As cybersecurity threats grow, it has never been more important for retailers to protect sensitive consumer information. The Payment Card Industry Data Security Standard (PCI-DSS) and the Payment Application Data Security Standard (PA-DSS) were both created for this purpose. But how do these two standards differ from each other?
Both the PA-DSS and the PCI-DSS are designed to help companies protect credit card information and secure payment portals. Because their purposes overlap, telling PA-DSS apart from PCI-DSS can be a little difficult. It also doesn’t help that both data security compliance standards were created by the same entity: the Payment Card Industry Security Standards Council (PCI SSC).
The PCI SSC is a regulatory board formed by the five major credit card brands: Visa, Mastercard, Discover, American Express, and JCB. It is not only the big card brands that take part, however: financial institutions, merchants, payment processors, software developers, and point-of-sale vendors also participate in the PCI SSC.
Fortunately, the difference between these mandates is rather straightforward. Once you understand the specifics behind these standards, it should clear up any confusion. Let’s start by first explaining what PA-DSS is.
The PA-DSS is a set of requirements aimed at helping software vendors develop secure payment applications. Its rules apply to every third-party application that stores, processes, or transmits cardholder data as part of an authorization or settlement. The only software exempt from these requirements is software that is built and used in-house. However, in-house software is still subject to PCI-DSS compliance.
There are 14 requirements listed in the PA-DSS:
- Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data.
- Protect stored cardholder data.
- Provide secure authentication features.
- Log payment application activity.
- Develop secure payment applications.
- Protect wireless transmissions.
- Test payment applications to address vulnerabilities and maintain payment application updates.
- Facilitate secure network implementation.
- Never store cardholder data on a server connected to the internet.
- Facilitate secure remote access to the payment application.
- Encrypt sensitive traffic over public networks.
- Secure all non-console administrative access.
- Maintain PA-DSS instructions, documentation, and training programs for customers, resellers, and integrators.
- Assign PA-DSS responsibilities for personnel, and maintain training programs for personnel, customers, resellers, and integrators.
While many of the rules here align with the PCI-DSS, PA-DSS compliance does not guarantee PCI-DSS compliance.
The PCI-DSS is a set of requirements to ensure that any organization that handles credit card data processes, stores, and transmits that data securely. Launched in 2006, the purpose of the standard is to improve account security throughout the transaction process. The PCI-DSS is the industry’s primary compliance standard.
Because it is issued by an industry body rather than a local, state, or federal government, PCI-DSS is not a law, so you are not legally obligated to adopt it. However, the major card brands demand its use through the banks and other organizations that process credit card transactions, and failing to comply with PCI-DSS can leave your company unable to accept credit card transactions.
Like the PA-DSS, the PCI-DSS spells out its requirements. All 12 of them must be met in full to achieve compliance:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Protect all systems against malware and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
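Two controls appear in both lists above: never retaining sensitive authentication data once a transaction has been authorized (PA-DSS requirement 1) and rendering stored cardholder data unreadable (PA-DSS requirement 2, PCI-DSS requirement 3). The following Python is an added example, not code from the original article or from RCS Secure, showing what those controls look like inside a payment application: a record sanitizer that drops track data, card verification codes and PIN blocks and truncates the PAN before anything is persisted, and a small scanner that flags full card numbers leaking into application logs, which is the kind of evidence an assessor looks for. The field names, the sample authorization record and the log lines are constructed for this example; the Luhn check is only a heuristic, so a match is a candidate to investigate, not proof of a leak.

```python
import re
from typing import Any

# Sensitive authentication data (SAD): PA-DSS requirement 1 and PCI-DSS
# requirement 3 forbid keeping any of it once authorization is complete.
# These key names are an assumption for the example, not names from the standards.
SENSITIVE_AUTH_FIELDS = frozenset(
    {"track1", "track2", "cvv2", "cvc2", "cid", "cav2", "pin_block"}
)


def luhn_valid(digits: str) -> bool:
    """True if a 13-19 digit string passes the Luhn checksum used by card numbers.
    This is a heuristic for spotting candidate PANs, not proof that one is real."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Render a PAN unreadable for storage by keeping at most the first six and
    last four digits (the truncation limit PCI-DSS permits) and masking the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(auth_record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of a post-authorization record that is safe to persist:
    SAD fields dropped entirely and the PAN truncated. Other fields pass through."""
    safe = {k: v for k, v in auth_record.items() if k not in SENSITIVE_AUTH_FIELDS}
    if "pan" in safe:
        safe["pan"] = truncate_pan(str(safe["pan"]))
    return safe


# 13-19 digits, optionally separated by single spaces or dashes, bounded by
# non-digits so that a substring of a longer number is never considered on its own.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_exposed_pans(text: str) -> list[str]:
    """Return full PANs (digits only) found in free text such as a log line."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """Report (line number, truncated PAN) for every leaked card number, so the
    report itself does not become another copy of the full PAN."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_exposed_pans(line):
            findings.append((n, truncate_pan(pan)))
    return findings


# Constructed sample data: 4111 1111 1111 1111 is a well-known test number that
# passes Luhn; 4111111111111112 is one digit off and does not.
SAMPLE_AUTH_RECORD = {
    "pan": "4111111111111111",
    "expiry": "12/27",
    "cardholder": "J DOE",
    "cvv2": "123",
    "track2": "4111111111111111=27121010000000000",
    "amount": "19.99",
}
SAMPLE_LOG_LINES = [
    "2024-05-01T10:00:00Z auth ok merchant=123 pan=4111 1111 1111 1111 amount=19.99",
    "2024-05-01T10:00:01Z auth ok merchant=123 pan=411111******1111 amount=19.99",
    "2024-05-01T10:00:02Z order_id=4111111111111112 status=settled",
]

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_AUTH_RECORD))  # SAD gone, PAN truncated
    print(scan_log(SAMPLE_LOG_LINES))  # only line 1 carries a full PAN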
The main difference between PCI-DSS and PA-DSS is scope: PCI-DSS applies to any company that stores, processes, or transmits cardholder data, while PA-DSS applies specifically to vendors that produce and sell payment applications.
PA-DSS compliance begins with an audit. A PA-DSS Qualified Security Assessor must audit the application you developed and, during the assessment, confirm that it follows every requirement.
The PCI-DSS compliance process is slightly more involved. Every merchant is assigned a level based on the number of transactions it processes per year. The brand of the cards used in those transactions can influence the level, but the assessment requirements remain consistent across all levels.
Assessing PCI-DSS compliance depends not only on the level your business falls into but also on the type of business you conduct. Who audits your business, and how detailed that audit is, is determined by your merchant level.
Here are the three types of assessors that generally perform the audit:
- Qualified Security Assessor: a third-party assessor certified by the PCI SSC to perform PCI assessments. QSAs perform the assessments for all Level 1 merchants.
- Internal Security Assessor: an assessor who works inside your organization. The ISA must also be certified by the PCI SSC to perform PCI assessments.
- Self-Assessment Questionnaire: lower-level merchants use the self-assessment questionnaires to assess themselves.
If you need to reach PCI-DSS compliance, the experts at RCS Secure can help. From helping you build a secure network to identifying and mitigating vulnerabilities, we get your company ready for your audit.
Contact us today to learn more about how RCS Secure helps you achieve compliance.
RCS Secure offers a full spectrum of cybersecurity safeguards and services. Our services combine compliance standards expertise with cutting-edge technology to identify risks, prioritize remediation, and ensure you are both secure and compliant.