The Payment Card Industry Security Standards Council (PCISSC) will add a standard for payment software applications to its remit.
The Council manages the global standards for cardholder data security and for PIN-entry devices that the payment brands, such as Visa and MasterCard, require merchants to adhere to.
The new standard, called Payment Application Data Security Standard (PA-DSS), is based on Visa’s Payment Application Best Practices (PABP). A draft of the standard has been distributed to the Council’s advisory board, which includes Tesco, Wal-Mart and payments association Apacs, for them to give feedback.
Other participating bodies and suppliers that the Council has approved to carry out security audits and scans will also be able to voice their opinions before the standard is published in the first quarter of next year.
Visa created PABP to help software vendors, among others, develop payment applications that support merchants' compliance with the PCI's Data Security Standard (PCIDSS). Chief among its requirements is that an application must not retain prohibited sensitive authentication data after a transaction has been authorised: the full contents of the magnetic stripe (track data), the CVV2 (the Card Verification Value printed on the card and used to verify transactions not made in person) and PIN data. Under PCIDSS that prohibition applies even when the data would be stored encrypted, so an application that writes full track data or CVV2 to a log file, database or debug trace will fail validation regardless of any other controls.
About 200 applications used by merchants around the globe have been validated against Visa's PABP. The Council expects this number to grow with its adoption of PA-DSS. Note that PA-DSS covers only commercial payment software sold to merchants; applications that merchants have developed in-house will continue to be assessed under PCIDSS as part of the merchant's own environment, rather than validated under PA-DSS.
PCISSC general manager Bob Russo said: "As criminals become more sophisticated and payment application vulnerabilities are realised by our membership, we must ensure all components of the payments process are subject to rigorous standards that are supported by all of the global payment card brands with a single goal in mind: to protect cardholder data and combat fraud."