PCI Revisions, Adding Application Software Requirements

The PCI Security Standards Council announced another building block to set of payment industry security standards. This one covers applications -- specifically those developed and then distributed to third parties -- that handle credit card data. A draft has been released (not publicly) for review. Final release is expected in a few months (Q1 2008). Official press release here. The official FAQ is here.

The new standard (called PA-DSS) is based on Visa's existing best practices for applications which can be found here (scroll down to the bottom and you'll find a link to the document or just click here). Thus, even though the new standard isn't released, one can get a preview by reading through that document.

Some more coverage here and here.

Key Points:

• Does not apply to internally developed applications by merchants (but these are subject to PCI DSS still)
  
• Based on existing Visa "Payment Application Best Practices"
• Will be publicly released in Q1 2008
  

(I would also anticipate that a future revision of this standard, or a similar counterpart, will come out covering in-house applications).

-jr