Published on Security Management (http://www.securitymanagement.com)
New Standards for Payment-Card Transaction Software
By Matthew Harwood
Created 04/17/2008 - 11:46
The payment-card industry has developed new security standards to ensure that the software used to process payment-card transactions protects the information stored on such cards.

Vendors of payment-application software will have to abide by new standards to help protect the data on payment cards from criminals.

The PCI Security Standards Council announced [1] this week the release of its Payment Application Data Security Standard (PA-DSS). The council was formed by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. to make payments more secure.

ComputerWorld reports [2]: "The PA-DSS is a set of broad-based security controls that vendors of payment-application software will need to include in their products over the next few years."

Payment applications developed in-house, however, do not come under the purview of the council's new standards.

The council says criminals are increasingly exploiting vulnerabilities in payment applications to steal sensitive information stored on payment cards, and that such software may retain that information on a merchant's systems without the merchant knowing it.

According to the Web site Security Focus [3]:

The latest version of the application-security standard follows the revelation that online data thieves managed to make off [4] with millions of credit- and debit-card numbers from grocery store chain Hannaford Bros. In 2007, retail giant TJX Companies also announced a large data breach, and by the end of the year, estimates of the size of the loss surpassed 100 million [5] credit- and debit-card numbers. While TJX Companies had not complied with the PCI Data Security Standard, it is currently not known whether Hannaford Bros. had remained in compliance.

The new standards will ensure that payment-application software sold to merchants does not store sensitive data, such as the card's full magnetic-stripe contents, authentication data, or personal identification number (PIN).

The standards were originally devised by Visa Inc. and were known as Payment Application Best Practices (PABP). Last November, the PCI Security Standards Council adopted [6] the PABP as the industry standard for payment-application software sold to third parties.

The council also says it will compile a list of those software applications approved as PA-DSS compliant. "Having the Council manage a globally-recognized list of validated payment applications will make it easier for merchants of all sizes to select validated payment applications that are accepted by all the major payment brands," said J. Joseph Finizio, executive director of the Retail Solutions Providers Association, "ensuring that cardholder data continues to be secure."


Related Resources: 

"Following Standards is Not Standard Practice [7]," by Peter Piazza

Security Management is the award-winning publication of ASIS International, the preeminent international
organization for security professionals, with more than 35,000 members worldwide.

ASIS International, Inc. Worldwide Headquarters USA, 1625 Prince Street, Alexandria, Virginia 22314-2818
703-519-6200 | fax 703-519-6299 | www.asisonline.org
Copyright © 2008, Security Management

Source URL: http://www.securitymanagement.com/news/new-standards-payment-card-transaction-software

Links:
[1] https://www.pcisecuritystandards.org/pdfs/04-15-08.pdf
[2] http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9078199
[3] http://www.securityfocus.com/brief/724
[4] http://www.securityfocus.com/brief/707
[5] http://www.securityfocus.com/news/11493
[6] http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9046000
[7] http://www.securitymanagement.com/article/following-standard-not-standard-practice