
Securing Card Account Data is Everyone's Responsibility

Every entity around the world involved in payment card transactions – including hardware/device manufacturers and software developers, as well as banks, service providers and merchants – must continually focus on safeguarding payment card data. In addition to the requirements laid out in the PCI Data Security Standard (PCI DSS), the Council has created programs specifically aimed at developers and device manufacturers, available via the links below.

These programs include:

Resources for Assessing PCI DSS Compliance

  • Information Supplements
    Documents related to the security framework of the Payment Card Industry Data Security Standard (PCI DSS)




The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold or distributed to third parties. Payment applications validated against PA-DSS, when implemented in a PCI DSS-compliant environment, minimize the potential for security breaches that lead to compromises of full magnetic stripe data, card validation codes and values (CAV2, CID, CVC2, CVV2), PINs and PIN blocks, and the damaging fraud resulting from these breaches. Internally developed applications that are not sold or distributed to third parties are not subject to PCI PA-DSS but are subject to PCI DSS.

PCI DSS is the standard for merchants and service providers to protect cardholder data. The PA-DSS and PTS device security requirements support the overall implementation of PCI DSS by allowing merchants to choose from Council-certified payment applications and PTS devices to further cardholder data security. PA-DSS and PTS are not merchant initiatives. Rather, they are geared toward the application providers and PTS device manufacturers who must submit their applications and devices for testing against the standards.

PCI DSS requirement 3.3 requires that the PAN be masked when it is displayed (for example, on screens, logs, reports, receipts), unless the viewing party has a specific need to see the full card number. A business need may exist to confirm that the correct number was entered before the transaction is completed (for example, by customer service representatives). To compensate for not masking the PAN on screen for these types of transactions, controls such as Time To Live (TTL) or webpage "timeouts" should be deployed so that the screen does not display the card number indefinitely. Additionally, as with all websites that transmit cardholder data, the website that displays the PAN should be SSL enabled to ensure the data is secured as it is entered and validated.
Merchants that store payment account data should contact the acquiring financial institutions with whom they have merchant agreements to determine whether they must validate compliance and the specific requirements for compliance validation. Service providers should contact the individual payment brands for further information.




The PCI Security Standards Council (the "Council") makes available various tools, questionnaires, guidance, Frequently Asked Questions (FAQs), training resources and other materials and information to assist organizations seeking to achieve compliance with its standards (the "Standards"). Third-party products and services are also available, but the Council does not endorse or recommend any such products or services, and advises all organizations seeking compliance to become familiar with the Standards and related requirements before purchasing third-party products or services. Ultimately, achieving compliance requires meeting all applicable requirements, regardless of whether, and which, third-party products or services are used.