A Major Step in Application Security
PABP has officially been accepted by the PCI Security Standards Council and will become PA-DSS. The announcement, which can be read here, represents a MAJOR change in how data is protected when processed in (or perhaps through) software applications.
This announcement, particularly when taken in light of the recent Visa mandate, is a strong statement about payment software applications. When Visa released their last announcement (October 23rd) there was an excellent blog post about the statement and its ramifications. This post, here, was on the treasuryinstitute.org blog, which serves as an excellent resource for security and compliance related issues.
But what does it mean?
According to the Visa mandate, and I paraphrase, there are several significant upcoming milestones related to PA-DSS.
- New merchants must not use known vulnerable applications – January, 2008
- Level 3 and Level 4 merchants (newly boarded) must be PCI compliant or use PABP-compliant applications – July, 2008
- Acquirers are required to ensure their merchants ONLY use PABP-compliant applications – January, 2010
If I read correctly, this means that all applications MUST be PA-DSS compliant in just over 2 years. As such, the time is now for software companies (and their merchants) to start making decisions about how to improve their applications, and the associated processes, to meet PA-DSS compliance.
I will write more, tomorrow, on the specifics of PABP compliance and methods for achievement. If you are interested, there was additional coverage of this story on Branden Williams’ Security Convergence blog.
November 8, 2007