/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow UsUK: The Payment Card Industry Security Standards Council has announced a new standard for payment application software. This moves some of the security burden relating to card payments from the merchant to the software vendor. The Payment Application Data Security Standard (PA-DSS) is developed from the Visa Payment Application Best Practice.
The large number of applications that already conform to PABP should be easy to certify under PA-DSS. PA-DSS is due to be published in Q1 2008. It will join the existing PCI Data Security Standard that is currently being rolled out across all card merchants and the PCI PIN Entry Device (PED) Security requirements.
The standard does not place any liability on the software vendor apart from the requirement to be developed and tested in accordance with the standard.
Ovum says: "Payment application vendors will be set mandatory procedures and tests before they can ship their applications. Merchants should find it easier to pass their PCI-DSS examinations if they use applications that have been shown to satisfy the PCI requirements.
"The standard does not place any liability on the software vendor apart from the requirement to be developed and tested in accordance with the standard. This is an advance on the current situation where software vendors have no formal obligation to make their products fit for purpose. It should end the cases of litigation between these vendors and their customers, the merchants."
Some questions remain to be answered. The most pressing one is to decide what level of testing is needed for new versions of a product and how these relate to the scale of the modifications.
Ovum adds: "This standard is further evidence of the way in which the information security community is turning its attention to application security, rather than relying on network security. This is welcome. We have often been critical of the slow progress of enforcement of security standards by the PCI. This new standard shows that the PCI is taking a holistic view of the security situation. This is also welcome."
PCI is different from most of the other compliance standards around at the moment in being precise and prescriptive about what players have to do, rather than in specifying just the end points. Partially, this is because the vast and diverse body of card merchants around the world requires precise guidance.
The danger of such a prescriptive approach is that hackers only have to find one loophole in the standard and they have a global gold mine to exploit. However, this is a risk worth taking, Ovum concludes.