The PCI Security Standards Council (PCI SSC) is an organization created by the major credit card companies in an effort to improve the security of cardholder data. The Council was formed in response to a sharp rise in data security breaches that put customers at risk and cost credit card companies heavy financial losses. The mission of the PCI SSC is to enhance global payment account data security by developing standards and supporting services that create awareness and ensure effective implementation by stakeholders. With this in mind, the PCI DSS and PA-DSS standards were introduced to help organizations achieve compliance and secure cardholder data. However, the introduction of both standards has left stakeholders unsure which one applies to their business.
To clear up this confusion and help stakeholders understand both standards, this article covers the critical differences between PCI DSS and PA-DSS and highlights which standard applies to your organization.
About PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed by Visa, MasterCard, Discover Financial Services, JCB International, and American Express in the year 2004. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the standard aims to secure credit and debit card transactions against data breach, theft, and fraud. While the PCI SSC has no legal authority to compel compliance, it is nevertheless a requirement for any business that processes credit or debit card transactions. Complying with the PCI DSS standard is the best way to safeguard sensitive data and helps businesses build long-lasting relationships with their customers.
About PA DSS
PA-DSS is a standard managed by the PCI SSC that was formerly under the supervision of Visa Inc. The standard, also known as the Payment Application Best Practices (PABP), was established to help software vendors secure payment applications. Payment applications that are sold, distributed, or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants that are not sold to a third party are not subject to the PA-DSS requirements but must adhere to the PCI DSS compliance standard.
Critical difference between PCI DSS & PA DSS Standards
|Titles||PCI DSS||PA DSS|
|Standard||PCI DSS is a compliance standard established to secure customers' payment card details that are stored, processed, or transmitted by organizations in the course of business.||PA DSS is a global security standard that is also known as the Payment Application Best Practices.|
|Purpose of Implementing the Standard||PCI DSS is implemented to build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain and enforce an information security policy.||PA DSS is a set of requirements intended to help software vendors develop secure payment applications that support PCI DSS compliance.|
|Application||The compliance standard applies to all organizations that store, process, or transmit cardholder data.||The PA DSS standard applies to makers/developers and integrators of payment applications that use credit card information for payment authorization and settlement, where the payment applications are sold, distributed, or licensed to third parties. However, it is important to note that in-house payment applications developed by merchants or service providers that are not sold to a third party, as well as heavily customised applications, are not subject to the PA-DSS requirements.|
|Focus||The Standard focuses on supporting and securing networks, systems, and other payment card processing equipment.||The Standard focuses on securing payment card applications to support the secure payment process.|
|Scope or coverage of Standards||The PCI DSS scope covers securing the entire cardholder data environment ecosystem.||The PA DSS scope covers addressing the security challenges of payment applications.|
|Application Mandatory||PCI DSS must be implemented by all entities that process, store, or transmit cardholder data.||Whether PA-DSS is mandatory for a particular application is determined by the payment brands or, in some cases, by the acquirer.|
|Supervised||PCI DSS is mandated by card brands such as Visa, MasterCard, American Express, Discover, and JCB, but administered by the Payment Card Industry Security Standards Council.||PA-DSS is a PCI SSC-managed program that was formerly under the supervision of Visa Inc.|
|Standard Requirement||The PCI Data Security Standard comprises 12 general requirements, listed below:|
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.
|The PA DSS Payment Application Standard comprises 13 requirements, listed below:|
1. Do not retain full magnetic stripe, card verification code or value or PIN block data.
9. CHD must never be stored on a server connected to the internet.
10. Facilitate secure remote access to the payment application.
11. Encrypt sensitive traffic over the public network.
12. Encrypt all non-console administrative access.
13. Maintain instructional documentation and training programs for customers, resellers, and integrators.
|Validation||Formal validation of PCI DSS compliance is not mandatory for all entities. Currently, both Visa and MasterCard require merchants and service providers to be validated according to the PCI DSS.||PCI PA-DSS validation is intended to ensure that the payment application will help you achieve and maintain PCI DSS compliance.|
Correlation between PCI DSS and PA-DSS
1) PA-DSS compliance alone does not imply that the entity is PCI DSS compliant. The PA-DSS requirements are derived from the PCI DSS Requirements and Security Assessment Procedures, which detail what is required to be PCI DSS compliant.
2) All applications that store, process, or transmit cardholder data are in scope for an entity’s PCI DSS assessment, including applications that have been validated to PA-DSS. PCI DSS assessment verifies whether the PA-DSS payment application is appropriately configured and securely implemented as per PCI DSS requirements.
3) If the payment application has been customized in any way, an in-depth review is required during the PCI DSS assessment, since the earlier PA-DSS validation may no longer apply to the application.
4) It is important to note that PCI DSS may not be directly applicable to payment application vendors unless they store, process, or transmit cardholder data, or have access to their customers' cardholder data. However, since these payment applications are used by the vendor's customers to store, process, and transmit cardholder data, and those customers are required to be PCI DSS compliant, payment applications should facilitate, and not prevent, their customers' PCI DSS compliance.
With the PCI DSS and PA-DSS standards explained, organizations can take the necessary steps to ensure they are PCI compliant. For those who do not have to comply with PA DSS, we suggest not overlooking its requirements. The PA DSS requirements form a useful audit guide for validating a vendor's payment application or for an organization's own independent audit of its payment app. Referring to the outlined PA DSS requirements can help internal application development and security teams ensure that the apps they develop are designed with the requirements of cardholder data protection in mind.