New PCI compliance standards go into effect July 1, 2010

Posted on August 6, 2009 by Les Jones

From VISA:


Visa Communication

Visa Announces Payment Application Security Mandates Across its Regions


New payment application security mandates require Visa clients to use, and ensure that their merchants and agents use, payment applications that adhere to the Payment Card Industry Payment Application Data Security Standard (PA-DSS). These security mandates require full compliance by July 1, 2012, and will not supersede any applicable, earlier regional deadlines and related enforcement programs already in place for the U.S. and Canada.  U.S. and Canada acquirers must ensure their merchants and agents only use PA-DSS compliant payment applications, to be in full compliance by July 1, 2010. These new payment application security mandates apply to all other Visa regions.  Note: Visa Europe operates as an independent company and licensee of Visa Inc. for business operations in Visa Europe markets. Visa Europe is aligned with the Visa payment application security framework, but has implemented its own set of mandates to drive compliance validation with the security initiatives outlined below. For information on the Visa Europe framework, please contact datasecuritystandards@visa.com.

These mandates, which will become effective over the next few years, require Visa clients to ensure that their merchants and agents use payment applications that are compliant with the PA-DSS. Compliance will be mandated in two phases:

Phase

Compliance Mandate

Effective Date

1

Newly boarded merchants that use payment application software must use PA-DSS compliant applications or be PCI DSS compliant

7/1/2010

2

Acquirers must ensure that merchants and agents use PA-DSS compliant payment applications

7/1/2012

For a list of products that have been independently validated against Visa’s Payment Application Best Practices (PABP) or the PA-DSS, please visit www.visa.com/pabp and www.pcisecuritystandards.org/security_standards/vpa.

For more information or questions related to this communication please review attached bulletin regarding the mandates or e-mail cisp@visa.com.

Notice: This information is CONFIDENTIAL and may only be used for the operation of Visa programs. It may not be duplicated, published, or disclosed without prior written permission from Visa.

First, the bad news: if you visit www.pcisecuritystandards.org/security_standards/vpa and select Application Type: Shopping Cart & Store Front there are only three shopping cart programs on the entire planet that are certified for the PA-DSS standard, and the certification for one of those expires in December.

Now the good news: that’s two more shopping carts than were certified when I checked a couple of months ago. By the time the July 1, 2010 deadline rolls around I expect many more shopping carts will be certified. Just be wary of any small or startup companies with tiny installed bases that might decide to cash in their chips before then. And of course it doesn’t hurt to get something in writing. And if you’re certified PCI compliant by a QSA you meet the Phase 1 qualification regardless of whether your software application meets the PA-DSS certification.

This entry was posted in E-commerce. Bookmark the permalink.

Comments are closed.