On May 27th, the PCI Security Standards Council released an updated version of the Payment Application Data Security Standard (PA-DSS), which sets the requirements for payment processing software. The new PA-DSS supports the newly updated primary security standard, the Payment Card Industry Data Security Standard (PCI-DSS), version 3.2.

 

All vendors, processors, and merchants who create and sell payment card applications and hardware must comply with the PCI Council’s rules, which are administered by merchant acquirers and card networks. Payment application vendors worldwide use the PA-DSS criteria to certify their software products and guard against theft of payment card data. Businesses and merchants use PA-DSS validated software to securely accept payments online and in stores and to protect payment card data within their networks and systems, as mandated by the PCI-DSS.

 

This anticipated update is based on data breach detections and responses reported by over 700 participating companies worldwide, including merchants, vendors, and processors. In addition to aligning specific rules to better support the primary security standard and explaining certain existing requirements in greater detail, this revision changes the instructions in the PA-DSS Implementation Guide. This guide explains how to configure payment applications correctly and in agreement with the PCI-DSS. It also discusses techniques for the secure installation of updates and software patches, and guidelines for safeguarding cardholder data when debugging logs are used for troubleshooting in case of a compromise.

 

“We continue to see how failure to properly configure and patch payment applications exposes organizations to attacks that lead to mass data compromise,” PCI Council chief technology officer Troy Leach said in an announcement. He further stated, “We’ve added more guidance to help integrators, resellers, and others implementing payment software to configure it properly and protect payment account data.”

 

The updated version takes effect on June 1, and version 3.1 of the PA-DSS retires on August 31.

 

A full copy of PA-DSS version 3.2, which includes the Summary of Changes document and the Attestation of Validation (AOV) and Report on Validation (ROV) forms, is available from the PCI Security Standards Council.