“PA-DSS”的意思、由来-开放百科全书

The Payment Application Data Security Standard (PA-DSS), formerly referred to as the Payment Application Best Practices (PABP), is the global security standard created by the Payment Card Industry Security Standards Council (PCI SSC).^[1]

PA-DSS was implemented in an effort to provide the definitive data standard for software vendors that develop payment applications. The standard aims to prevent developed payment applications for third parties from storing prohibited secure data including magnetic stripe, CVV2, or PIN.

In that process, the standard also dictates that software vendors develop payment applications that are compliant with the Payment Card Industry Data Security Standards (PCI DSS).

Requirements

For a payment application to be deemed PA-DSS compliant, software vendors must ensure that their software includes the following fourteen protections:^[2]

Governance and enforcement

PCI SSC has compiled a [https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html list of payment applications] that have been validated as PA-DSS compliant, with the list updated to reflect compliant payment applications as they are developed.

Creation and enforcement of these standards currently rests with PCI SSC via Payment Application-Qualified Security Assessors (PA-QSA). PA-QSAs conduct payment application reviews that help software vendors ensure that applications are compliant with PCI standards.

History

Governed originally by Visa Inc., under the PABP moniker, PA-DSS was launched on April 15, 2008 and updated on October 15, 2008. PA-DSS then became retroactively distinguished as "version 1.1"^[3] and "version 1.2".^[4]

In October 2010, PA-DSS 2.0 was released,^[5] indicating: Update and implement minor changes from v1.2.1 and align with new PCI DSS v2.0. For details, please see PA-DSS – Summary of Changes from PA-DSS Version 1.2.1 to 2.0.

In November 2013, PA-DSS 3.0 was released,^[6] indicating: Update from PA-DSS v2. For details of changes, please see PA-DSS – Summary of Changes from PA-DSS Version 2.0 to 3.0.^[7]

In May 2015, PA-DSS 3.1 was released^[2] indicating:Update from PA-DSS v3.0. See PA-DSS – Summary of Changes from PA-DSS Version 3.0 to 3.1 for details of changes.^[8]

In May 2016, version 3.2 of the PA-DSS Program Guide and Standards were released.^[9]^[10] For details, see Summary of Changes from PA-DSS Version 3.1 to 3.2.^[11]

Congressional attention

On March 31, 2009, the United States House of Representatives’ Committee on Homeland Security convened to discuss the current PCI DSS requirements.^[12]

Representatives such as Yvette Clark (D-NY) expressed interest in increasing the strength of standards while others, such as Bennie Thompson (D-Miss.) expressed doubt that industry created standards would be sufficient in the future.^[13]

While Congressional attention was focused largely on PCI DSS, the criticism of card-issuer standards could eventually bring Congressional or legal focus on PA-DSS and on PCI SSC as an entity.

Future

The future of these standards is somewhat vague, with Congressional attention giving rise to the possibility of governmental intervention.

Regardless, meeting standards can prove expensive and time consuming for software vendors, with the current expense of PA-DSS certification outpacing other methods of compliance. Given the cost of compliance and certification, current or yet-undetermined alternatives could emerge in the PCI standards compliance market.

Visa USA announced a more aggressive push into such technology (chip and pin) in August 2011.^[14]

Supplemental information

The PCI SSC has published additional materials that further clarify PA-DSS, including the following:

References

1. ^[https://www.pcisecuritystandards.org/ PCI Security Standards Council]
2. ^¹²{{cite web|title=Requirements and Security Assessment Procedures Version 3.1| url=https://www.pcisecuritystandards.org/documents/PA-DSS_v3-1.pdf| accessdate=27 January 2016| ref=1}}
3. ^{{cite web|url=https://www.pcisecuritystandards.org/security_standards/pci_pa_dss_v1-1.shtml |title=Payment Application Data Security Standard (PA-DSS) V1.1| publisher=PCI Security Standards Council| archiveurl=https://web.archive.org/web/20100802223456/https://www.pcisecuritystandards.org/security_standards/pci_pa_dss_v1-1.shtml|archivedate=2010-08-02}}
4. ^{{cite web|url=https://www.pcisecuritystandards.org/security_standards/pci_pa_dss.shtml |title=Payment Application Data Security Standard (PA-DSS) V1.2|publisher=PCI Security Standards Council| archiveurl=https://web.archive.org/web/20100802223445/https://www.pcisecuritystandards.org/security_standards/pci_pa_dss.shtml|archivedate=2010-08-02}}
5. ^{{Cite web| url=https://www.pcisecuritystandards.org/documents/pa-dss_v2.pdf|title=Payment Card Industry (PCI) Payment Application Data Security Standard Requirements and Security Assessment Procedures: Version 2.0| last=| first= |date=|website=PCI Security Standards Council| language=en| archive-url=|archive-date=|dead-url=|access-date=2017-04-22}}
6. ^{{Cite web| url=https://www.pcisecuritystandards.org/documents/PA-DSS_v3.pdf|title=Payment Card Industry (PCI) Payment Application Data Security Standard: Requirements and Security Assessment Procedures: Version 3.0| last=| first=| date=|website=PCI Security Standards Council| language=en|archive-url=| archive-date=| dead-url=|access-date=2017-04-22}}
7. ^[https://www.pcisecuritystandards.org/minisite/en/docs/PA-DSS_v3_Summary_of_Changes.pdf Summary of Changes from PA-DSS Version 2.0 to 3.0]
8. ^¹[https://www.pcisecuritystandards.org/documents/PA-DSS_v3-1_Summary_of_Changes.pdf Summary of Changes from PA-DSS Version 3.0 to 3.1]
9. ^{{Cite web| url=https://www.pcisecuritystandards.org/documents/PA-DSS-v3_2-Program-Guide.pdf|title=Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS) v3.2: Program Guide| last=| first=| date=May 2016|website=PCI Security Standards Council|language=en|archive-url=| archive-date=| dead-url=|access-date=2017-04-22}}
10. ^{{Cite web| url=https://www.pcisecuritystandards.org/documents/PA-DSS_v3-2.pdf| title=Payment Card Industry (PCI) Payment Application Data Security Standard: Requirements and Security Assessment Procedures: Version 3.2|last=|first=|date=|website=PCI Security Standards Council|language=en|archive-url=| archive-date=|dead-url=|access-date=2017-04-22}}
11. ^{{Cite web| url=https://www.pcisecuritystandards.org/documents/PA-DSS_v3-2_Summary_of_Changes.pdf|title=Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards| website=www.pcisecuritystandards.org| language=en|access-date=2017-04-22}}
12. ^{{cite web |url=http://www.homeland.house.gov/hearings/index.asp?ID=185 |title=Do the Payment Card Industry Data Standards Reduce Cybercrime? |date=March 31, 2009 |publisher=U.S. House Homeland Security Committee | archiveurl=https://web.archive.org/web/20091202013722/http://homeland.house.gov/hearings/index.asp?ID=185 |archivedate=2009-12-02}}
13. ^[https://www.forbes.com/2009/03/31/visa-mastercard-security-technology-security-visa.html Visa, MasterCard In Security Hotseat]
14. ^{{cite press release|url=http://corporate.visa.com/media-center/press-releases/press1142.jsp| title=Visa Announces Plans to Accelerate Chip Migration and Adoption of Mobile Payments |publisher=Visa|date=August 9, 2011| archiveurl=https://web.archive.org/web/20110923151959/http://corporate.visa.com/media-center/press-releases/press1142.jsp| archivedate=2011-09-23}}
15. ^[https://www.pcisecuritystandards.org/pdfs/pci_pa_dss.pdf PA-DSS Requirements and Security Assessment Procedures v1.2.1]
16. ^[https://www.pcisecuritystandards.org/documents/pa-dss_v2.pdf PA-DSS Requirements and Security Assessment Procedures v2.0]
17. ^[https://www.pcisecuritystandards.org/documents/PA-DSS_v3.pdf PA-DSS Requirements and Security Assessment Procedures v3]
18. ^[https://www.pcisecuritystandards.org/documents/PA-DSS-v3_2-Program-Guide.pdf PA-DSS 3.2 Program Guide]