Why PA-DSS Was Created
Payments by credit and debit cards have been regulated by various industry-formulated measures since they were introduced decades ago. Ingenious and determined cyber criminals are tireless in their efforts to subvert even the most secure systems, which means the card industry must remain constantly alert to the threat of theft and fraud. In 2004 the far-reaching, internationally agreed Payment Card Industry Data Security Standard (PCI DSS) was introduced; it applies to every company, organisation or entity that collects, stores, processes or transmits credit card data. A more comprehensive provision is hard to imagine.
However, it became clear that this still left an important loophole. Further provision was needed for companies that produce and sell payment applications, in order to prevent those applications, developed for third-party use, from storing sensitive authentication data such as full magnetic-stripe contents, card security codes and PINs. This was the basis of the Payment Application Data Security Standard (PA-DSS), which, with the help of PCI compliance providers, has been helping application developers meet these security requirements since 2008. Effective as it has been, PA-DSS has been overtaken by evolving technology and the emergence of new platforms. Rather than producing yet another upgrade, the industry plans to retire PA-DSS in October 2022 and replace it with the PCI Software Security Framework (PCI SSF).
The New PCI SSF Regime
The processing and transmission of cardholder data is fraught with dangers, and maintaining both public trust and security is a vital challenge. The development of modern payment application software demands objective-focused security that can respond quickly to changes in practices and software. The standards formulated in the new security framework will help protect data, minimise vulnerabilities and provide robust defences against cyber-attack. Compliance with the new regime is to be overseen by SSF Assessors, and every supplier of online payment software will need to be ready for the change.
However, there’s no need to wait: the training of assessors began in 2019, so it’s possible to engage in the assessment process before PCI SSF formally launches. It’s important to remember that both PA-DSS and PCI SSF are simply adjuncts to the central PCI DSS, which remains the overarching set of provisions. PCI compliance providers are fully conversant with each of these standards and can deliver highly effective PCI DSS compliance solutions that are appropriate to your business. Gradeon’s consultants are fully qualified to advise you on your obligations and to provide practical answers to the challenges you may face now and in the future.