This is page 2 of:
Complying With Visa’s July 1 PA-DSS Mandate
Pages: 1 2
June 10th, 2010
In the same way you wouldn't buy your gold Rolex from a street vendor, you shouldn't buy a software payment application that is not on the PCI Council's list of PA-DSS validated applications, writes PCI Columnist Walter Conway.
His advice to retailers: If an application is not on the list, don't even include it in an RFP.
This Story Is Only Available For Premium Subscribers. Click Or Login In Below To Read The Rest Of This Story.
Already a Subscriber? Login Here
Pages: 1 2
5 Comments | Read Complying With Visa’s July 1 PA-DSS Mandate
Leave a Reply
Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
-Ed
June 10th, 2010 at 9:51 am
This deadline date is interesting, guidance in Europe from VISA Europe is as follows (of course VISA Inc will have their own opinion) :
Effective 1 July 2010, acquirers must ensure that all merchants using payment applications that store (or cause to be stored) sensitive authentication data post-authorisation, or applications that are listed as ‘‘vulnerable’’ by either Visa Europe or Visa Inc. must move to applications that do not store sensitive authentication data.
Effective 1 July 2010, acquirers must ensure that all new merchants only use PA-DSS compliant applications
————————————————-
But when you ask for further clarification they state reply with the following:
New merchants applies to brand new merchants only, not merchants moving from one acquirer to another.
Note the use of compliant, at this stage we are not mandating the certification of applications.
————————————————-
So breaking it down further, Acquirers must ensure merchants dont use a listed ‘vulnerable’ paymwent app from July 1st. Then, new merchants, who have never had a bank acocunt or business before must use a compliant app but not one that has been certified from July 1st..
June 10th, 2010 at 10:12 am
This deadline date is interesting, guidance in Europe from VISA Europe is as follows (of course VISA Inc will have their own opinion) :
Effective 1 July 2010, acquirers must ensure that all merchants using payment applications that store (or cause to be stored) sensitive authentication data post-authorisation, or applications that are listed as ‘‘vulnerable’’ by either Visa Europe or Visa Inc. must move to applications that do not store sensitive authentication data.
Effective 1 July 2010, acquirers must ensure that all new merchants only use PA-DSS compliant applications
————————————————-
But when you ask for further clarification they state reply with the following:
New merchants applies to brand new merchants only, not merchants moving from one acquirer to another.
Note the use of compliant, at this stage we are not mandating the certification of applications.
————————————————-
So breaking it down further, Acquirers must ensure merchants dont use a listed ‘vulnerable’ payment app from July 1st. Then, new merchants, who have never had a bank account or business before must use a compliant app but not one that has been certified from July 1st..
June 11th, 2010 at 5:00 pm
@Chalky,
I find it very surprising that Visa or any brand or acquirer would draw a distinction between a new vs. existing merchant, especially when it comes to PCI. To me it makes no sense. In fact, with merchant IDs and retail locations coming and going, I’m not even sure I know what a “new merchant” would be in this context.
In case you can’t tell, I’m really hoping that the person to whom you spoke misunderstood the question. Did you speak to a compliance/risk person? The answer you got is particularly confusing since several of the earlier mandates (that were part of the same release) dealt explicitly with “newly boarded merchants” as opposed to new merchants.
Merchant risk and PCI compliance is too important to have all kinds of conditions attached. Let’s hope Visa Europe clarifies.
June 13th, 2010 at 9:58 am
The repsonse came back via email from the compliance team for PA-DSS / Payment applications at VISA Europe……..I also asked to see the list of vulnerable ‘third-party apps’ mentioned in your article and they told me it doesnt get put on general release and only goes to the acquirers…….
June 13th, 2010 at 8:31 pm
Well, I guess Visa Europe did clarify their position as you say. I’m a little surprised, but it is their brand and their region, so I guess they get to make the rules. As for the list of known compromised apps, you got the standard response. Visa does not release that list, but as you say your acquirer has direct access to it and can advise you if any app (or version!) you have is known to have been compromised.
Thanks for the update from Visa.