The card industry group is pushing a new standard that will force companies to build point-of-sale and transactional systems that do not store as much sensitive customer data.

While the National Retail Federation’s call for the PCI Security Standards Council to lower the potential for data breaches by dropping businesses’ cardholder data retention requirements has so far gone unanswered, the payment card industry group has launched a new effort aimed at helping companies eliminate libraries of customer information unnecessarily stored in some point-of-sale and transactional systems.

On Wednesday, the PCI Council announced its intention to create — and eventually enforce — a new regulation known as the Payment Application Data Security Standard (PA-DSS), which it claims will help developers of payment applications do away with product features that may have led to superfluous storage of sensitive information in the tools.

While the PCI Data Security Standard — on which the new mandate is based — orders that companies such as retailers shouldn’t use point-of-sale systems that store information the standard has specifically banned them from gathering — including full magnetic card stripe identifiers, CVV2 (name and address) details and PIN data — the reality is that many applications in use today still aggregate some of those specifics.

The PCI Council said that the new measure is based on the Payment Application Best Practices (PABP) developed by Visa, one of its founding members, and that it has distributed a preliminary draft of the regulation to its Board of Advisors for feedback. Among those participating in the review process are the group’s Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). The PCI Council said that it will consider any feedback from those parties and then publish a final version of the PA-DSS sometime in the first quarter of 2008.
The group said that Visa initially created the best practices to aid software vendors and other developers in building payment applications that do not store prohibited data. For the record, proprietary applications developed by merchants themselves will not be made subject to the PA-DSS regulation, but they will still be required to meet the terms of the broader PCI Data Security Standard. The PCI Council claims that roughly 200 point-of-sale systems and transactional tools already in use by retailers and other companies have previously been validated against Visa’s standard.

Payment applications adhering to the PA-DSS will “minimize the potential for security breaches and the resultant fraud,” the group said in a statement.

“With the PA-DSS managed by the council, we will ensure that payment application providers and their products are subject to data security requirements consistent with the current PCI Data Security Standard,” Bob Russo, general manager of the PCI Security Standards Council, said in an announcement. “As criminals become more sophisticated and payment application vulnerabilities are realized by our membership, we must ensure that all components of the payments process are subject to rigorous standards that are supported by all of the global payment card brands with a single goal in mind: to protect cardholder data and combat fraud,” Russo said.

The group is asking developers of payment systems to join in its latest effort, and said that individual components of the PA-DSS program will be rolled out following the publication of the standard — including the requirements and training programs for security assessors and a list of applications that have been validated under the measure.

In September, the PCI Council assumed responsibility for the PIN Entry Device (PED) Security Requirements that were previously administered by payment card giants JCB, MasterCard and Visa.
The PED Security Requirements were designed to help secure personal identification number (PIN)-based transactions, and apply to devices that accept PIN entry for transactions.

Meanwhile, the NRF and its members would clearly prefer it if the PCI backers would stop creating new rules that ask companies to improve their systems, and simply scale back the card issuers’ requirements that force retailers and other payment card processors to retain customer data in the first place — especially as the potential fines and other penalties levied against those responsible for breaches have grown.

But in the end, and most importantly, consumer privacy appears to be the big winner of these efforts, regardless of how all the inter-industry posturing plays out.