eWeek published an article by Evelyn de Souza entitled ‘How To Achieve Payment Card Industry Compliance: 5 Simple Steps’. The article is focused on small merchants and while the article points out five great ideas, in my experience, it’s the implementation of those ideas that create the problem. So let’s look at another one of those ideas.
The second point is to make sure that a small merchant uses a PA-DSS compliant point of sale (POS) solution. First I have a nit to clear up. Ms. de Souza refers to the PA-DSS as being Visa’s program which is not true. Visa’s program was called the Payment Application Best Practice (PABP) certification. The PABP program was turned over to the PCI Security Standards Council last year and became the basis for the Payment Application Data Security Standard (PA-DSS). PA-DSS compliant applications are just being certified given the newness of the certification process, so most applications at this point are only PABP compliant. However, we expect to see PA-DSS certified application very soon. And PABP compliant applications are still allowed to be used under the PCI DSS.
While PABP compliant applications have been available for almost four years, the vast majority of small merchants are using POS software solutions that are nine or more years old. This is because most merchants replaced their POS solutions just before 2000 for Y2K and expected to get around 10 to 15 years out of their POS solution. Since most of these merchants operate on thin margins and the economy has tanked, most cannot afford the expense of new hardware and software at this time. After all, current POS software requires Windows XP or greater, so just upgrading the POS application is not going to be an option on 10 year old hardware.
Just because you use a PABP/PA-DSS compliant application does not mean that it does not store cardholder data. It does mean that if the application stores cardholder data that it is stored securely. But wait, wasn’t Ms. De Souza’s first rule to not store cardholder data? Software vendors are required to provide an implementation guide that describes the steps necessary to implement the software so that the merchant maintains compliance with the PCI DSS. The implementation guide will explain that backups, key management and other PCI DSS requirements must be met by the merchant.
Which leads to my final point which is there is the assumption that because the software is PABP/PA-DSS compliant that it somehow confers PCI DSS compliance on the organization that uses the software. PABP/PA-DSS compliance just means that the software properly protects cardholder data. PCI DSS compliance requires more than just a compliant application. There are numerous issues that need to be complied with that are outside of the application vendor’s control and therefore not covered by the PABP/PA-DSS certification. As a result, there is plenty of additional work to be done to ensure that PCI DSS compliance is achieved.
So, PABP/PA-DSS does not confer PCI DSS compliance on a merchant. A merchant still has quite a bit of work to do in some cases to be compliant.
PCI Guru 
0 Responses to “Simple PCI Compliance – Part 2”