PA-DSS – Payment Application Data Security Standard
Software vendors often ask about their applications and what the payment industry security standards mean to them. The questions they ask are very insightful, so we thought we’d provide a more detailed look at the most critical components of PA-DSS compliance.
This should help you understand the PA-DSS and the complex issues surrounding it on a deeper level.
Any discussion of PA-DSS compliance should begin with a clear definition of PA-DSS. PA-DSS stands for Payment Application Data Security Standard. It was created by the major credit card brands (under the umbrella of the Payment Card Industry Security Standards Council) to combat the growing number of credit and debit cardholder data breaches. Seventy-five percent of all data security attacks are against software applications. The PA-DSS requires that every payment application that stores, processes or transmits cardholder data as part of authorization or settlement be validated by a Payment Application Qualified Security Assessor (PA-QSA), and that the validation be maintained as the application changes: each new version that affects the handling of cardholder data must be assessed again, and listed applications are revalidated annually. The PA-DSS applies to applications that are sold, distributed or licensed to third parties; software a merchant develops and uses only in-house is assessed as part of that merchant’s own PCI DSS compliance instead.
With so many acronyms out there, it is easy to become confused about the different standards. It is important to understand the difference between PCI DSS and PA-DSS. The PA-DSS applies to the software applications that store, process or transmit cardholder data, whereas the PCI DSS applies to the merchants and service providers that accept payment cards and operate the environment those applications run in. Using a PA-DSS validated application does not by itself make a merchant PCI DSS compliant; it removes one class of vulnerabilities (insecure storage of sensitive authentication data, hard-coded or shared credentials, unpatched known flaws in the application itself) from the merchant’s environment, and the application must still be installed and configured according to the vendor’s PA-DSS Implementation Guide. Both standards were created to protect consumer cardholder data.
Some people become further confused due to the evolution of standards. Understanding the difference between PA-DSS and PABP is important for all software vendors. PABP (Payment Application Best Practices) was Visa’s own program for payment application security; the PCI Security Standards Council adopted it as the basis for PA-DSS in 2008, so PABP-validated applications are the predecessors of PA-DSS validated ones rather than a competing standard.
In September 2006, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International formed the Payment Card Industry (PCI) Security Standards Council, an independent body designed to improve payment account security.
The PCI Security Standards Council serves as an advisory group and manages the underlying PCI security standards (PCI DSS, PA-DSS and the PIN Transaction Security requirements); it does not enforce them. Each payment card brand runs its own compliance program and sets its own deadlines for PCI compliance for both merchants and software providers.
Under Visa’s mandate, all payment applications had to be compliant with these standards by July 1, 2010 (Visa’s final security deadline), at which point acquirers must ensure their merchants use only PA-DSS validated applications; a merchant running an unvalidated application risks losing the ability to process Visa cards at all. As of October 1, 2009, VisaNet processors must decertify all vulnerable payment applications. While non-compliance with PA-DSS has not yet been addressed with fines, the card brands are addressing the issue by removing the ability to process payments entirely.
If it is any indication, MasterCard has begun fining merchants for non-compliance with PCI DSS.
To achieve PA-DSS compliance, software providers must undergo the process of validating their application. This involves a security assessment by a Payment Application Qualified Security Assessor (PA-QSA), plus the development time and expense needed to bring the application into compliance beforehand, such as removing any storage of full magnetic stripe, CVV2 or PIN block data, encrypting stored primary account numbers, eliminating default or hard-coded credentials, and producing the Implementation Guide that tells customers how to deploy the application securely. These PA-DSS certification costs generally range between $10,000 and $30,000. Some software providers also have the option of taking their application out of scope for PA-DSS by ensuring it never stores, processes or transmits cardholder data itself (for example, by handing card entry and authorization off to a separate, already validated payment component or hosted service), which cuts down on PA-DSS compliance costs.
While merchants could simply stop taking credit cards, customers using credit cards tend to spend two to three times more than customers who only carry cash or checks. And since the major credit card brands are accepted worldwide, accepting them exposes your business to customers from all around the globe, instead of just locally.