PCI Application Security: Who's Guarding the Data Bank?

Ben Rothke and David Mundhenk offer compliance strategies for PCI's new application security requirements


COTS payment processing applications that are sold or leased to the public have more stringent requirements for application security compliance. These requirements were originally developed, implemented and enforced by Visa and were known as the Payment Application Best Practices (PABP) standard.

Over the years these requirements served the industry well and have helped to protect Visa credit card commerce wherever compliant applications have been implemented. Unfortunately, however, the PABP was focused primarily upon applications processing Visa payments, and the enhanced security benefits could not be shared across all payment card brands. It became obvious that a broader, more encompassing application security standard was in order; this is where PCI Payment Application Data Security Standard (PA-DSS) came into play.

In November 2007, the PCI Security Standards Council (SSC) announced that PABP will be superseded by the PCI Payment Application Data Security Standard (PA-DSS). In doing so the PCI SSC became the sole entity to maintain these new card-brand-independent requirements and oversee compliance with this new security standard. Payment applications that have previously been certified as compliant with the most current versions of the PABP specification will have their certification grandfathered for a limited time, and be given a grace period before they must be recertified under the new PA-DSS.

Newly developed commerce applications that are sold to the public will have to be tested and found compliant with PA-DSS requirements starting in October 2008. The two standards are similar, and indeed a majority of PA-DSS content is based upon the previously well-defined PABP requirements. There are some distinct differences between the two, however, including a very stringent requirement for the PA-DSS QSA to validate the environment that is used for all application security testing.

In addition, the PA-DSS Implementation Guide (similar to PABP's Best Practices Implementation Guide) has detailed references on how to securely implement the payment application and related systems in a specific supported, compliant configuration. It also clearly states that any deviations from specific supported configurations may indeed jeopardize PCI DSS compliance for merchants and businesses who implement the chosen COTS payment application.

Additional Visa Mandates

Beginning in January 2008, Visa raised the bar on application security when they announced a series of new mandates. Ultimately, these mandates are designed to eliminate the use of what are deemed to be vulnerable payment applications from Visa's payment processing networks. To quote from their announcement, "These mandates require acquirers to ensure their merchants and agents to not use payment applications known to retain prohibited data."

The initial Visa mandates will be focused primarily on new payment applications to be connected to the Visa payment processing system this year. As the other additional mandates are phased in over time, however, their overall objective is to force the eventual de-commissioning of all known vulnerable payment processing systems from Visa networks by July 2010.

In addition, Visa will be publishing a list of current known vulnerable applications and providing that information to acquirers. By doing so, Visa can ensure that acquirers will hold their merchants and agents accountable for using only non-vulnerable payment processing systems.


Web applications have become the backbone of banking and e-commerce. POS and payment processing applications leveraging web and web-like technologies are being deployed as the next generation alternative to similar legacy systems. They connect end-users, customers, merchants, agents, and partners and process sensitive data including personal and financial information which is of the highest value. They do so anywhere, everywhere, anytime, and in real time. The need for significantly enhanced application security becomes paramount, and as a result the importance of PCI DSS and PA-DSS application security requirements become even more focused.

While application security presents some of the most challenging, and possibly the most costly, barriers to compliance with PCI DSS, requirement 6.6 is far too important to ignore, no matter how difficult it is or how high the cost. Your organization's future depends on securing web applications, and the costs of an unauthorized breach will eclipse the costs of doing the right thing by protecting the applications and sensitive data in the first place.

Ben Rothke CISSP, QSA (ben.rothke@bt.com) is a Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill Professional Education).

David Mundhenk CISSP, PCI-DSS & PA-DSS QSA, QPASP (stratamund@sbcglobal.net) is a Security Consultant with a major professional services firm.

Copyright © 2008 IDG Communications, Inc.
