The PCI Security Standards Council announced on Tuesday an updated version of its security standards for applications that process credit-card transactions, aiming to prevent data breaches such as those at Hannaford Bros. and the TJX Companies.
Known as the Payment Application Data Security Standard (PA-DSS), the compliance effort will allow the Council to become a "one-stop shop" for merchants who want to search for applications and services that will not increase their exposure to attacks, a PCI Security Standards Council spokesperson said. Version 1.1 of the standard will make certain that payment applications do not store sensitive data, such as the information typically stored on the magnetic stripe on the back of credit and debit cards.
"Having a single source of information on approved payment applications and security assessors provides business value to merchants and service providers and allows them to make informed choices regarding the security of their payment application," Bob Russo, general manager for the PCI Security Standards Council, said in a statement announcing the new standard.
The latest version of the application-security standard follows the revelation that online data thieves managed to make off with millions of credit- and debit-card numbers from grocery store chain Hannaford Bros. In 2007, retail giant TJX Companies also announced a large data breach, and by the end of the year, estimates of the size of the loss surpassed 100 million credit- and debit-card numbers. While TJX Companies had not complied with the PCI Data Security Standard, it is currently not known whether Hannaford Bros. had remained in compliance. According to Visa, about three-quarters of large companies and two-thirds of medium-sized firms had complied with the PCI's payment security standards by the end of 2007.
The PCI Security Standards Council plans to certify companies over the next year to be Payment Application Qualified Security Assessors (PA-QSAs). The application standard is based on Visa's Payment Applications Best Practices (PABP) requirements for its merchants.
Posted by: Robert Lemos