The Payment Application Data Security Standard (PA-DSS)
The Payment Application Data Security Standard (PA-DSS) refers to a set of requirements that are geared toward aiding software vendors in developing, implementing, and maintaining secure payment applications that can be used to protect the credit card data of consumers. Moreover, the PA-DSS also works to ensure that businesses and organizations do not unnecessarily retain certain categories of personal data, including the CVV numbers of credit cards, as well as security pin numbers, among other pertinent financial information. This being said, the Payment Card Industry Security Standards Council (PCI-SSC) created the PA-DSS in 2008 for the purpose of replacing Visa’s Payment Application Best Practices (PABP). The PABP, much like PA-DSS, was intended to aid software vendors in creating safe payment applications, but the standard ultimately failed to gain widespread acceptance or adoption.
To this point, the PCI-SSC regulates PA-DSS compliance, in addition to PCI-DSS compliance, although these two financial standards apply to different companies and organizations. This being the case, software applications that a particular merchant or software vendor develops in-house are exempt from the requirements of the PA-DSS, in contrast to the PCI-DSS, which applies to all businesses, merchants, vendors, and other relevant third parties that collect and process cardholder data with any significant volume. Likewise, just as is the case with the PCI-DSS, software vendors that process cardholder data must adhere to certain responsibilities in order to maintain compliance with the PA-DSS.
What is the scope and applicability of the PA-DSS?
As it pertains to the scope and applicability of the PA-DSS, the standards apply “to software vendors and others who develop payment applications that store, process, or transmit cardholder data and/or sensitive authentication data. If one or more PA-DSS requirements cannot be met by the payment application directly, they may be satisfied indirectly by controls tested as part of the PCI PTS validation.” Alternatively, as it concerns the scope of the PA-DSS, the rules cover “all payment application functionality”, which includes error conditions, end-to-end payment functions, including authorization and settlement, encryption and authentication mechanisms, and all data flows of cardholder data, among other things. On top of this, the PA-DSS also mandates that software vendors provide customers with the information they need to “implement the payment application in a PCI DSS-compliant manner.”
What are the PA-DSS compliance requirements?
In order for a software vendor to achieve compliance with the PA-DSS, said vendors must adhere to the following requirements when collecting, processing, or storing cardholder data:
- Software vendors are prohibited from retaining the magnetic stripes of CVV numbers, card validation codes and values, and PIN block data.
- Software vendors are responsible for providing consumers with secure password features.
- Software vendors are required to protect any stored cardholder data.
- Software vendors must log all activities that are undertaken within their respective applications.
- Software vendors must develop and maintain payment applications that are secure.
- Software vendors are required to protect all wireless transmission of financial information.
- Software vendors are responsible for testing software applications for any potential vulnerabilities, as well as addressing such vulnerabilities should they be discovered.
- Software vendors must facilitate the secure implementation of their networks.
- Software vendors are forbidden from storing cardholder data on any server that is connected to the internet.
- Software vendors are responsible for facilitating remote software updates.
- Software vendors have a duty to encrypt sensitive data and traffic that is transmitted over public networks.
- Software vendors are responsible for encrypting all non-console administrative access.
- Software vendors are required to create and maintain training programs and instructional documentation that can be utilized by customers, integrators, and resellers alike.
In conjunction with the PCI-DSS, the PA-DSS stands as the foremost means by which consumers around the world can be assured that their financial information will be safeguarded when they are making payments with their credit, debit, and prepaid cards. As online payment functionality has become such a pivotal part of e-commerce on a global scale, rules such as the PA-DSS and the PCI-DSS are very much needed, as a consumer living in Amsterdam that wants to buy an article of clothing from a U.S.-based clothing retailer must have the peace of mind that their financial information will remain confidential and secure at all times when doing so.