The Payment Application Data Security Standard (PA DSS), which requires organizations that handle credit card payment transactions to use only versions of payment applications that comply with the standard, has been around for nearly two years. PA DSS aims to ensure that commercial payment applications support compliance with the PCI Data Security Standard and don't store prohibited information such as full magnetic stripe data. However, our research indicates that both awareness of, and compliance with this standard are surprisingly low.
Even those merchants and financial institutions that have been PCI compliant for years have yet to upgrade their payment applications and related software to PA DSS compliant versions. Financial institutions not only need to be PA DSS compliant, but those that are card acquirers have the added burden of ensuring their merchants comply.
So why are organizations lagging in PA DSS compliance? It's not for lack of available validated compliant applications. The PCI Security Standards Council's regularly maintained "white list" includes about 400 payment applications from over 200 vendors. Based on our interviews with retailers and other organizations, it's the lack of threatening letters specific to PA DSS that seem to be the culprit. Merchants are holding off investing the money in application upgrades until they get a specific letter from their payment processor or acquiring bank that tells them they are out of compliance, specifies which applications they have to upgrade, and stipulates a clear penalty for not doing so that exceeds the amount they would have to invest.
Why is such a letter hard to come by? Theoretically, the payment processor can tell whether the merchant is running a compliant version of each payment application they use, across the various channels through which the merchant does business. In practice, however, the use of payment gateways and other third parties makes it difficult for a merchant to know exactly what applications and versions (let alone middleware) are in use, which means the processor or acquiring bank can only issue relatively generic "please upgrade" letters.
It's worth noting that payment applications developed internally by a retailer or financial-services firm are not subject to PA DSS, however, they are subject to PCI DSS compliance. One gray area relative to PA DSS is when a commercial payment application is customized by a third party or by the company that purchased it. The nature and degree of customization determines whether it becomes a "bespoke" application and is no longer subject to PA DSS compliance testing.
Considering the fact that not running PA DSS compliant applications automatically means an organization fails their PCI DSS annual assessment, both merchants and financial institutions should be much more focused on getting their payment applications upgraded to validated versions than they appear to be. The reality is that many small and midsize merchants simply don't know -- or don't want to know -- whether their payment applications, or the vendors who supply their applications, are compliant. Mind you, small and midsize merchants face the same compliance deadlines as larger or high transaction volume merchants.
Since the major PA DSS deadline is July 1, 2010, most merchants assume their processor and/or acquirer will let them slide on PA DSS compliance the first time around. Some merchants have told us they do not expect to get any major fines levied before 2011, and by then they expect the economy will have rebounded and revenues will be up to the point that they can afford to do the mandated POS and Web commerce upgrades. It's not that organizations we've interviewed don't care about security or PCI compliance. They do. But until they can go to management with a very specific letter from their processor that tells them what they need to do to achieve PA DSS compliance; most are playing the "wait and see" game.
For financial institutions that are under pressure to get their merchant portfolio compliant, the application-vendor community is their best ally. Some of these vendors have already spent tens, even hundreds of thousands of dollars to get their applications compliant, and they are even more frustrated by the lack of merchant interest in PA DSS. A joint awareness campaign fortified with very specific PA DSS upgrade costs and ROI data could be very useful in helping move PA DSS compliance forward in advance of the July 1, 2010 deadline. After that, demand will be driven by the level of fines imposed.
About the author:
David Taylor, CISSP, is founder of the PCI Knowledge Base , a research community that shares information and knowledge to help merchants, banks and other organizations achieve PCI compliance. Taylor was an analyst and executive at Gartner Inc. for 14 years . He holds a Ph.D. in organizational psychology and authored Doing E-Business, published by Wiley (2000). He can be reached at David.Taylor@KnowPCI.com.