PA-DSS Compliance With Commerce Toolkit for Applications
Published by: pymnts on Mar 05, 2010
Business White Paper
PA-DSS Compliance and Commerce Toolkit for Applications
Published July 21, 2009 by IP Commerce (Commerce Lab, http://commercelab.ipcommerce.com)
In 2004, the payment card brands aligned their individual cardholder data protection programs to create the Payment Card Industry Data Security Standard (PCI DSS). This alignment in standards provides an industry-wide framework that forms the basis of each association's individual security programs. The objective of the individual programs is to compel merchants and payment service providers to enact measures that protect cardholder information. The goal of the PCI DSS is to specify the security controls required to protect cardholder data in the transaction-processing environment from end to end.

In addition to the operational controls specified by the PCI DSS, Visa developed a voluntary validation program called Payment Application Best Practices (PABP). Visa derived the PABP validation requirements from the PCI DSS. These best practices were designed to help software companies create secure payment applications. While PABP compliance was initially voluntary, by the end of 2008 the Payment Card Industry Security Standards Council (an association set up by American Express, Japan Credit Bureau, MasterCard, and VISA International to promote financial data security standards) sanctioned it as a mandatory standard and changed the name to Payment Application Data Security Standard (PA-DSS).
Visa’s Payment Application Security Mandates
In addition to the adoption of a specific standard, Visa has released mandates surrounding the use of secure payment applications by merchants accepting Visa cards (see http://usa.visa.com/merchants/risk_management/cisp_key_dates.html):
– Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications
– VNPs and agents must only certify new payment applications to their platforms that are PA-DSS compliant
– Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS-compliant applications
– VNPs and agents must decertify all vulnerable payment applications
– Acquirers must ensure their merchants, VNPs and agents use only PA-DSS compliant applications
Who is Affected by PA-DSS?
PA-DSS applies to software companies and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement, when these applications are sold, distributed, or licensed to third parties. Payment applications, when implemented according to PA-DSS and deployed in a PCI DSS compliant environment, should facilitate and support merchant-level PCI DSS compliance.
Why Compliance Matters
Right now, credit card processors are contacting your customers, requiring them to update to a PCI compliant environment or to use a PA-DSS compliant application as the 10/1/09 decertification mandate approaches. This means that software companies, VARs and SIs who do not develop or deploy PA-DSS compliant solutions will soon be left behind their competitors who do, and will rapidly lose their reseller base.

The payments industry is complicated; writing software is complicated; PA-DSS is complicated. Without the proper tools and guidance, a software company can easily lose its way. Leveraging IP Commerce tools, processes, and partners, software companies can achieve compliance in record time and at a greatly reduced cost. For more, see Appendix: Simplify Integration and Compliance with Commerce Toolkit for Applications.
Commerce Toolkit for Applications
Building a secure payment processing application is intricate enough, before even beginning to consider achieving PA-DSS compliance. Using Commerce Toolkit for Applications (CTA), developers can simplify the process of creating compliant payment applications. More information about the Toolkit is provided as an appendix to this document.

The Transaction API, provided with the Toolkit, gives an application what it needs to be ready to process an ever-growing number of electronic payment types from a wide variety of providers and processors. The API does all the heavy lifting associated with building transactions that can be processed over the IP Commerce Platform. It contains a layer of .NET classes that sits on top of the Payments Transaction Layer Switching (PTLS™) specification. (PTLS, developed, owned and provided by IP Commerce, is an XML software specification for payment transactions and other payments-related messages.) With the Transaction API, developers can create and populate service messages and then use the Toolkit to securely send the messages to the IP Commerce Platform, where they are routed to the appropriate service provider.

In addition to easing the load of payment-enabling an application, CTA also provides an essential set of tools for building payment applications that meet PA-DSS requirements, including: functionality for secure user authentication, key management, pre-persistence data processing (encryption, masking, removal of cardholder data), activity logging, and secure transport protocols.
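As an added illustration of the pre-persistence processing named above (masking and removal of cardholder data before anything is stored or written to an activity log), here is a small Python sanitiser. It is example code written for this edit, not CTA or IP Commerce code; the record field names and the sample record are constructed.

```python
"""Sanitise a payment record before it is persisted or logged.

Sensitive authentication data (card validation code, track data, PIN block)
is dropped outright, since PA-DSS forbids retaining it after authorization,
and the PAN is masked to first six / last four digits, the most PCI DSS
permits to be displayed. Field names are constructed for this example.
"""
import re
from copy import deepcopy

# Constructed field names: sensitive authentication data, never stored.
SAD_FIELDS = {"cvv2", "track1", "track2", "pin_block"}
# Constructed field names that carry a full PAN and must be masked.
PAN_FIELDS = {"pan"}
PAN_RE = re.compile(r"^\d{13,19}$")


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, replace the rest with '*'."""
    digits = pan.replace(" ", "").replace("-", "")
    if not PAN_RE.fullmatch(digits):
        raise ValueError("field does not look like a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_persistence(record: dict) -> dict:
    """Return a copy safe to write to a database: SAD removed, PAN masked."""
    clean = deepcopy(record)
    for key in list(clean):
        if key in SAD_FIELDS:
            del clean[key]          # removal of cardholder data
        elif key in PAN_FIELDS:
            clean[key] = mask_pan(clean[key])  # masking
    return clean


def scrub_log_line(line: str) -> str:
    """Mask any 13-19 digit run in free text before it reaches a log file."""
    return re.sub(r"\b\d{13,19}\b", lambda m: mask_pan(m.group(0)), line)


# Constructed sample authorization record; not real cardholder data.
SAMPLE = {
    "pan": "4111111111111111", "expiry": "12/29", "cvv2": "123",
    "track2": "4111111111111111=29121010000000000000", "amount": "19.99",
}

if __name__ == "__main__":
    print(sanitize_for_persistence(SAMPLE))
    print(scrub_log_line("auth ok pan=4111111111111111 amt=19.99"))
```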