Believe it or not, one of the most important challenges in the last 2 decades facing the electronic payment industry is the problem regarding security requirements for various industries. Many people forget or tend to overlook and assume that only the Payment Card Industry Data Security Standard (PCI DSS) faces this challenge but the truth is that the problem is much bigger. In fact there are several security standards that are being used on a current basis.
To host your web site with a premium HIPAA and PCI Compliant Host click here
Due to its huge popularity and success, PCI DSS is becoming mistaken with the entire industry. The fact of the matter is that there are also other security standards such as HIPAA (the Hospital Insurance Portability and Accountability Act) of 1996 Title II, FACTA (Fair and Accurate Transaction Act) of 2003, the Graham-Leach-Bliley Act of 1999 and the Sarbanes Oxley Act of 2002. From these federal regulations only one stands out due to its popularity among merchants and the industry that it serves. HIPPA consists of two Titles, Title I deals with health insurance coverage for employees and their relatives while Title II deals with national standards for electronic health care transactions and the information associated with these transactions such as identification information for providers, health insurance plans, etc.
Many experts agree that the two compliance standards share many similarities and that they are also codependent. Both the Health Insurance Portability and Accountability Act (HIPAA) privacy standards and the Payment Card Industry Data Security Standards (PCI-DSS)strive to minimize risk exposure but if you take a careful look you will observe that they try to achieve this thorough subtle different ways.
PCI-DSS classifies those covered by the requirements in tiers, and those tiers are determined according to the amount of sensitive data covered. On the other hand HIPAA doesn’t classify them or at least not in a very clear way.
Another example of differences can be illustrated by the size of the requirements documents. PCI structures all the requirements together with workflows, charts and other material in a single document made of 73 pages. In the other case, HIPAA choose to decentralize their requirements in 9 separate documents which together make up for almost 200 pages.
PCI is very strict when it comes to its requirements whereas HIPAA separates their specification in two different categories depending on the level of reinforcement. The two categories are addressable and required. Addressable specifications mean they are not mandatory but they must be assessed for each individual separately. Required specifications are the ones that must be implemented
You can already observe a trend from the comparisons made above; the trend is that PCI is strict about its requirements whereas HIPAA just give some general guidelines.
If we take a closer look at these two standards and analyze them we can observe that these differences come from their very nature. The most important difference of all is that PCI-DSS is supported by a private institution which is the Payment Card Industry which in turn is supported by important companies such as American Express, Mastercard and Visa whereas HIPAA is supported by the government. It came to be due to political requirements. The reason for these two institutions to be created is fundamentally different and this echoes other differences. PCI was developed to ensure card companies that their products were secure and efficient so that people will use them and generate profit for the parent companies whereas HIPAA was created presumably out of need, but at its core was the desire of a man to be reelected.
Then again they also share some common principles. One of the most important is the implementation principle. In both cases poor implementation or the lack of knowledge regarding the requirements lead to a potential disaster. In both cases, the mistakes of merchants are severely punished because through their own mistakes they put the entire system (HIPAA or PCI) at risk and that is not tolerated. Another important common principle is the desire to make their system as safe as possible, to offer their clients the best possible experience although they achieve this through different means. Both standards share similar policies regarding, information access, management of the security process, assignment of security responsibility, contingency planning workstation use and disposal requirements and many more.
In conclusion the two systems are fundamentally different due to the fact that one is state owned and the other is privately owned but this doesn’t mean they do not have similarities. As I have showed previously they share common policies but they apply them differently.
If you’ve been in business online for some years, then you practically know exactly what the payment card industry data security standard is. However, if online trading and business is new to you, then it might be worth your while to become familiar with this term and to know exactly what it is. Knowing about an implementing PCI compliance can be crucial for your business, not to mention the fact that it’s more or less mandatory in online trading, business and industry today. So why should you bother with something like PCI compliance?
For PCI Compliant Hosting, we recommend Penguin Web Hosting
There are more reasons for being PCI compliant than simply doing so because it’s mandatory in the industry. The main reason why you should think about being PCI compliant is because it makes excellent sense and is in all justice your duty to your customers. After all, no business today can survive without sufficiently handling credit card transactions. Not being PCI compliant can lead to serious breaches of security, and lead to hackers accessing your databases of customer credit card information.
Were this to happen, just consider how your customers would lose confidence in you. Then consider just how many problems and delays would be incidental upon such a breach of security. Having your credit card database hacked is a serious issue and will require your attention to the exclusion of nearly everything else. Then consider the legal fees and lawsuits that would be an inevitable part of any such breach of security. What we are talking about here is a serious outlay of time and money. Ultimately though, beyond even this the loss of trust is perhaps the biggest disadvantage that you can sustain in an incident of this kind.
Actually, especially with smaller businesses there are sometimes appallingly large breaches of security. With people managing and operating their e-commerce sites from the most unsecured of locations online vendors stay connected on the twenty four hour bases while maintaining and using risky applications, such as chat, person-to-person sharing applications and even games. Every one of these can possibly be a window for a hacker to access your system, and very often they are.
Lastly, there are very definite penalties for companies that do not comply with the PCI standard. Large organizations that do not meet the regulations could face potentially enormous fines up to fifteen to twenty five thousand dollars per month. Lesser financial penalties could also be levied on smaller online e-commerce ventures.
While this enforcement of PCI compliance might seem rather dictatorial to some, it is nevertheless in an e-commerce venture owner’s own best interests. The root of the development of PCI compliance standards was the growing realization in the industry that companies had to protect their customers from hackers, spy ware and other sources of financial and information loss and identity theft. Such protection is crucial to the credibility of the company. Of course, with the advent of the PCI guidelines all sorts of software was developed to help a company monitor and ensure compliance with the said guidelines.
This software is especially important for a large company which cannot possibly oversee every single computer connection, network or even organizational unit, a company whose organizational units may well be scattered across the globe. For a large company a cloud based system would seem to be better, become deployment of such a system is easy and requires little extra support, and prevents a company from incurring any additional cost. There are also other benefits to a cloud based system.
Primarily, it provides a central hub, from which the company’s PCI compliance can be run and overseen, capable of deployment across any operational unit of the company, no matter where the location of that unit might be. The second advantage of a cloud based system is that it can handle a large array of functions and operate through a single platform and system. Cloud based systems also allow for micro controlling of individual units of the company spread out across the world with easy overviews of compliance levels of anyone unit and the risk factors associated with it available at the click of a mouth.
Best of all, such system can scan continuously for loop holes in the operating system of various units and can inform the system operator of remedies that need to be initiated. Best of all, the actions of various units are logged, providing easy analyses both to help prevent and in case of a hacker intrusion or similar security breach. Having a cloud based system in place can be vital in case of a real security breach or disaster allowing you to quickly detect the breach, clamp upon it, isolate important databases and files, and so limit the damage caused. Cloud based systems will also report their findings to the proper authorities if necessary.
We live in a modern world where speed and time are very important because nobody wants to waste time, especially “dead” time such as waiting in a queue, waiting for a receipt, waiting for the elevator, etc. Many industries understood this idea very well and made the necessary changes so that their clients could spend less time doing chores and gain more time for themselves. This trend is also present in the payment industry. Ever since the fall of 2011, the Payment Card Industry Security Standards Council (PCI SSC) released a document, which provided the necessary requirements for merchants, assessors and vendors to set up hardware-based P2PE products that are compliant with PCI DSS regulations and offer scope reduction for vendors. In other words, the council is working on a solution which will allow clients to pay with their mobile phones in a safer manner.
Top PCI DSS Web Host information
In the last period, information hackers have developed a system that would allow them to steal information while in transit. Visa issued a series of best practices which include data encryption protocols. The PCI SSC has looked at this problem and came up with a solution called P2PE, and everybody agreed that this is the best solution and that it is the next logical step for the future of the payment industry.
Point to point encryption (P2PE) or end to end encryption (E2EE) represents a service which transforms plaintext into a ciphertext and sends it to another device where the ciphertext is transformed into plaintext back again. The objective of this is to send sensible information without the risk of the information being hacked. This process allows a person to pay safely with his card while at the same time, keeping his information safe. Furthermore, this service allows vendors to minimize the risk exposure to information theft. P2PE is also compatible with mobile phones and that mean that people can pay safely using the smartphones without any worries.
P2PE offers many advantages:
Minimizes risk exposure for client and merchant alike
Easy to implement
Allows vendors to offer point-to-point encryption of cardholder data from point of entry to settlement.
In April 2012, the PCI DSS updated this article and released new information and concerning scenarios where there are several acquires and only one P2PE solution, the scope of assessment for P2PE products and to incorporate merchant-focused guidance for use of a validated P2PE product. The most important change brought by the updated is that while the first version of the document provided guidelines on how to implement the procedures, this version brings testing methods to verify if those standards are respected. With the help of these testing procedures, PCI got the complete P2PE picture. This means: training assessors to become qualified, and having them test the requirements so that in the end they could list P2PE products in the PCI website. Among these changes, based on the feedback from the vendors and merchants, they also made some esthetic changes and mare the requirements and guidelines as clear as possible to leave no room for misinterpretation.
“Probably one of the better examples of industry feedback and collaboration that we’ve got….This is a phased approach. The efforts on this technology are centered on trying to help merchants reduce the scope of their PCI compliance footprint.” this is how the general manager of the PCI SSC, Bob Russo, described P2PE. During this summer, the council has set to continue the P2PE program with the next step, which is to develop requirements for products which use simultaneously hardware-based encryption and decryption, as well as software that is able to deal with transaction-level cryptographic keys for decryption.
People are starting more and more to pay using the mobile phones. It is no wonder as this payment method offers many advantages but sadly at the moment it is not as safe as other payment methods. Thankfully the PCI SSC realized that in the near future people will be paying more via phones rather than with the outdated plastic card. This is why the council is working hard to make paying with mobile phones more safe. Taking into consideration that this summer assessors will be able to verify the requirements imposed to the vendors, it will be a short while longer until we can pay safely and fast with our mobile phones.
A big percentage of the people who have jobs have to travel in order to fulfill their tasks. Travelling implies several risks with which we have grown accustomed to. Furthermore people who travel use the internet much more that those who do not travel. While travelling we have become used to always stay connected with our friends and families as well as business partners. Hotels have noticed this trend and as a complementary service, they offer free Wi-Fi for their guests. Recent news has uncovered yet another risk which nobody suspected so far. The F.B.I has recently released a report in which it states that in certain countries, hotel guests have been subjects of information thievery from their personal computers. This act of thievery was accomplished through malware installed via hotel networks.
For secure web hosting click here
Clients would connect their computers to the hotels internet network and suddenly pop ups would appear on their screens, requesting them to allow the update of a certain program. But actually behind the appearance of a simple and innocent update, a malware program is disguised. In this manner several computers were hacked and information was stolen. The F.B.I. wasn’t very specific with regards to what country, or what updates caused all the hustle but a report published by Bloomberg mentions Marriot International Inc. as one location where Chinese hackers have stolen sensitive information from around 760 companies via the iBahn broadband. Among the victims of this information thievery we can mention Research in Motion Ltd. and Boston Scientific Corp and also important companies who activate in the research and innovation sectors.
The F.B.I. did not mention the countries where these attacks took place and many speculated that they happened abroad. It is a big mistake to presume you are safe in your own country as software engineer Justin Watt has proved. While staying at a Marriott International hotel in the U.S. he noticed strange activities on his computer as he was logging onto the hotels internet network. He noticed a programming code that was installing on his computer to push third-party advertisement to users. Marriot International, quickly release an official press release, claiming they did not know about these attacks.
The F.B.I releases some guidelines on how to protect yourself from these attacks in case you find yourself in the same situation as Marriott’s guests:
- First and foremost, in case any update is required, make sure it is downloaded from its official site
- As a preventive measure try to update your computer before traveling so that you should expect no updates during your stay.
- You should check the author or digital certificate of any popup in order to see if it corresponds to the software vendor.
- Try as much as possible to limit the use of your laptop and thus limiting the risk of malware being installed
Hopefully by respecting these guidelines you could avoid becoming a victim of information theft. It would have been more helpful if the F.B.I mentioned exact names and locations instead of being ambiguous but probably this was due to diplomacy relations.
Hopefully, in the near future more permanent and more effective solutions should be implemented because at the moment the best way to protect yourself and your information is not to bring your laptop in your travels, but for some of us that is impossible as we work on our laptops and we also require internet connections.
For years now, many of us have been taking Wi Fi connections for granted and never doubted their security level. But due to these latest events all our conception about the security of Wi Fi connection are about to change. In the future we should pay more attention on what updates we install on our computers and probably investing in an effective and efficient firewall will become a priority. Although little information has been released, this story is far from over; I expect continuity in the story so that we can be aware of the dangers.
Hotel chains will also invest more in their network security as information theft from their guests is bad for business. It is yet unclear what measures, the hotel chains will take but they will surely think twice about their security levels. These news raised awareness among tourists, and hotel owners alike and in the near future we might be able to see the first efforts towards making internet networks more secure.
PCI standards often change and news updates are available weekly. For those who work in the field or related, for example merchants that use PCI Compliant Hosting, it is vital to be updated so that nothing important escapes them. 2012 did not bring just another new year but also a lot of changes. Judging on the press releases from the official website of PCI Security Standard Council one might say that the emphasis this year will be on cloud computing and mobile security. There other important topics as well such as changes on the PCI Council and new measures to techniques to increase the safety of online transactions.
The beginning of the year started off with concerns regarding security levels for cloud computing. Some voices say that vendors and consumers who are part of the cloud system fear the lack of security but that may be caused by a lack of education. As in all cases, time will tell if could computing is superior to conventional methods of keeping data safe.
The end of January brings news related to could computing and PCI. Experts such as Michael Dahn, director of threat and vulnerability management at PricewaterhouseCoopers, Chenxi Wang, vice president and principle analyst at Cambridge and Ed Moyle, a senior security strategist at Savvis and founding partner of consultancy Security Curve share their opinions on cloud computing and PCI compliance. The main idea is that in the last couple of years, merchants have switched to cloud computing, either for cutting costs or to reduce the complexity of their own systems, but in the end if something bad happens the merchant together with the cloud provider will share the blame.
After numerous entreaties Bob Russo, general manager of the council announced on the 9th of February 2012 that the PCI is going to allow end users to receive certification which proves that they are qualified in managing a company for a PCI assessment. The certification is yet to be named but it is known that people will have to take an online test and for those how want to follow a course they will have this option made available in the near future. Bob Russo comments that most of the people who wanted this certification want it just for the title but there is also a smaller group of persons represented by experts and professionals who want the title to attest their experience and knowledge on PCI compliance. The council also released information according to which assessors can choose training programs where they will learn how to validate point-to-point encryption products.
February brings perhaps the most important piece of news for this year. There has been made a strategic change at the top level of the council. Michael Mitchell has been announced on the 10th of February 2012 that he will be replacing Eduardo Perez ass chairperson of the PCI council. Michael has a very impressive experience in the industry and management domain. He also has proven to be a great leader and he will be a great asset for the PCI team. Michael’s new role will make him responsible for various risk management functions, the global compliance operations as well as for the secure processing of payment data throughout the transaction lifecycle. Michael commented on the council new agenda for 2012 and he said this will be an interesting year because it will bring new challenges and opportunities.
The latest news coming from the PCI Security Standards Council shows what will be the main focus of the council for 2012. Mobile devices are becoming more popular and they have the potential of becoming a very important payment tool. Unfortunately mobile and software companies didn’t take into consideration that as the mobile market will increase and people will start using them more and more for payments, the risk of their security being breached will increase exponentially. Mike Mitchell, PCI SSC chairman, commented on the topic and said “We have special interest groups that will be looking at how to take a risk-based approach to the next level”. Back in 2011 the council released some general guidelines but now they will concentrate a lot of effort in some best practices.
So far 2012 has been kind to the PCI council as it offers only good news. Of course there are some new challenges regarding the security for payments made with mobile devices but they can also turn into opportunities. The most notable change so far has to be the change at the top level of the council, Michael Mitchell being the new asset.
PCI Compliance in 2012
Most people know how in the context of the market today, the number of possibilities is so high that they stopped counting.
From transactions concluded at home in front of the laptop for paying bills or with the phone, every new technology developed changes in people’s lives in a certain percentage.
Only yesterday if one wanted a T-shirt from a foreign country you would need some contacts from outside to send you the T-shirt, but today, with the newly developed technologies, this is possible from home, at a personal computer without any further “headaches”.
But, all these new changes although they improve our lives, also lead to the development of new risks, so the company has to learn to deal with or, the customer has to face.
One of these risks is the increasing possibility of fraud in what concerns the use of credit cards for transactions while acquiring various products.
This is why companies involved in producing credit cards have developed the Payment Card Industry Data Security Standard, a set of regulations that merchants have to comply with in order to keep their customers’ transactions safe.
To be compliant with all the regulations specified in the standard is not an easy task and most companies do not manage to comply. The most important issue represents the language of the regulations, which is not very easy to understand if employees are not trained for it.
Furthermore, when technology is evolving so fast and new payment methods are discovered, it can become very challenging for companies to implement these regulations only to change them again in the following year.
What will be the challenges in 2012 for PCI compliance standard and for companies?
Some changes regarding the implementation of regulations have already been announced on MasterCard’s website regarding Levels 1 and 2 of merchants and the audit they have to perform.
On a more general level, the number of companies who will try to automate the security services will most probably increase a lot. This automated security services will help companies not depend on periodical audits and will be able to focus more on getting things right.
Nevertheless, this does not mean that the challenges will not be high and that risks will not evolve. In 2012, due to so many evolutions occurring such as cloud computing or EMV cards, it will be very difficult for companies to both implement and adapt to the possible risks that can occur.
Another important change expected in 2012, is having more companies move their services to cloud computing. Since 2010, this has been a major issue of discussion, since PCI announced the new virtualization environment including cloud computing.
Nevertheless, for many organizations this has proved to be a useful solution in terms of costs (it is cheaper to host your servers on a cloud computing than buying a server to implement locally) and time (with its web browser interface it proves to be user friendly and help the customer save a lot of time).
Along with all this, 2012 will also meet the higher usage of smart cards. The future of e-commerce is very linked to this development, so PCI regulations will have to meet this point.
What else will 2012 bring? Although PCI has not announced the release of some important changes, as stated many times before in this article, it is up to companies to keep on maintaining their PCI certificate and meeting the requirements.
For a company, being secured should be an obligation first of all towards consumers and offering them the possibility to perform a safe transaction and afterwards, an obligation towards legal entities. Although the fines for not being compliant with the PCI regulations can reach a very high level, companies should not implement these policies just for the fear of receiving a fine, but to be safe.
The use of a cloud computing tool has been proved to be safe and companies that make sure that they choose the right service provider and that they comply in respect to all other issues, this can become a very cost and time effective solution.
This was just an example mentioned before in this article to underline the importance of certain aspects related to PCI and cast a light upon the reluctance towards the implementation of this policy.
After all, the merchants’ only goal besides selling should be taking care of their clients.
For someone starting out an online business for the first time, security can be a serious consideration. Of course, larger companies have all sorts of security protocols in place to protect important information, for example, credit card databases from being accessed by hackers. But what can you as a small online vendor do to protect yourself? Well, one of the things that can certainly be implemented by even the smallest vendor is to comply with the payment card industry data security standard.
Compliance to the PCI standard ensures that your customers are protected against all sorts of possible information and identity theft. And of course such compliance can vastly benefit you as well.
Now if you explore this issue further, you’ll find yourself coming up against two terms. One would be “PCI compliance” and the other would be “PCI certification”. So what’s the difference, really? Well, PCI compliance is your own compliance with industry standards, whereas PCI certification is the certification a third party company gives you after having tested your ventures for PCI compliance.
Now there are all sorts of reasons why you should be PCI compliant, many of which you will be able to see for yourself, however let me touch upon a few important points. For one thing, in any online financial transaction trust is perhaps the most important commodity. Your customers trust you with their personal and credit card information, and trust you to keep that information safe. A betrayal of this trust can have serious ramifications for your business. Obviously, a customer whose credit card information or identity is stolen is unlikely to come back to you or deal with you again.
Then consider the legal fees and inevitable lawsuits that would be incident upon any such occurrence. And then, consider the time you would invest in this issue. So, a hacker accessing your database can cause serious problems and massive loses for your business – loses that are measured in customers’ trust, in the time you spend resolving this issue and in the amounts you pay out as penalties and legal fees. Too many owners of small businesses run their businesses hoping that nothing will happen, but the simple fact is that hackers are growing increasingly proficient, and have found ways around almost every form of security system and protocol.
As a matter of fact, they pose a serious threat to online trade and industry today, a threat that the industry has come together to meet by implementing the PCI standard. But there is more that you can do than even PCI compliance to ensure online security. For example, applications like chat, person-to-person file sharers and even games can be a threat to your security. If you are running any of these applications on your main server, it can be a possible door way for a hacker to access your system.
Remember, that many applications can be infected by viruses and spy ware, and that these viruses could steel information from your databases and pass them on to their creators. But that’s not all. There are actually lots of penalties that you can come up against if you fail to meet the PCI standard. This can be a potential stumbling block, especially for large companies, which could face financial penalties of between twenty to thirty thousand dollars a month in case of non compliance. Smaller ventures could face smaller but still significant penalties. So how does one go about being PCI compliant? For a smaller venture it isn’t hard, especially if you run a single server, with a limited amount of systems operational upon it. I’ll roughly spell out the guide lines, necessary to ensure PCI compliance.
A small company needs to have an absolutely secure firewall in place that will protect transactions and prevent security breaches. It is also required that system passwords be non standard and complex. Moreover, your credit card database needs to be encrypted to protect the information contained in it. You need to have antivirus defenses in place to protect your system from viruses and spy ware. The number of people who can access the higher level of system security and control needs to be limited to the very minimum. Following these guidelines might seem complicated, but actually they are simple enough to implement, and really what all the PCI guidelines called for is the simple implication of common sense.
For example, it is asking for trouble to download strange software from the internet randomly and to install it on your server. Many such applications are infected with viruses and spy ware, and both are a threat to the security of your system. Basically, all you have to do to comply with PCI guidelines is to keep your operating system as clean as possible and running the minimum amount of applications.
Ideally, the only applications you should run on your server are those you actually need to operate your business. This, combined with a good antivirus and anti spy ware software will usually ensure that you comply with PCI guidelines.
The Payment Application Data Security Standard represents the global standard created by PCI SSC for providing definitive standards for vendors of software applications which develop payment applications. The PA-DSS requirements are developed based on the requirements and changes of PCI-DSS.
The PCI DSS published a list containing the validated payment applications as being PA-DSS compliant. In this way, all interested merchants in payment applications can have full access to secure and well developed software applications for ecommerce purposes.
After all, the payment applications developed are designed for ecommerce purposes enabling business to easily control and administer the shopping cart and other such features. Ensuring the security of cardholder data and making the online shopping more secure is the main purpose of PA-DSS. However, in order to receive a PA-DSS certification this implies costs and regular assessment processes.
Similarly, only 85% of online stores require PA-DSS certification but if you decide to buy payment applications from these software providers you can be confident that cardholder security will be ensured for all your transaction as well as quality services. In this way, the PA-DSS certification applies in the case of specific ecommerce systems and payment applications.
When is PA-DSS required?
If you are still wondering whether you need PA-DSS certification or not, you should be aware of the following situations:
PA-DSS is required if you use a payment application which is installed “off the shelf”
PA-DSS is required if you accept credit cards and use cardholder data on your “off the shelf” shopping cart
However, if your payment application does not transmit or stores cardholder data and credit card information, you do not need a PA-DSS certificate and neither if you use a custom shopping cart.
How to avoid compliance with PA-DSS?
Starting with 1st of July 2010, vendors who accept credit card payments were required to be PA-DSS certified. But, in order to avoid the costs involved by PA-DSS certification an alternative for software vendors would be the use of an offsite gateway. This means that the user will be directly set to the actual payment gateway for payment. In this way, the software vendor will not store nor transmit cardholder data. This is an alternative for avoiding the PA-DSS compliance issue, even if it might look unprofessional.
Requirements imposed by PA-DSS certification
For a payment application to be PA-DSS compliant, the software vendors must make sure that their payment applications fulfill the 14 requirements listed below:
There must not be retained data regarding the card validation date, code, full magnetic stripe and neither PIN block information
Protection ensured for cardholder data
The payment application must provide secure authentication features
There must be a log activity for the payment application
Well-developed and secure payment applications
Protection must be ensured for wireless transmissions
The payment applications must be tested to address vulnerabilities
The payment applications must be able to facilitate secure network implementation
The cardholder data must not be stored on a Internet connected server
The payment applications must securely facilitate remote software updates
Remote access to the payment applications must securely facilitated
The encryption of sensitive traffic over public networks
The encryption of all non-console administrative access
The payment applications should maintain training and documentation for customers, integrators and resellers.
If you want to receive a PA-DSS certification you should first make sure your payment application satisfied the above requirements and protections. Once you have received a PA-DSS certification you will be included within the list of validated payment applications of the PCI SSC.
In conclusion, if are a software vendor of payment applications it is important to be informed regarding the PA-DSS certification requirements. Similarly, you should also be aware of the advantages and security guaranteed by a PA-DSS certification, such as being included in the list of validated payment applications of PCI SSC. In the same way, maybe there are some available alternative to avoid the costs incurred by PA-DSS compliance, such as using an offsite gateway.
In 2007, with the purpose of enforcing more security for cardholder security and avoid personal information theft in the case of credit card payment processes, the PCI Security Standards Council (PCI SSC) has introduced the PCI Data Security Standard (PCI DSS). In this way, the PCI DSS ensures security for all cardholder data which might be stored, transmitted or processed by any merchant.
At the end of 2008, the PA-DSS 1.2 version was launched in order to align with the PCI DSS requirements and to cover the changes occurred in terms of PCI compliance. The latest version of PA-DSS 2.0 was launched in October 2010, when updates were made according to the new PCI DSS version 2.0.
PCI DSS Compliant Web Hosting allows you to upload PA-DSS approved 3rd party credit card processing, storage and/or management software.
Similarities between PCI-DSS and PA-DSS
In order to understand the difference between these two important issues, it would be helpful to first be aware of their similarities, listed below:
- Both, PCI-DSS and PA-DSS, are Digital Security Standards through which merchants ensure cardholder security, but at different levels;
- The PCI Security Standards Council analyzes and oversees the implementation and development of PCI-DSS, respectively PA-DSS;
- The same lifecycle for changes: By means of the community meetings, the PCI-DSS and PA-DSS changes are being determined. This lifecycle lasts for 36 months (3 years). Since the PA-DSS was created based on the PCI-DSS requirements, the lifecycle changes also apply in for PA-DSS.
Both of these standards are being managed by the PCI SSC and stick the same lifecycle for changes with the following stages: Stage 1 – Standards published (October of Year 1 after a new lifecyle has been initiated); Stage 2 – Standards effective (January 1st of Year 1); Stage 3 – Market implementation (throughout Year1); Stage 4- Feedback begins (November-March of Year 2); Stage 5 – Old standards retired (until 31st of December Year 2); Stage 6 – Feedback review (April-August Year 2); Stage 7 – Draft revisions (November-April Year 3); Stage 8 – Final review (May-July year 3). Stages 1-3 last for a whole year, Stages 4-6 during the second year of lifecycle, while the Stages 5-8 during the third year of lifecyle for changes.
Apart from these common issues, there are plenty of other aspects which differentiate PCI-DSS from PA-DSS.
Differences between PCI-DSS and PA-DSS
One of the most important differentiations is related to the objective of each of these standards: in this way, the PA-DSS is only for software providers that develop Payment Application (hence the abbreviation PA), while the PCI-DSS is a MUST for all merchants who deal with cardholder information and data.
Furthermore, there are different deadlines for implementing these standards: for instance, all software providers of payment applications had to be PA-DSS compliant until the latest 1st of July 2010. In this way, the deadline of these two standards is not connected to one another.
The relationship between PCI-DSS and PA-DSS
Based on the similarities and differences mentioned above, we may determine whether there is actually a relationship between PCI-DSS and PA-DSS or not.
Due to the fact that PA-DSS was developed 2-3 years later after the implementation of PCI-DSS, there is a connection. More specifically, the requirements and specifications for PA-DSS were developed based on the PCI DSS Requirements and Security Assessment Procedures – this proves the relationship between these standards.
Moreover, being compliant with PA-DSS does not mean an entity is also PCI-DSS compliant. In addition, not all payment application vendors are requested to be PCI compliant since some such vendors do not store cardholder information, thus being required only PA-DSS compliance. In the same way, since the payment applications are developed for merchants to secure customer’s cardholder data, these applications are developed based on the PCI-DSS requirements.
The best way to minimize and prevent the potential risks for security breaching is the implementation of PA-DSS within a PCI-DSS compliance-environment.
To sum up, there is definitely a relationship between PCI-DSS and PA-DSS sustained by the similarities between these two standards, but there are also specific issues which prove the purpose, objective and scope for each of these standards. It is important to be informed regarding these issues and if you are a merchant or software vendor for payment applications it will make it easier for you to ensure cardholder security.
A number of people have come to me after failing a PCI scan and the recommendation from their current host was to “just pay the fine, its only $20/mo, that’s much better than having to worry about it”. This is the PCI non-compliance fine, or also called fee or service charge, assessed by your merchant account provider.
Unfortunately that’s like telling you to keep speeding, the tickets aren’t that expensive. Well while that may work for a little while, unfortunately that’s going to get you in a lot more trouble down the road.
First of all, your probably failing the PCI scan for a good reason, and then people who have come to me, failed for major items such as really old versions of PHP or mySQL that their host is running.
Second, the $20 fine assessed by your bank/merchant provider is going to go up, as with all bank fees. There have been talks that some banks plan to raise this to $100/mo or more.
Third,that fee is minimal compared to what the payment card industry can fine you if there is a security breach and customer data is compromised. Those fines can easily be in the 10’s of thousands of dollars, even for small businesses where only a handful of credit card numbers were compromised.
Forth, you can get a PCI compliant hosting plan for less than $20, such as this shared PCI compliant hosting plan from Penguin Web Hosting, and then you won’t have to pay your old host any more either.
After reading this we hope you won’t “just pay the fine”, and think twice about the security of your current host if you are not passing a PCI scan.