The PCI Security Standards Council (PCI SSC), a global, open industry standards body that manages the Payment Card Industry Data Security Standard (PCI DSS), the PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS), today provides clarity on which types of payment applications are eligible for PA-DSS validation and listing, including an update on the applicability of PA-DSS to mobile payment acceptance applications. A report from the Council lists the types of mobile applications now covered by the security standards, and which applications require additional review.
The PA-DSS program provides standards for developing software applications that store, process or transmit cardholder data. Not all applications involved in payment transactions are eligible for PA-DSS validation, however. To streamline the understanding and process of identifying payment applications that fall under the PA-DSS program, the Council has released the “Which Applications are Eligible for PA-DSS Validation? A Guiding Checklist.” The resource accompanies an updated statement from the Council on PA-DSS and mobile payment acceptance applications that details the types of mobile payment acceptance applications that can meet PA-DSS requirements, and those that require additional examination by the Council.
The statement is a result of the first phase of the Council’s evaluation of the mobile communications device and payment application landscape, focused on identifying and clarifying the risks associated with validating mobile payment acceptance applications to the PA-DSS 2.0 standard. One of the major risk factors identified is the environment the application operates within and the ability of that environment to support the merchant in achieving PCI DSS compliance. As a result, the Council has classified mobile payment acceptance applications into three separate categories based on the type of underlying platform and its ability to support PCI DSS compliance, and has identified which of them can now be considered for review and listing as PA-DSS validated applications. The Council plans to release additional guidance around mobile payments by the end of 2011.
Together, these resources help developers of all payment applications ask the right questions when determining which payment applications the Council can review and validate as secure for accepting and processing cardholder data, and which support merchants’ PCI DSS compliance efforts.
“We understand there is a growing demand in the marketplace for guidance on how to safely and securely implement mobile payments according to the requirements of the DSS and PA-DSS, and we are committed to providing this guidance,” said Bob Russo, general manager, PCI Security Standards. “Today’s update helps clarify how we will be evaluating all payment applications in the future.”
Additional information on the Council’s evaluation of mobile payment acceptance applications designed for communication devices may be found in the PCI Security Standards Council Update on PA-DSS and Mobile Payment Acceptance Applications (PDF) and accompanying FAQ.
Source: PCI Security Standards Council