VISA and Vulnerable Payment Applications
Minneapolis, October 9, 2008 — The story of the Payment Application Data
Security Standard (PA-DSS) begins with VISA. Seeing an increasing number of merchant
compromises in recent years, VISA discovered that certain payment applications were
inappropriately storing prohibited data, including magnetic-stripe, CVV2 or PIN data,
after the transaction had been authorized. Hackers were targeting merchants and agents
that used vulnerable payment applications, exploiting vulnerabilities to capture this
sensitive data. VISA realized that it was critical for acquirers to ensure that their
merchants and agents did not use payment applications known to improperly retain
prohibited data elements. Acquirers needed to make sure that corrective actions were taken
to address any identified deficiencies.
To that end, starting in 2005, VISA launched its Payment Application
Best Practices (PABP). PABP spelled out how developers of payment applications can make those
applications secure and compliant with the PCI-DSS standard.
The PABP requirements are:
- Do not retain full magnetic stripe, card validation value, or PIN block data.
- Protect stored cardholder data.
- Provide secure password features.
- Log application activity.
- Develop secure applications.
- Protect wireless activity.
- Protect wireless transmissions.
- Test applications to address vulnerabilities.
- Facilitate secure remote software updates.
- Facilitate secure remote access to application.
- Encrypt sensitive traffic over public networks.
- Encrypt all non-console administrative access.
- Maintain instructional documentation and training programs for customers, resellers and integrators. (Source: Visa)
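The first two requirements are the ones an assessor checks most concretely: is full track data or a card validation value still sitting in a log, database or crash dump after authorization, and is any stored PAN truncated? As an added example (not Visa's or NetSPI's code), the following Python scans a constructed log for retained Track 1 and Track 2 data and labelled CVV2 values, applies a Luhn check to cut false positives from other digit runs, and shows the first-six/last-four form in which a PAN may be stored; the track-format regexes and the log layout are assumptions made for this example.

```python
import re

# Track 2: ;PAN=YYMM SSS discretionary?   Track 1: %B PAN^NAME^YYMM SSS discretionary?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})(\d{3})[^?]*\?")
# A labelled card-validation value (CVV2/CVC2/CID) written into a log or database field
CVV_FIELD_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)

def luhn_ok(pan: str) -> bool:
    """Luhn check on a candidate PAN, to cut false positives from other digit runs."""
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_prohibited_data(text: str) -> list:
    """Return (kind, value) for each prohibited element retained in the text."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m.group(1)):
            findings.append(("track2", m.group(1)))
    for m in TRACK1_RE.finditer(text):
        if luhn_ok(m.group(1)):
            findings.append(("track1", m.group(1)))
    for m in CVV_FIELD_RE.finditer(text):
        findings.append(("cvv", m.group(1).lower()))
    return findings

def mask_pan(pan: str) -> str:
    """Truncate a PAN to first six / last four, the form that may be stored."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# Constructed sample log (assumed layout); 4111111111111111 is a well-known Luhn-valid test PAN.
SAMPLE_LOG = """\
2008-10-09 12:00:01 AUTH approved merchant=1234 track2=;4111111111111111=09121011234567890?
2008-10-09 12:00:02 AUTH approved merchant=1234 pan=411111******1111 exp=0912
2008-10-09 12:00:03 DEBUG raw=%B4111111111111111^DOE/JOHN^09121011234567890?
2008-10-09 12:00:04 DEBUG cvv2=123 retained for retry
"""

if __name__ == "__main__":
    for kind, value in find_prohibited_data(SAMPLE_LOG):
        shown = mask_pan(value) if kind.startswith("track") else value
        print(f"prohibited {kind} data retained: {shown}")
```

The second log line, which stores only a truncated PAN and an expiry date, is correctly not flagged; the other three lines each violate requirement 1.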
These PABP requirements can be mapped to elements of PCI-DSS. In 2007,
VISA put new urgency into the PABP guidelines by mandating compliance. Merchants and agents that
continued to use payment applications that stored prohibited data, or that had other inherent security
weaknesses, would not be compliant with PABP or PCI-DSS.
PABP and New Payment Application Security Mandates
Beginning on January 1, 2008, VISA issued a schedule of mandates for compliance with PABP, to eliminate the use of non-secure payment applications from the VISA payment system.
Outlined below are the five mandates, scheduled to take effect over the next two years.
| Phase | Compliance Mandates | Effective Date |
|---|---|---|
| I. | Newly boarded merchants must not use known vulnerable payment applications. VISANet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications. | 1/1/08 |
| II. | VNPs and agents must certify only new payment applications to their platforms that are PABP-compliant. | 7/1/08 |
| III. | Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PABP-compliant applications. | 10/1/08 |
| IV. | VNPs and agents must recertify all vulnerable payment applications. | 10/1/09 |
| V. | Acquirers must ensure their merchants, VNPs and agents use only PABP-compliant applications. | 7/1/10 |
PABP Becomes PA-DSS
Recognizing that data security is a collaborative effort by multiple
entities in the payment chain, the PCI Security Standards Council (PCI SSC) adopted PABP as an
industry-wide standard, calling it the Payment Application Data Security Standard (PA-DSS). The PABP
scheduled mandates became the hard deadlines of an industry standard.
The comprehensive PA-DSS program provides a clear understanding of what
encompasses a secure payment application. PA-DSS also provides:
- Guidance for software vendors, helping them develop payment applications that do not store prohibited cardholder account or transaction data.
- Assurance that payment applications are developed using secure coding procedures to guard against common attack methods.
- Assurance that merchants and agents use software vendors whose payment applications have been validated by a PCI-approved security assessor.
- Help in preventing data compromises and in helping payment chain participants comply with the PCI-DSS.
To ensure compliance not just with payment applications but with PCI-DSS as
a whole, it will be more important than ever for organizations in the payment chain to have the requisite
security strategy: ensuring a strong understanding of the PCI requirements, implementing the required major
changes and maintaining compliance through a strong security program. The penalties for non-compliance can
be severe, as pressure increases from acquirers and issuers.
NetSPI’s PCI-DSS and PA-DSS Credentials
NetSPI has made a significant investment in PCI-DSS certifications in order to deliver
services to merchants and service providers that need to comply with the PCI standard. For example, NetSPI is a
Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV), certified to perform both the on-site audit
and the quarterly network scans required of merchants and service providers.
On September 15, 2008, NetSPI became one of the first eight USA-certified Payment
Application Qualified Security Assessors (PA-QSA). The certification process was a continuation of our experience
and proven methodology as a VISA Qualified Payment Application Security Company (QPASC).
Let NetSPI put that experience and expertise to work for your organization, to ensure
the development and use of secure payment applications that comply with PA-DSS.
NetSPI is a privately held information-security consulting company founded in 2001. By using its consulting team's deep security knowledge and its CorrelatedVM vulnerability management & reporting solution, the company is a trusted advisor to large enterprises. NetSPI provides a range of assessment and advisory services designed to analyze and mitigate risks and ensure compliance with relevant regulations and industry standards. Clients include large financial services firms, retailers, healthcare organizations and technology companies.
More information is available at www.netspi.com.