The Payment Application Data Security Standard (PA-DSS), against which Digital Dining is certified, is designed to minimize vulnerabilities in payment applications. Its central goal is to keep sensitive authentication data (the full contents of the magnetic stripe, the card validation code printed on the card, and PIN data) from being retained after authorization, so that a compromised application cannot yield the data needed to counterfeit cards. PA-DSS applies to commercial payment applications and to the integrators and service providers that deploy and support them. Merchants and service providers should use validated payment applications and should check with their acquiring financial institution to understand the requirements and the associated timeframes for compliance.
The PA-DSS requirements (validated by PA-QSA assessment) are as follows:
1. Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data.
2. Provide secure password features.
3. Protect stored cardholder data.
4. Log application activity.
5. Develop secure applications.
6. Protect wireless transmissions.
7. Test applications to address vulnerabilities.
8. Facilitate secure network implementation.
9. Do not store cardholder data on a server connected to the Internet.
10. Facilitate secure remote software updates.
11. Facilitate secure remote access to the application.
12. Encrypt sensitive traffic over public networks.
13. Encrypt all non-console administrative access.
14. Maintain instructional documentation and training programs for customers, resellers, and integrators.
PCI Data Security Standard for Merchants & Processors
The PCI DSS is the global data security standard that any business, of any size, must adhere to in order to accept payment cards. It lays out common-sense steps that mirror established security best practices.
The 12 PCI DSS requirements, grouped under the standard's six control objectives, are:
Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management program
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an information security policy
12. Maintain a policy that addresses information security.
How to Comply with PCI DSS:
The PCI Security Standards Council sets the PCI security standards, but each payment card brand runs its own compliance program. Specific questions about compliance should be directed to your acquiring financial institution. Links to the payment card brand compliance programs include:
- American Express: www.americanexpress.com/datasecurity
- Discover Financial Services: http://www.discovernetwork.com/resources/data/data_security.html
- JCB International: http://www.jcb-global.com/english/pci/index.html
- MasterCard Worldwide: www.mastercard.com/sdp
- Visa Inc: http://www.visa.com/cisp (U.S.)
Qualified Assessors. The Council runs programs for two kinds of certification: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs are companies with trained personnel and documented processes that help organizations review the security of their payment transaction systems and that assess and validate compliance with PCI DSS and PA-DSS. ASVs perform the external vulnerability scans that PCI DSS requires for Internet-facing systems, using the Council-approved scanning tools. Additional details can be found at: http://www.pcisecuritystandards.org/.
Self-Assessment Questionnaire. The "SAQ" is a validation tool for merchants and service providers who are not required to undergo an on-site assessment for PCI DSS compliance. Different SAQs are specified for different business situations; more details can be found at: http://www.pcisecuritystandards.org/, or contact your acquiring financial institution to determine whether, and which, SAQ you should complete.