PA-DSS


The Payment Application Data Security Standard (PA-DSS), formerly referred to as the Payment Application Best Practices (PABP), is the global security standard created by the Payment Card Industry Security Standards Council (PCI SSC).[1] PA-DSS was implemented in an effort to provide the definitive data standard for software vendors that develop payment applications. The standard aims to prevent payment applications developed for third parties from storing prohibited secure data, including magnetic stripe, CVV2, or PIN data. In doing so, the standard also dictates that software vendors develop payment applications that are compliant with the Payment Card Industry Data Security Standards (PCI DSS).


Requirements

For a payment application to be deemed PA-DSS compliant, software vendors must ensure that their software includes the following 14 protections:[2]

1. Do not retain full magnetic stripe, card validation code or value, or PIN block data.
2. Protect stored cardholder data.
3. Provide secure authentication features.
4. Log payment application activity.
5. Develop secure payment applications.
6. Protect wireless transmissions.
7. Test payment applications to address vulnerabilities.
8. Facilitate secure network implementation.
9. Cardholder data must never be stored on a server connected to the internet.
10. Facilitate secure remote software updates.
11. Facilitate secure remote access to payment application.
12. Encrypt sensitive traffic over public networks.
13. Encrypt all non-console administrative access.
14. Maintain instructional documentation and training programs for customers, resellers, and integrators.

Governance & Enforcement

PCI SSC has compiled a list of payment applications that have been validated as PA-DSS compliant, with the list updated to reflect compliant payment applications as they are developed. Creation and enforcement of these standards currently rests with PCI SSC via Payment Application-Qualified Security Assessors (PA-QSA). PA-QSAs conduct payment application reviews that help software vendors ensure that applications are compliant with PCI standards.

History

Governed originally by Visa Inc., under the PABP moniker, PA-DSS was launched on April 15, 2008 and updated on October 15, 2008. PA-DSS then became retroactively distinguished as “version 1.1”[3] and “version 1.2”[4].

Congressional Attention

On March 31, 2009, the United States House of Representatives’ Committee on Homeland Security convened to discuss the current PCI DSS requirements.[5] Representatives such as Yvette Clarke (D-NY) expressed interest in increasing the strength of standards, while others, such as Bennie Thompson (D-Miss.), expressed doubt that industry-created standards would be sufficient in the future.[6] While Congressional attention was focused largely on PCI DSS, the criticism of card-issuer standards could eventually bring Congressional or legal focus on PA-DSS and on PCI SSC as an entity.

Future

The future of these standards is somewhat vague, with Congressional attention giving rise to the possibility of governmental intervention. Regardless, meeting the standards can prove expensive and time-consuming for software vendors, with the current expense of PA-DSS certification outpacing other methods of compliance.[7] Given the cost of compliance and certification, current or as-yet-undetermined alternatives could emerge in the PCI standards compliance market. Visa USA announced a more aggressive push into such technology (PIN and chip) in August 2011 (Visa press release).

Supplemental Information

The PCI SSC has published additional materials that further clarify PA-DSS, including the following:

  • PA-DSS Requirements and security assessment procedures.[8]
  • Changes from past standards.[9]
  • General program guide for QSAs.[10]


Wikimedia Foundation. 2010.
