software developers and integrators of applications that store, process or transmit payment cardholder data as part of authorization or settlement, where those applications are sold, distributed or licensed to third parties.
PA-DSS requirements include:
1. Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2) or PIN block data
2. Provide secure password features
3. Protect stored cardholder data
4. Log application activity
5. Develop secure applications
6. Protect wireless transmissions
7. Test applications to address vulnerabilities
8. Facilitate secure network implementation
9. Do not store cardholder data on a server connected to the Internet
10. Facilitate secure remote software updates
11. Facilitate secure remote access to application
12. Encrypt sensitive traffic over public networks
13. Encrypt all non-console administrative access
14. Maintain instructional documentation and training programs for customers, resellers and integrators
Software vendors must now successfully pass a PA-DSS review, performed by independent assessors known as PA-QSAs. The Payment Card Industry Security Standards Council has published a list of PA-DSS compliant applications. Not being on that list could mean damage to a software provider's brand, financial liability or, perhaps worst, a loss of sales to merchants for whom PCI DSS compliance is essential.
Element offers two innovative solutions to help software providers become PA-DSS compliant. One is direct integration with Element's payment processing system, Element Express Processing Platform. The other is called Hosted Payments, which fully removes your application from the scope of PA-DSS compliance.
Key PA-DSS Deadlines:
To better understand what PA-DSS means for you, download our Guide to PCI Compliance for ISVs. You can also check out these top PA-DSS Blog Articles: