On 28 October 2022, the PCI Security Standards Council (PCI SSC) formally retired its Payment Application Data Security Standard (PA-DSS). As one of the first standards and programs of its kind, PA-DSS laid the groundwork for software security in the payment industry and has served the payment industry’s needs for more than 14 years.
As payment industry needs have evolved, so too has the approach to software security standards. A new approach, the PCI Secure Software Standard, was needed to support modern payment software architectures and software development methodologies, and to protect payment software from increasingly complex software attacks.
While we move forward with the next evolution of payment software security through the PCI Software Security Framework standards, the Council would like to take this moment to pay tribute to PA-DSS, one of the original, foundational payment security standards of the organization and of the industry.
In this tribute video, current and former employees of the PCI Security Standards Council bid farewell to PA-DSS and reflect on what the standard has meant to them over the last 14 years.
The video features two employees who were instrumental in the development and implementation of PA-DSS and its program in 2008: former General Manager of the Council, Bob Russo (now retired), and the Chair of PCI SSC’s Technical Working Group, Lauren Holloway (now Director of Data Security Standards at PCI SSC).
Also featured in the video are:
- Marc Bayerkohler, Standards Trainer, PCI SSC
- Brandy Cumberland, Director Program Quality, PCI SSC
- Elizabeth Terry, Senior Manager Community Engagement, PCI SSC
- Tom White, Senior Manager Content Development, PCI SSC
PA-DSS, announced on April 15, 2008, was originally created by Visa Inc. and known as the Payment Application Best Practices (PABP). It was created to help software vendors and others develop secure payment applications that do not store prohibited data and that support compliance with PCI DSS (Data Security Standard).
Payment applications adhering to PA-DSS minimized the potential for security breaches and the resultant fraud. Other components of the PA-DSS program were rolled out following the publication of the standard, including the requirements and training program for PA-QSAs (Payment Application Qualified Security Assessors) and ultimately the publication of a list of validated payment applications.
Endorsed by the five PCI Participating Payment Brands at the time (American Express, Discover, JCB International, Mastercard and Visa Inc.), PA-DSS helped the PCI Security Standards Council to meet its strategic mission: to develop and maintain global, industry-wide security standards for the protection of payment account information throughout the payment transaction lifecycle.
PA-DSS was transformational to both the Council and the industry. With the Council’s adoption of PA-DSS, there was now a single entity managing global standards and streamlining requirements related to payment data security, which included the PCI DSS and the PCI PED (PIN Entry Devices) Security Requirements. By adopting PA-DSS, the Council established a common foundation for widespread adoption of secure payment applications.
From all of us at the Council, we thank you, PA-DSS, for serving the industry well, and we congratulate you on your well-deserved retirement!
The Future: The Software Security Framework
In January 2019, PCI SSC published new requirements for the secure design and development of modern payment software. The PCI Secure Software Standard and the PCI Secure Software Lifecycle (Secure SLC) Standard are part of the PCI Software Security Framework (SSF), which includes a validation program for software vendors and their software products and a qualification program for assessors.
The PCI Secure Software Standard expands on the key principles of protecting payment applications and data that were first introduced in PA-DSS, and is designed to support a much larger set of payment software architectures, functions, and software development methodologies.
The PCI Secure SLC Standard provides security requirements and assessment procedures for software vendors to integrate into their software development lifecycles and to validate that secure lifecycle management practices are in place.
For more information on how the PCI Software Security Framework builds on PA-DSS to take payment software validation forward, visit our blog posts:
- How to Successfully Transition Software from PA-DSS to the PCI Secure Software Standard
- Conceptual Differences Between SSF and PA-DSS
- SAFECode and PCI SSC Discuss the Evolution of Secure Software
Everyone interested in learning more about the Software Security Framework standards is encouraged to attend SSF Knowledge Training. New this year, Knowledge Training courses are designed to bridge the knowledge gap between organizations and assessors by providing learning opportunities for individuals to take the same training and exam as the Assessor. Knowledge Training is offered for both the Secure Software Lifecycle (Secure SLC) Assessor course as well as the Secure Software Assessor course.
PCI SSC is offering PA-DSS Vendors a special discount for SSF Knowledge Training in 2023. If you are a PA-DSS Vendor, please contact the PA-DSS Program Manager for details on how to take advantage of this special offer.
Also on the blog: Watch and Learn All About Knowledge Training