The PCI Security Standards Council on Friday released version 3.2 of its Payment Application Data Security Standard, which sets rules for payment-processing software. The new PA-DSS aligns with the recently updated main security standard, the Payment Card Industry Data Security Standard version 3.2.

Today’s update was expected, as the Wakefield, Mass.-based PCI Counciltraditionally closely aligns the software standard with its main one. The Council said updates to its standards are based on feedback from its 700-plus global participating organizations, which include processors, merchants, and industry vendors, as well as data-breach report findings and new trends in payment acceptance.


“Using secure software and making sure that the software is installed and maintained correctly is a critical part of protecting payments,” PCI Council general manager Stephen Orfei said in a statement.


In addition to clarifying some existing requirements and aligning certain rules to better fit with the main standard, the new revision makes changes to the detailed instructions included with vendor products, the so-called PA-DSS Implementation Guide, which explain how to configure payment applications properly and in accordance with the PCI-DSS, the Council said. These address procedures for secure installation of software patches and updates, and instructions for protecting cardholder data if using debugging logs for troubleshooting because they can be exploited during a compromise.


“We continue to see how failure to properly configure and patch payment applications exposes organizations to attacks that lead to mass data compromise,” PCI Council chief technology officer Troy Leach said in a statement. He further said that “we’ve added more guidance to help integrators, resellers, and others implementing payment software to configure it properly and protect payment account data.”


The new version takes effect June 1, while version 3.1 of the PA-DSS retires on Aug. 31.


Leach discusses the new update in a blog post that includes a link to a document summarizing the changes.


All merchants, processors, vendors, and other firms that handle general-purpose payment card applications and hardware must abide by PCI Council’s rules, which are enforced by the card networks and merchant acquirers.