How PA DSS Will Change the Application Business Forever

By David Taylor -- Most merchants and application vendors seriously underestimate both the scope and the force of the Payment Application Data Security Standard (PA DSS). Where that is the case, it's usually because they haven't read the standard or don't immediately grasp what's involved.

Essentially, this standard could force merchants in all industries and of all sizes to switch payment application vendors. Furthermore, because these applications are not generic "plug and play" software "modules," switching vendors would also require changes to all of the custom code written to integrate the payment application with ERP, sales audit, general ledger and other back-office applications. In short, PA DSS is a much "bigger deal" than the 1.2 release of the PCI DSS.

The Scope of PA DSS. Any application packaged for sale that collects (e.g., via a form that someone fills in or by automated means), processes, or stores card data is within the scope of PA DSS. That means ALL merchants (even Level 4s) must run only validated applications, which in turn means application vendors must pay to have their application tested in a "laboratory" by a PA DSS-qualified assessor (a PA-QSA). The list of approved assessors is conveniently maintained by the PCI Security Standards Council, which recently took over the task from Visa.

Assessment is price-competitive. Currently, fewer than 20 companies worldwide have been approved to test and validate PA DSS compliance, and more are joining the list all the time. Because demand from merchants, and hence from application vendors, is only just developing, we're hearing stories of a very price-sensitive market, with resulting "variability" in the quality of assessment, because low-ball bidders still have to make a profit on their assessments. As a result, we caution all merchants not to assume an equal level of data security between two application vendors just because both appear on the PA DSS "white list." Merchants need to do their own validation of the data security controls and ask for copies of the PA DSS test reports.

The application vendor's dilemma. We've interviewed application vendors who tell us they are waiting until customers demand PA DSS compliance before having their software tested, and/or that their customers (the merchants) have no clue about PA DSS, so they don't want to pay to get their current version validated when a new version will be coming out in another six months and they'd have to pay to have that tested as well. The question "Why pay for security testing that customers don't even care about?" is likely to persist for another six months or so. As long as the focus of the SSC and the card brands is on the "minor tweaks" in PCI DSS 1.2, there will be less marketing bandwidth available to highlight the major changes PA DSS will bring about in the market.

The demand lag and its market impact. This "cat and mouse" issue of paying to have a version validated before there is demand for PA DSS will get much more complex over the next two years. Most application vendors have, thus far, had zero or one version tested, because it's expensive and demand is "immature" at best. We expect that getting tested and being on the PA DSS "white list" will become part of nearly all relevant RFPs within a year. If that doesn't happen, it's highly unlikely that the merchant community (all levels) will be running only PA DSS-compliant applications by the October 2009 and July 2010 deadlines. Faced with potentially massive non-compliance, the logical response would be to postpone the deadlines. It's happened before.

What are the compensating controls for PA DSS?
