What is PCI?
PCI is used in multiple contexts to denote Payment Card Industry:
PCI SSC is the Payment Card Industry Security Standards Council, launched on September 7th, 2006, with the goal of managing the ongoing evolution of payment card security and compliance.
PCI DSS is the Payment Card Industry Data Security Standard, which consists of 12 requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.
PCI PA-DSS is the Payment Card Industry Payment Application Data Security Standard, consisting of 14 requirements to ensure that vendors provide products that support merchants' efforts to maintain PCI DSS compliance and eliminate the storage of sensitive cardholder data.
PCI SSC, PCI DSS, PA-DSS and Payment Systems Companies
PCI Security Standards Council (PCI SSC)
PCI Data Security Standards (PCI DSS)
PCI Payment Applications Data Security Standards (PCI PA-DSS)
Importance of PCI DSS Validation
Why is it important for payment systems companies to provide PA-DSS validated applications?
Payment systems companies' PA-DSS validated applications give their customers and potential customers the assurance that those payment applications were developed to meet stringent data protection requirements and enforce a high level of security.
Secure payment applications minimize the potential for security breaches that lead to compromises of the primary account number (PAN), full track data, card verification codes and values (CAV2, CID, CVC2, CVV2), PINs and PIN blocks, and the damaging fraud that results from these breaches.
Payment card brands enforce their own PA-DSS related programs and can set fines or penalties for the use of non-compliant payment applications.
By staying compliant, payment systems companies are part of a united, global response to fighting payment card data compromise.
Payment Systems Companies Application Security Compliance
(SDLC) was followed for CSMs written by payment systems companies.
The proof of compliance documentation provided should be discussed with the customer during contract negotiations.
How do Payment Systems Companies' Applications become PA-DSS Validated?
Payment systems companies determine whether an application being developed meets the criteria for PA-DSS validation.
Payment systems companies select a Payment Application Qualified Security Assessor (PA-QSA) to perform the assessment of the payment application.
Payment systems companies provide the PA-QSA with the relevant payment application documentation, access to a lab environment for testing the application, and information about the application and its environment.
The PA-QSA assesses the payment application's security functions and features to determine whether the application complies with the PA-DSS requirements.
If the PA-QSA determines that the payment application complies with the PA-DSS, the PA-QSA submits a report setting forth its results, opinions and conclusions to the PCI SSC.
The PCI SSC reviews the report submitted by the PA-QSA and confirms or rejects that the payment application meets all requirements.
When the requirements are met, the PCI SSC provides an Attestation of Validation and lists the payment application on the List of Validated Payment Applications on the PCI SSC website.
PCI Cardholder Data Storage
These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment.
Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed or transmitted.
Sensitive authentication data must not be stored after authorization (even if encrypted).
This includes full track data from the magnetic stripe, the magnetic stripe image on the chip, or elsewhere.
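The two storage rules above (PAN must be protected when stored; sensitive authentication data must never be stored after authorization) are the kind of thing a merchant or vendor should check against their own data stores. The scanner below is an added example, not code from the page or from the PCI SSC: it walks a constructed set of post-authorization records, flags fields whose names mark them as sensitive authentication data, detects Track 1/Track 2 layouts in free-text fields, and reports any Luhn-valid PAN that is stored in the clear. The record schema, field names and sample values are assumptions of the example; the PANs are well-known test numbers, and the track data and CVV2 values are made up. The example treats a PAN truncated to first six/last four as protected; the page itself does not prescribe which protection method to use.

```python
import re
from typing import Dict, List

# Constructed sample records, as a merchant system might hold them after authorization.
# The PANs are standard test numbers; track data and CVV2 values are invented.
SAMPLE_RECORDS = [
    {"id": 1, "pan": "4111111111111111", "expiry": "12/29", "name": "J DOE"},
    {"id": 2, "pan": "411111******1111", "expiry": "12/29", "name": "A SMITH"},
    {"id": 3, "pan": "5555555555554444", "cvv2": "123", "name": "B LEE"},
    {"id": 4, "track2": ";5555555555554444=291210112345?", "name": "C KIM"},
    {"id": 5, "notes": "%B4111111111111111^DOE/J^2912101?", "name": "J DOE"},
]

# Field names that hold sensitive authentication data (SAD) in this example's schema.
# A real scan maps these to the actual column names of the store being checked.
SAD_FIELDS = {"cvv2", "cvc2", "cid", "cav2", "pin", "pin_block", "track1", "track2"}

# Track 1 ("%B<PAN>^<name>^<YYMM...>") and Track 2 (";<PAN>=<YYMM...>") layouts.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}")
# A run of 13 to 19 digits not adjacent to other digits: a PAN candidate.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check used to separate real PAN candidates from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Render a PAN unreadable by keeping only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(record: Dict[str, object]) -> List[str]:
    """Return a list of findings for one stored record (empty list means clean)."""
    findings: List[str] = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        # SAD is forbidden after authorization regardless of encryption, so the
        # mere presence of the field is a finding.
        if field.lower() in SAD_FIELDS:
            findings.append(f"SAD stored in field '{field}'")
        # Track data can leak into free-text fields (logs, notes, debug dumps).
        if TRACK1_RE.search(value) or TRACK2_RE.search(value):
            findings.append(f"full track data found in field '{field}'")
        # A full, Luhn-valid PAN in the clear is a finding; a truncated value
        # such as 411111******1111 has no 13-digit run and is not reported.
        for candidate in PAN_RE.findall(value):
            if luhn_valid(candidate):
                findings.append(f"unprotected PAN in field '{field}'")
    return findings


def scan(records: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Map each record id to its findings."""
    return {int(r["id"]): scan_record(r) for r in records}


if __name__ == "__main__":
    for rec_id, findings in scan(SAMPLE_RECORDS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"record {rec_id}: {status}")
```

Record 2 is the only clean one: it holds a truncated PAN and nothing else. Record 4 produces three findings (the field name, the Track 2 layout and the PAN inside it), which is the point: once track data is stored, the PAN it contains is exposed as well, so the fix is to delete the field, not to encrypt it.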
PCI DSS helps you connect and share with the people in your life when it comes to secure payment systems or sending them payment.
The social network companies are excited about partnering with credit card companies and partnering with PayPal and all of the different folks in online payments to make their solutions as good as possible, as well as secure data in motion.