PCI DSS Compliance Blog

One common point of confusion for software vendors when it comes to PCI Compliance revolves around this question:

What’s the difference between PA-DSS and PABP?

Here’s the low down.  In 2005, Visa developed the Payment Application Best Practices (PABP). The purpose of the program was to guide software vendors in creating secure payment applications that prevent storage of sensitive cardholder data and mitigate cardholder data compromises.

Three years later, in 2008, the PCI Security Standards Council – made up of the major payment card brands — adopted Visa’s PABP and released it as the Payment Application Data Security Standard, or PA-DSS for short. In doing so, the PA-DSS replaced PABP for the purpose of the Visa’s payment application compliance program.  In other words, think PA-DSS, not PABP! 

The PCI SSC is transitioning all 555 products previously validated under Visa’s PABP over to a consolidated list located at the PCI SSC website, comprised of the validated PABP applications and newly validated PA-DSS applications. All new payment application assessments should undergo PA-DSS validation by a Payment Application Qualified Security Assessor (PA-QSA) and listing with the PCI SSC.  Another option is to go out of scope for PA-DSS by transferring the responsibility of handling sensitive cardholder data to a third party.

Each payment card brand has different requirements and deadlines for PA-DSS compliance.  At least up to this point, Visa has the most stringent deadlines for PA-DSS.  View them as well as other PCI compliance deadlines for each payment card brand in our blog post, PCI Compliance Deadlines. 

2010 marks an important year for PA-DSS compliance.  On July 1 Visa’s fifth PA-DSS security mandate takes effect.  While the first four Visa mandates allowed various PA-DSS workarounds, the Visa Phase 5 Security Mandate clearly will not.  Up until this mandate, merchants using payment applications before the adoption of PA-DSS and who have not switched processors since its adoption were grandfathered in and not required to update to a PA-DSS compliant application.  This is no longer the case as of July 1: all merchants will be required to use only PA-DSS compliant applications.

With these fast approaching deadlines and the effort required to achieve compliance, Independent Software Vendors (ISVs) are finding themselves faced with major resource constraints.  It’s tough enough for ISVs to keep up with the competition and customer demand to build feature rich functions much less plan for compliance mandates requiring significant development time and effort.  However, ISVs that don’t take these deadlines seriously or remove their applications from the scope of compliance will lose customers that they worked hard to get and will ultimately be forced out of business. 

Most ISVs should have a PA-DSS compliance plan in place by now.  If you don’t, start by reading our post on PA-DSS implementation and get moving fast.  For those with PA-DSS plans in place, be sure that you are reaching out to merchants using your software and informing them of the upcoming July 1 deadline.  If they haven’t upgraded to a PA-DSS compliant version of your application by this date, they risk losing the ability to process credit and debit card transactions. 

Visa PCI compliance can seem like the veritable fast-moving train upon which you should already be seated, ticket in hand.  Fortunately, the conductors of the train (Visa), have chosen to bring the train out of the station slowly enough to give everyone a fair chance to board it or, in some cases, catch up.

By implementing PA-DSS in distinct phases, Visa has afforded merchants and software vendors the opportunity to meet security standards at a gradual and manageable pace.  Rather than implementing wholesale security compliance mandates all at once, Visa’s compliance program has evolved through various phases.

As we wrote a post about recently, Visa’s Phase 4 Security Mandate for software vendors is quickly approaching.  While this is an important deadline, next year’s Visa Phase 5 Security Mandate represents the final stage in PA-DSS compliance.  All previous Visa security mandates have focused on identifying and phasing out payment applications that are not PA-DSS compliant.  The Visa Phase 5 Security Mandate, effective July 1, 2010, goes beyond removing non-compliant applications to require that only PA-DSS compliant applications be used:

Acquirers must ensure their merchants, VNPs and agents use only PA-DSS compliant applications.

While the first four Visa mandates allowed various PA-DSS workarounds, the Visa Phase 5 Security Mandate clearly will not.  Put simply, the advent of Phase 5 will only permit the use of PA-DSS compliant payment applications. 

With less than a year remaining, software vendors should begin planning for the final Visa PCI compliance mandate.

Related Posts and Pages:

Visa PA-DSS

PCI Compliance Deadlines

MasterCard PCI Compliance

As Ben Rothke wrote in a recent article, the much-ballyhooed debates in regard to PCI Compliance seem to shun the notion that PCI DSS is, effectively, evolutionary.  The PCI DSS “Lifecycle Process” (PDF) is intended to ensure that changes to PCI DSS follow a pre-determined 24-month cycle that allows for a gradual implementation of standards rather than drastic changes that would result in many organizations being suddenly non-compliant. 

Ironically, the very merchants for whom this gradual phasing-in was developed have been among the most vocal critics of PCI DSS.   Given such concern, it is hard to imagine the ferocity with which PCI DSS might be attacked were the entire PCI DSS “lifecycle” condensed and implemented at once; gradual implementation isn’t necessarily ideal for lockstep security, but it makes compliance among retailers far more realistic (and convenient), despite occasional assertions to the contrary. 

Similarly, merchants and software providers are witnessing Payment Application Data Security Standards (PA DSS) compliance continue on an evolutionary path, the ultimate goal being the elimination of vulnerable payment applications.   Accordingly, the payment application security mandates (PDF) set forth by Visa continue to move through the pre-determined five phases.

Visa PA DSS Compliance Deadline Approaching

As of October 1, 2009 merchants and software providers must decertify all known vulnerable payment applications, including those published on Visa's list of vulnerable payment applications. As future vulnerable payment applications are identified, VisaNet Processors, and agents, must decertify these, too, within 12 months.

What this means for merchants and software providers is that the age of relying on anything but compliant payment applications is nearing an end.  With the ability to accept credit cards at stake, trusting non-compliant applications hardly seems like a risk worth taking.

October 1 will be here quicker than you might realize.  Are you ready? 

Related Posts and Pages:

PA DSS Compliant Applications
Payment Application Data Security Standard (PA DSS)
PA DSS and PABP
Integrated Payment Processing
Hosted Payments

Knowing the critical deadlines for the Payment Card Industry Standards - PCI DSS, PA-DSS, and PCI PED - is vital for any merchant or payment service provider.  But finding all the PCI compliance dates can be tricky: even though the PCI Security Standards Council (PCI SSC) developed these standards, compliance is actually mandated by the individual payment card brands - Visa, Master Card, American Express, Discover and JCB International.

The PCI SSC does not currently maintain a comprehensive list of the PCI compliance deadlines on their site, so we compiled one here for each payment card brand, along with a link to their PCI compliance program section of their sites.  We hope you find this list useful.

Visa CISP (Cardholder Information Security Program)

Merchants

All compliance dates for Visa merchants have passed. Visa's PCI compliance validation requirements for merchants:

Level / Tier	Merchant Criteria	Validation Requirements
1	Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region	Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”) Quarterly network scan by Approved Scan Vendor (“ASV”) Attestation of Compliance Form
2	Merchants processing 1 million to 6 million Visa transactions annually (all channels)	Annual Self-Assessment Questionnaire (“SAQ”) Quarterly network scan by ASV Attestation of Compliance Form
3	Merchants processing 20,000 to 1 million Visa e-commerce transactions annually	Annual SAQ Quarterly network scan by ASV Attestation of Compliance Form
4	Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually	Annual SAQ recommended Quarterly network scan by ASV if applicable Compliance validation requirements set by acquirer

 

Service Providers

Level*	Validation Action	Validated By	Due Date
1	Annual On-Site PCI Data Security Assessment Quarterly Network Scan	Qualified Security Assessor Approved Scanning Vendor	2/1/2009
2	Annual PCI Self-Assessment Questionnaire Quarterly Network Scan	Service Provider Approved Scanning Vendor	2/1/2009

*Visa Service Provider Levels are defined as:
Level 1 - VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year
Level 2 - Any service provider that stores, processes and/or transmits less than 300,000 transactions per year

 

Software Applications - US and Canada*

Phase	Compliance Mandate	Effective Date
1	Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications	1/1/2008
2	VNPs and agents must only certify new payment applications to their platforms that are PA-DSS-compliant	7/1/2008
3	Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS-compliant applications	10/1/2008
4	VNPs and agents must decertify all vulnerable payment applications	10/1/2009
5	Acquirers must ensure their merchants, VNPs and agents use only PA-DSS compliant applications	7/1/2010

*In Asia Pacific, Central and Eastern Europe, Middle East and Africa, Latin America and the Caribbean (LAC), Visa acquirers must ensure that newly signed merchants use PA-DSS compliant applications by July 1, 2010. By July 1, 2012, those acquirers must ensure existing merchants and agents in the Visa network use PA-DSS compliant applications.

Visa CISP Program Home

Mastercard SDP Program (Site Data Protection)

Merchants

Merchant Definition	Criteria	Onsite Review	Self Assessment	Network Security Scan	Initial Compliance Validation Date
Level 1	Any merchant that has suffered a hack or an attack that resulted in an account data compromise Any merchant having greater than six million total combined MasterCard and Maestro transactions annually Any merchant meeting the Level 1 criteria of Visa Any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system	Required Annually	Not Required	Required Quarterly	6/30/2011
Level 2	Any merchant with greater than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually Any merchant meeting the Level 2 criteria of Visa	At Merchant Discretion	Required Annually	Required Quarterly	06/30/2011
Level 3	Any merchant with greater than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro ecommerce transactions annually Any merchant meeting the Level 3 criteria of Visa	Not Required	Required Annually	Required Quarterly	6/30/2005
Level 4	All other merchants	Not Required	Required Annually	Required Quarterly	Consult Acquirer

 

Service Providers

All compliance dates for Mastercard Service Providers have passed. Required validation procedures by level:

Service Provider Definition	Criteria	Requirement
Level 1	All TPPs All DSE’s that store, transmit, or process greater than 1,000,000 total combined MasterCard and Maestro transactions annually	Annual Onsite review performed by a Qualified Security Assessor (QSA)  Quarterly scan by an Approved Scanning Vendor (ASV)
Level 2	Includes all DSE’s that store, transmit, or process less than 1,000,000 total combined MasterCard and Maestro transactions annually	Annual Self-Assessment Questionnaire (SAQ)  Quarterly scan by an Approved Scanning Vendor (ASV)

Mastercard SDP Program Home

American Express Data Security

American Express requires merchants and service providers agree with their Data Security Operating Policy. American Express compliance dates are based on the date of the validation documentation: 90 days from the date of a scan, an updated scan document is due. One year (365 days) from the date of an Annual Onsite Audit, an updated Annual Onsite Audit is due.

Merchants

Level	Definition	Validation Documentation	Requirement
1	2.5 million American Express Card transactions or more per year; or any merchant that has had a data incident; or any merchant that American Express otherwise deems a Level 1	Annual Onsite Security Audit Report and Quarterly Network Scan	Mandatory
2	50,000 to 2.5 million American Express Card transactions per year	Quarterly Network Scan	Mandatory
3	Less than 50,000 American Express Card transactions per year	Quarterly Network Scan	Strongly Recommended

 

Service Providers

Compliance Requirements

Comply with the PA-DSS and the American Express Data Security Operating Policy Annual Onsite Security Audit Validation Documentation Quarterly Network Scan Validation Documentation

American Express Data Security Home

Discover Information Security & Compliance (DISC)

Merchants

Discover's Merchant Activity Calendar:

Activity	Date
Assessments started prior to 12/31/2008 may use PCI DSS v1.1 or PCI DSS v1.2	12/31/2008
All new assessments must use PCI DSS v1.2	1/1/2009
Last date that PCI DSS v1.1 assessments will be accepted	12/31/2009
All assessments must use PCI DSS v1.2 – PCI DSS v1.1 assessments no longer accepted	1/1/2010

Discover's Merchant Levels and Compliance Requirements:

Level	Description	Compliance Validation Requirements
1	All merchants processing a total of more than 6 million Discover Network card transactions per year Any merchant Discover Network, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements All merchants required by another payment brand to validate and report their compliance as a Level 1 merchant	Complete an annual on-site assessment using the PCI DSS Requirements and Security Assessment Procedures. On-site assessment may be performed by a Qualified Security Assessor OR merchant’s internal auditor Complete Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor
2	All merchants processing a total of 1 million to 6 million Discover Network card transactions per year All merchants required by another payment brand to validate and report their compliance as a Level 2 merchant	Complete an annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire ("SAQ") Complete Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor
3	All merchants processing a total of 20,000 to 1 million Discover Network card-not-present only transactions per year All merchants required by another payment brand to validate and report their compliance as a Level 3 merchant	Complete an annual self-assessment using the applicable PCI DSS SAQ Complete Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor
4	All other merchants	Validation and Reporting Requirements determined by the merchant's acquirer. Annual self-assessment using the applicable PCI DSS SAQ AND Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor are recommended

 

Service Providers

All service providers that process, store or transmit Discover Network cardholder data are required to report their compliance status to Discover Network on an annual basis. All compliance reports must be submitted by December 31 for the current year.

Assessment	Requirement
On-Site Assessment	Service providers that completed an on-site assessment using PCI DSS v1.2 are required to submit Appendix E of the PCI DSS Requirements and Security Assessment Procedures v1.2: Attestation of Compliance - Service Providers, as well as the Executive Summary of the Report on Compliance (ROC). Discover Network requires service providers that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance.
Self-Assessment	Service providers that perform a self-assessment are required to complete PCI DSS Self-Assessment Questionnaire D and submit the Service Provider Version of the Attestation of Compliance. Discover Network requires service providers that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" Section of the Attestation of Compliance.

Discover also strongly recommends that service providers and their agents use payment applications that have been validated as compliant with the PCI Payment Application Data Security Standard (PA-DSS).

DISC Home

JCB International

Contact JCB International directly for PCI compliance deadlines.