PCI Council: Software Security Guidelines To Be a Standard

In a move long expected by software developers, merchant processors, and others, the PCI Security Standards Council this week said it is adding a new standard for point-of-sale software based on Visa Inc.'s set of best practices for card-processing applications. The action is aimed at strengthening the software component of card security. “This is no longer going to be a best practice, this is going to be a standard,” Robert Russo, general manager of the Wakefield, Mass.-based PCI Council, tells Digital Transactions News. The PCI Council was established by the card networks to oversee the Payment Card Industry data-security standard, or PCI. Dubbed the Payment Application Data Security Standard, or PA-DSS, the new standard is based on the Payment Application Best Practices (PABP). Visa created PABP as a set of guidelines to help software vendors and others develop applications that don't store prohibited information, such as a card's full magnetic-stripe track data, the so-called CVV2 security code, and PIN data. But with older software systems still in widespread use and often storing card data unbeknownst to the merchant, PABP is rapidly evolving from recommendations into mandates. Last week, Visa set five deadlines for merchant acquirers and processors to remove vulnerable old applications and ensure that newly signed card-accepting merchants are using secure software by 2010 (Digital Transactions News, Nov. 1). Acquirers failing to meet the mandates could face PCI fines. A preliminary draft of the PA-DSS to be built on PABP is circulating among the PCI Council's board of advisors, participating organizations, and others such as qualified security assessors. Russo says application developers are encouraged to join the Council's group of participating organizations if they want to give input, which will be organized by a technical working group. Other components of the PA-DSS program will be rolled out following publication of the standard. Those include the requirements and training program for security assessors and ultimately publication of a list of validated payment applications, according to the Council. Already, about 200 products used by many merchants worldwide have been validated as meeting Visa's PABP criteria. The five major card networks?Visa, MasterCard Worldwide, American Express Co., Discover Financial Services LLC, and JCB Co. Ltd.?all endorse PA-DSS, according to the PCI Council. The networks rolled up their individual security rules under the PCI umbrella about three years ago and in 2006 formed the PCI Council to oversee and update the standard. One payment software executive, Darryl Wright, president and general manager of Gainesville, Fla.-based Main Street Softworks Inc., says he isn't surprised by the PCI Council's action and has no problem with it. But he, like others did when the networks created the council, questions the way the card networks are now managing security issues, with the PCI Council in charge of standards development but the card networks remaining responsible for enforcement. “It's kind of created an extra cog in the wheel,” he says. “It should be a one-stop operation.” Main Street Softworks makes the Monetra line of payment applications, which Wright says meets PABP criteria and has 15,000 installations. Users include Yum! Brands Inc.'s Pizza Hut chains and Papa John's International Inc. Russo says development and enforcement ultimately may be moved into one tent, but “right now each one of the brands maintains their own compliance programs.” One issue to be resolved before that could happen is the antirust question of collusion among erstwhile competitors, he says.