Doug Payne, Chief Information Officer, Massage Envy Corporation
In response to a growing number of data security breaches, the major payment card brands have come together to form the Payment Card Industry Security Standards Council. Over the last few years, this council has developed a set of security requirements for all businesses that handle payment cards, including merchants, as well as software developers and manufacturers of applications used for payment card transactions.
Two of the major standards developed are the Payment Card Industry Data Security Standard (PCI DSS), for merchants and processors, and the Payment Application Data Security Standard (PA-DSS), for developers and integrators.
Several years ago, Visa developed the Payment Application Best Practices (PABP). The purpose of the program was to guide software vendors in creating secure applications. Another goal was to support merchants' overall compliance with PCI DSS.
Since its inception, however, PABP has seen no widespread adoption. Without mandates or penalties, software vendors lacked a viable business case to justify the inordinate time and expense required to achieve compliance with PABP. In 2008 the PCI Security Standards Council published the Payment Application Data Security Standard, PA-DSS. With that publication, Visa's PABP was effectively transitioned into an enforceable security standard.
PA-DSS applies to software developers and integrators of applications that store, process or transmit payment cardholder data as part of authorization or settlement. It covers such applications when they are sold, distributed or licensed to third parties.
PA-DSS requirements include:
Software vendors must now successfully pass a PA-DSS review, performed by independent assessors known as PA-QSAs. The Payment Card Industry Security Standards Council has published a list of PA-DSS compliant applications. Not being on that list could mean damage to a software provider's brand, financial liability or, perhaps worst of all, a loss of sales to merchants for whom PCI DSS compliance is essential.
Element offers two innovative solutions to help software providers become PA-DSS compliant. One is direct integration with Element's payment processing system, Element Express Processing Platform. The other is called Hosted Payments, which fully removes your application from the scope of PA-DSS compliance.
Key PA-DSS Deadlines:
To better understand what PA-DSS means for you, download our Guide to PCI Compliance for ISVs. You can also check out these top PA-DSS Blog Articles: