News

PCI council issues app for data-security standard

April 15, 2008

LAS VEGAS — The PCI Security Standards Council, a global team dedicated to supporting open-industry standards for management of the Payment Card Industry Data Security Standard, PCI PIN entry device security requirements and the Payment Application Data Security Standard, announced at the Electronic Transactions Association Annual Meeting and Expo the release of a new version of the Payment Application Data Security Standard.

According to a news release, the council expects to roll out a program this fall that will include maintenance of a list of validated payment applications. The list is expected to enable buyers to identify the payment applications that have been recognized by the PCI SSC and meet the new standard.

Increasingly criminals are targeting vulnerabilities in payment applications to steal payment card data, the council says, and some software may be storing sensitive card data on a user's system unknowingly.

"Many merchants and retailers rely on third-party software vendors for applications that run payment processing," said J. Joseph Finizio, executive director of the Retail Solutions Providers Association. "Having the council manage a globally recognized list of validated payment applications will make it easier for merchants of all sizes to select validated payment applications that are accepted by all the major payment brands, ensuring that cardholder data continues to be secure."

PA-DSS is the council-managed program formerly managed by Visa Inc. and known as the Payment Application Best Practices. The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, other sensitive authentication data or PIN data, and ensure their payment applications support compliance with the PCI DSS.