Chief Information Officer,
Massage Envy Corporation
In response to a growing number of data security breaches, the major payment card brands came together to form the Payment Card Industry Security Standards Council. Over the last few years, this council has developed a set of security requirements for every business that handles payment cards, including merchants, as well as for the developers and vendors of the applications used to process payment card transactions.
Two of the major standards it has produced are the Payment Card Industry Data Security Standard (PCI DSS), which applies to merchants and processors, and the Payment Application Data Security Standard (PA-DSS), which applies to software developers and integrators.
Several years ago, Visa developed the Payment Application Best Practices (PABP). The program was intended to guide software vendors in building secure payment applications and, in turn, to support merchants' overall compliance with PCI DSS.
Since its inception, however, PABP has not seen widespread adoption. Without mandates or penalties, software vendors lacked a viable business case to justify the considerable time and expense required to achieve compliance with PABP. In 2008 the PCI Security Standards Council published the Payment Application Data Security Standard, PA-DSS. With that publication, Visa's PABP was effectively transitioned into an enforceable security standard.
PA-DSS applies to software developers and integrators of applications that store, process or transmit payment cardholder data as part of authorization or settlement. It also applies to such applications when they are sold, distributed or licensed to
PA-DSS requirements include:
Software vendors must now pass a PA-DSS review performed by independent assessors known as PA-QSAs. The Payment Card Industry Security Standards Council publishes a list of PA-DSS validated applications. Not being on that list can mean damage to a software provider's brand, financial liability or, perhaps worst of all, a loss of sales to merchants for whom PCI DSS compliance is essential.
Element offers two solutions to help software providers become PA-DSS compliant. The first is direct integration with Element's payment processing system, the Element Express Processing Platform. The second is Hosted Payments, which fully removes your application from the scope of PA-DSS compliance.
Key PA-DSS Deadlines:
To better understand what PA-DSS means for you, download our Guide to PCI Compliance for ISVs. You can also read these top PA-DSS blog articles: