Business White Paper
PA-DSS Compliance and Commerce Toolkit for Applications from Commerce Lab
http://commercelab.ipcommerce.com
In 2004, the payment card brands aligned their individual cardholder data protection programs to create the Payment Card Industry Data Security Standard (PCI DSS). This alignment in standards provides an industry-wide framework that forms the basis of each association’s individual security programs. The objective of the individual programs is to compel merchants and payment service providers to enact measures that protect cardholder information. The goal of the PCI DSS is to specify the security controls required to protect cardholder data in the transaction-processing environment from end to end.

In addition to the operational controls specified by the PCI DSS, Visa developed a voluntary validation program called Payment Application Best Practices (PABP). Visa derived the PABP validation requirements from the PCI DSS. These best practices were designed to help software companies create secure payment applications. While PABP compliance was initially voluntary, by the end of 2008 the Payment Card Industry Security Standards Council (an association set up by American Express, Japan Credit Bureau, MasterCard, and VISA International to promote financial data security standards) sanctioned it as a mandatory standard and changed the name to Payment Application Data Security Standard (PA-DSS).
Visa’s Payment Application Security Mandates
– Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications
– VNPs and agents must only certify new payment applications to their platforms that are PA-DSS compliant
– Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS-compliant applications
– VNPs and agents must decertify all vulnerable payment applications
– Acquirers must ensure their merchants, VNPs and agents use only PA-DSS compliant applications
Who is Affected by PA-DSS?
PA-DSS applies to software companies and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement, when these applications are sold, distributed, or licensed to third parties. A payment application that is implemented according to PA-DSS, and deployed in a PCI DSS compliant environment, should facilitate and support the merchant's own PCI DSS compliance.