The Payment Card Industry (PCI) has developed security standards for handling cardholder information in a published standard called the PCI-DSS Data Security Standard (DSS). The security requirements defined in the DSS apply to all members, merchants, and service providers that store, process or transmit cardholder data.
The PCI-DSS requirements apply to all system components within the payment application environment which is defined as any network device, host, or application included in, or connected to, a network segment where cardholder data is stored, processed or transmitted.
The purpose of this document is to guide help software development of project which require PCI-DSS compliance implementation.
This document also explains the Payment Card Industry (PCI) initiative and the Payment Application Data Security Standard (PA-DSS) guidelines. The document then provides specific installation, configuration, and on-going management best practices for PA-DSS Certified application operating in a PCI-DSS compliant environment.
Difference between PCI-DSS Compliance and PA-DSS Validation:
As a software vendor, our responsibility is to ensure that our solution does conform to industry best practices when handling, managing and storing payment related information.
PA-DSS is the standard against which Solutions has been tested, assessed, and certified.
PCI-DSS Compliance is then later obtained by the merchant, and is an assessment of end-client’s actual server (or hosting) environment.
Obtaining “PCI-DSS Compliance” is the responsibility of the merchant and client’s hosting provider, working together, using PCI-DSS compliant server architecture with proper hardware & software configurations and access control procedures.
The PA-DSS Certification is intended to ensure that the solutions will help you achieve and maintain PCI-DSS Compliance with respect to how solutions handles user accounts, passwords, encryption, and other payment data related information.
PCI Security Standards Council Reference Documents:
The following documents provide additional detail surrounding the PCI SSC and related security programs (PA-DSS, PCI-DSS)
- Payment Applications Data Security Standardhttps://www.pcisecuritystandards.org/tech/pa-dss.htm
- Open Web Application Security Project (OWASP)http://www.owasp.org