[Infowarrior] - Group releases credit-card software standard

Richard Forno rforno at infowarrior.org
Thu Apr 17 02:00:12 UTC 2008


Group releases credit-card software standard
Published: 2008-04-16
http://www.securityfocus.com/brief/724?ref=rss

The PCI Security Standards Council announced on Tuesday an updated version
of its security standards for applications that process credit-card
transactions, aiming to prevent data breaches such as those at Hannaford
Bros. and the TJX Companies.

Known as the Payment Application Data Security Standard (PA-DSS), the
compliance effort will allow the Council to become a "one-stop shop" for
merchants who want to search for applications and services that will not
increase their exposure to attacks, a PCI Security Standards Council
spokesperson said. Version 1.1 of the standard (available as a PDF) is meant
to ensure that payment applications do not store sensitive authentication
data, such as the full contents of the magnetic stripe on the back of credit
and debit cards.
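
The requirement above (payment applications must not retain magnetic-stripe
data) is the kind of thing an assessor verifies by scanning an application's
files, databases and logs for track data and primary account numbers. The
block below is an added example, not code from the article, the Council or
any PA-DSS tool. It scans a few constructed log lines for ISO 7813 Track 1
and Track 2 layouts and for bare 13-19 digit runs, uses the Luhn check to
discard numeric noise such as order numbers, and reports masked PANs only,
so the scanner itself never writes card numbers anywhere. The sample lines
and the field names are assumptions chosen for illustration.

```python
import re

# ISO 7813 layouts. Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")
# A bare PAN: 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by card numbers; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, which is what a report may show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str):
    """Return a list of (kind, masked_pan) findings for one line of text."""
    findings = []
    covered = []  # character spans already reported as track data
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((kind, mask_pan(m.group(1))))
                covered.append(m.span())
    for m in PAN_RE.finditer(line):
        start, end = m.span()
        inside_track = any(s <= start and end <= e for s, e in covered)
        if not inside_track and luhn_ok(m.group(1)):
            findings.append(("pan", mask_pan(m.group(1))))
    return findings


def scan_records(lines):
    """Scan many lines; returns (line_number, kind, masked_pan) tuples."""
    out = []
    for n, line in enumerate(lines, start=1):
        for kind, masked in scan_line(line):
            out.append((n, kind, masked))
    return out


# Constructed sample log lines (hypothetical application log, test PANs only).
SAMPLE_LOG = [
    "2008-04-15 10:01:02 swipe ok raw=;4111111111111111=25121011234567890?",
    "2008-04-15 10:01:02 swipe ok raw=%B4111111111111111^DOE/JOHN^2512101123456789?",
    "2008-04-15 10:02:10 auth pan=5500000000000004 amount=19.99",
    "2008-04-15 10:03:44 auth pan=4111111111111112 amount=5.00",
    "2008-04-15 10:04:00 ORDER-2024031500001 shipped",
]

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_LOG):
        print("line %d: %s %s" % hit)
```

Lines 1 and 2 are exactly what PA-DSS forbids an application to keep after
authorization: full track data, including the discretionary field. Line 3 is
a stored PAN, which may be kept but must be protected; line 4 fails the Luhn
check and line 5 is an order number, so neither is reported. A real
assessment would run the same logic over database dumps, crash dumps and
debug logs, since those are where swipe data typically leaks.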

"Having a single source of information on approved payment applications and
security assessors provides business value to merchants and service
providers and allows them to make informed choices regarding the security of
their payment application," Bob Russo, general manager for the PCI Security
Standards Council, said in a statement announcing the new standard.

The latest version of the application-security standard follows the
revelation that online data thieves managed to make off with millions of
credit- and debit-card numbers from grocery store chain Hannaford Bros. In
2007, retail giant TJX Companies also announced a large data breach, and by
the end of the year, estimates of the size of the loss surpassed 100 million
credit- and debit-card numbers. While TJX Companies had not complied with
the PCI Data Security Standard, it is currently not known whether Hannaford
Bros. had remained in compliance. According to Visa, about three-quarters of
large companies and two-thirds of medium-sized firms had complied with the
PCI's payment security standards by the end of 2007.

The PCI Security Standards Council plans to certify companies over the next
year to be Payment Application Qualified Security Assessors (PA-QSAs). The
application standard is based on Visa's Payment Applications Best Practices
(PABP) requirements for its merchants.
