Matt Curci, Epicor
What is PABP? Payment Application Best Practices (PABP) is a best-practice standard developed for payment application vendors by Visa. The requirements were derived from the PCI Data Security Standard (PCI-DSS) and developed to facilitate PCI-DSS compliance. Visa has established a mandate that all merchants, VNPs and agents utilize PABP- and Payment Application Data Security Standard (PA-DSS)-compliant applications by July 1, 2010. This mandate has been established for the United States and Canada.
What constitutes a payment application? A payment application is defined as an application that stores, processes or transmits cardholder data as part of authorization or settlement, where these applications are sold, distributed or licensed to third parties.
What is PA-DSS? PA-DSS stands for Payment Application Data Security Standard. Visa's PABP standard was adopted by the PCI Security Standards Council (PCI SSC) in April 2008 and released as PA-DSS. Today, it is recognized by the major credit card brands (Visa, MasterCard, American Express, Discover Financial Services and JCB International) as the data security standard for payment applications.
Why did the PCI SSC assume responsibility for the administration of PABP/PA-DSS? Assuming responsibility for the administration of PABP/PA-DSS has allowed the five major card brands to support the same program. The goal was standardization: standardization of the security requirements, of the Qualified Security Assessor (QSA) testing and lab methodology, and of the approval process for payment applications.
What is the scope of PA-DSS? PA-DSS applies to payment applications that are sold, distributed or licensed to third parties. It applies to payment applications that are typically sold and installed "off the shelf" without much customization by software vendors.
PA-DSS applies to payment applications that are provided in modules, which typically include a "baseline" module and other modules specific to customer types or functions, or customized to meet customer specifications. PA-DSS applies to the baseline module if that module is performing payment functions.
What is not in scope of PA-DSS? PA-DSS does not apply to applications that are not payment applications as defined by the PCI Security Standards Council (PCI SSC), but store cardholder data.
PA-DSS does not apply to payment applications that are developed for and sold to only one customer since this application will be covered as part of the customer's normal PCI-DSS compliance review. It is important to note that such an application is sold to only one customer and is designed and developed according to customer-provided specifications.
PA-DSS does not apply to payment applications developed by merchants or service providers if used only in-house (not sold, distributed or licensed to a third party) since in-house developed payment applications would be covered as part of the merchant's or service provider's normal PCI-DSS compliance.
When did PA-DSS come into effect? The effective date of the PA-DSS standard was Oct. 1, 2008. Prior to this date, all assessments were completed under Visa's PABP program. After Oct. 1, 2008, all new assessments were performed under PA-DSS.
How long will the PA-DSS standard be in effect? PA-DSS v 1.2 was released on Oct. 1, 2008 and is valid for two years.
What is the PCI Security Standards Council and what is its role? The PCI Security Standards Council is an open global forum that is responsible for the development, management, education and awareness of the PCI Security Standards, including the Data Security Standard (PCI-DSS), the Payment Application Data Security Standard (PA-DSS) and the PIN Entry Device (PED) Requirements.
It provides the following functions:
- Functions as the central repository for PA-DSS Reports on Validation (ROVs)
- Performs Quality Assurance reviews of PA-DSS ROVs to confirm report consistency and quality
- Lists PA-DSS validated payment applications
- Qualifies and trains PA-QSAs to perform PA-DSS reviews
- Maintains and updates the PA-DSS standard and related documentation according to a standards lifecycle management process
What is the role of the credit card brands with regards to PA-DSS? The credit card brands (Visa, MasterCard, American Express, Discover Financial Services and JCB International) are responsible for developing and enforcing programs related to PA-DSS compliance. This includes any requirements, mandates or dates for use of the PA-DSS compliant payment applications or implications of non-compliance.
How does a payment application get validated under PABP or PA-DSS? For a payment application to be validated, the application vendor must engage a PA-QSA (Payment Application Qualified Security Assessor) company that is certified by the PCI SSC. The PA-QSA validates adherence to the PA-DSS and submits a Report on Validation (ROV) to the PCI SSC for evaluation and acceptance.
How can I determine if an application has been PABP or PA-DSS validated? The PCI Security Standards Council Web site provides a list of validated applications. The list provides the company name, the name and version of the validated application, deployment dates, revalidation date and expiry date.
Once an application is validated under PA-DSS, when does the validation expire? Once an application is validated under PA-DSS, the validation must be renewed each year. The PCI SSC has defined a specific procedure for revalidating applications, both those that have made changes that impact the security of the payment application and those that have not.
Are PABP-validated applications required to be validated under PA-DSS? No, PABP-validated applications are not required to be validated under PA-DSS. PABP-validated applications are grandfathered under PA-DSS.
What does it mean if a PABP-validated application is grandfathered under PA-DSS? An application that was validated under PABP and is grandfathered under PA-DSS is acceptable for new deployments and can continue to be marketed and sold for the grandfathering period. Applications that were validated under PABP version 1.3 are grandfathered for 18 months. Applications that were validated under PABP version 1.4 are grandfathered for 24 months.
What happens to PABP-validated applications after the grandfathering period expires? If an application was validated under PABP but has not been validated under PA-DSS before its grandfathering period expires, that application will no longer be acceptable for new deployments and should not be marketed or sold by the application vendor.
If a PABP-validated application has already been implemented, that merchant can continue to use it for existing stores and for new store openings after the grandfathering period has expired.
Matt Curci is director of information security at Epicor Retail.