03/02/2010

PA-DSS and PABP

One common point of confusion for software vendors when it comes to PCI Compliance revolves around this question:

What’s the difference between PA-DSS and PABP?

Here’s the lowdown. In 2005, Visa developed the Payment Application Best Practices (PABP). The purpose of the program was to guide software vendors in creating secure payment applications that prevent storage of sensitive cardholder data and mitigate cardholder data compromises.

Three years later, in 2008, the PCI Security Standards Council – made up of the major payment card brands – adopted Visa’s PABP and released it as the Payment Application Data Security Standard, or PA-DSS for short. In doing so, the PA-DSS replaced PABP for the purposes of Visa’s payment application compliance program. In other words, think PA-DSS, not PABP!

The PCI SSC is transitioning all 555 products previously validated under Visa’s PABP over to a consolidated list located at the PCI SSC website, comprised of the validated PABP applications and newly validated PA-DSS applications. All new payment application assessments should undergo PA-DSS validation by a Payment Application Qualified Security Assessor (PA-QSA) and listing with the PCI SSC.  Another option is to go out of scope for PA-DSS by transferring the responsibility of handling sensitive cardholder data to a third party.

Each payment card brand has different requirements and deadlines for PA-DSS compliance. At least up to this point, Visa has the most stringent deadlines for PA-DSS. View them, as well as other PCI compliance deadlines for each payment card brand, in our blog post, PCI Compliance Deadlines.

02/16/2010

How to Learn about PCI Compliance

When business owners or IT directors first become aware they need to comply with the Payment Card Industry Data Security Standard (PCI DSS) and haven’t gone through the process before, a period of learning, head scratching and sorting through the various PCI DSS requirements begins.  A similar trend applies for software vendors when they begin to understand the PA-DSS.

So when it comes to PCI compliance newbies, what’s the easiest way to get educated?

PCI Security Standards Council Website – First read through the PCI Security Standards Council website, becoming familiar with the different PCI compliance standards. The recently published Quick Guide is a good place to start.

Read PCI Compliance Related Blogs – Blogs are great for providing tips and in-depth analysis on the standards, the technologies and strategies that help you comply, and so on. Here are a few of our favorites:

Storefront Backtalk

Anton Chuvakin “Security Warrior”

Treasury Institute for Higher Education (great for educators)

Read and Post Questions on PCI Compliance Forums – Post questions you have about PCI compliance on forums. It’s amazing how much expert advice you will receive for free. Or, if you don’t have any specific questions yet, surf the forums simply to gain more knowledge. PCI Knowledge Base and Society of Payment Security Professionals are the best PCI compliance forums.

Listen to Podcasts and Attend Webinars – The PCI Security Council and several companies offer webinars and podcasts about PCI compliance.  Attend them live or download them later on, commonly for free.

Join LinkedIn Groups or Facebook Pages – Similar to forums, engage with a group of professionals working towards PCI compliance and experts in the field on social networking sites. Check out the PCI DSS Forum group on LinkedIn or the Understanding PA-DSS Facebook page.

Attend PCI DSS Training – The PCI Security Standards Council offers a two-day training course based directly on the PCI SSC Qualified Security Assessor (QSA) training program. Attendees will learn what the QSAs learn so they can better prepare for an on-site PCI DSS assessment or perform the assessment internally. In addition to the QSA training materials, the Standards training course will also cover how to develop an internal PCI DSS compliance program to sustain PCI compliance after the on-site assessment is complete. This is mainly for large companies.

SANS also offers a general course on PCI DSS compliance and the Treasury Institute for Higher Education hosts a PCI workshop for higher education institutions.   Glenbrook offers a Payments Boot Camp that dives deeply into the current trends and issues of the U.S. payment system.

02/02/2010

PCI DSS for Small Business

Surf forums on PCI compliance and you’ll quickly come across a plea for help from a small business owner on sorting out how to comply with PCI DSS.  Especially for mom and pop shops, PCI DSS compliance can be a daunting process.

One way to ease the process of PCI DSS compliance for your small business is to select a payment processing solution that removes the storage of credit and debit card data from your computer system to a secure data storage facility. Using end-to-end encryption and tokenization technology, all that's left on the system is a unique identifier (token) that points to the actual credit card data without containing any sensitive information itself. This allows small business owners to securely process recurring bills and transfers all risk of cardholder data storage. If the system was ever breached, the data stored on location would be completely unusable to data thieves.
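The tokenization arrangement described above, as an added example that is not code from the original post or from any payment provider: a hypothetical third-party vault (`TokenVault`) is the only place the full card number lives and hands the merchant a random token; the merchant system (`MerchantSystem`) keeps only that token plus a masked display value, and uses it for recurring charges. The closing `find_pans` scan is the check a practitioner would run on merchant-side data to confirm no full PAN remains; all three pieces are constructed for illustration, and the card number is a standard Luhn-valid test number, not a real card.

```python
import re
import secrets

# Constructed test PAN (a well-known Luhn-valid test number, not a real card).
TEST_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects malformed numbers before they reach the vault,
    and lets the discovery scan ignore digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Cardholder-data discovery: 13-19 digit runs that pass Luhn.
    Running this over merchant-side storage shows what a thief would find."""
    candidates = re.findall(r"(?<!\d)\d{13,19}(?!\d)", text)
    return [c for c in candidates if luhn_valid(c)]


class TokenVault:
    """Hypothetical third-party vault. In a real service the PAN would be
    encrypted at rest; here the point is only where the PAN lives."""

    def __init__(self):
        self._store = {}  # token -> PAN

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
            raise ValueError("not a plausible card number")
        # The token is random, not derived from the PAN, so nothing about
        # the card can be recovered or guessed from the token itself.
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = digits
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._store.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # The merchant only ever gets back an approval and the last four digits.
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}


class MerchantSystem:
    """What stays on the merchant's own computer: token and masked value only."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.customers = {}  # customer_id -> {"token": ..., "masked": ...}

    def add_card(self, customer_id: str, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        token = self.vault.tokenize(digits)
        self.customers[customer_id] = {
            "token": token,
            "masked": "**** **** **** " + digits[-4:],
        }
        return token

    def bill(self, customer_id: str, amount_cents: int) -> dict:
        """Recurring billing needs only the token; the PAN never comes back."""
        return self.vault.charge(self.customers[customer_id]["token"], amount_cents)


def demo() -> dict:
    vault = TokenVault()
    merchant = MerchantSystem(vault)
    merchant.add_card("cust-1", TEST_PAN)
    receipt = merchant.bill("cust-1", 1999)
    return {
        "receipt": receipt,
        "pans_on_merchant": find_pans(repr(merchant.customers)),  # expected: []
        "pans_in_vault": find_pans(repr(vault._store)),           # expected: [TEST_PAN]
    }


if __name__ == "__main__":
    print(demo())
```

The design point is in `tokenize`: the token comes from a CSPRNG and carries no relationship to the PAN, which is what makes the merchant-side record useless to a thief. A token derived from the card number (for example a plain hash of it) would not give the same guarantee, because the set of valid card numbers is small enough that such a mapping can be reversed.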

The advantage of removing cardholder data from your location – in addition to this decrease in the risk of a data breach – is the ability to complete a much less time- and resource-intensive PCI SAQ. The PCI SAQ is an annual self-assessment questionnaire that all level 2, 3 and 4 merchants who accept credit or debit card payments must complete. Merchants who process cardholder data but do not store it on their computer system can fill out SAQ C – a 16 page questionnaire comprised of 41 questions – compared to SAQ D, a 31 page questionnaire comprised of 223 questions.

Read more about how to become PCI compliant and PCI SAQ Made Easy.