Security: PA DSS


Compliance Dates

To address the ever-growing concerns about card data security, the PCI Security Standards Council has developed a standard for payment applications that store, process or transmit cardholder data.

The Payment Application Data Security Standard (PA DSS) is largely based on Visa's Payment Application Best Practices (PABP) programme. So that all merchants conform to the standard, dates have been set by which compliance is mandatory.

Effective from July 1st 2010

Acquirers must ensure that all new merchant implementations use only PA DSS compliant applications.

Effective from December 31st 2012

Acquirers must ensure that every merchant using a payment application is either fully PCI DSS compliant or using a PA DSS compliant application.

It is vital that merchants are fully aware of their obligation to protect cardholder data. To meet the expected standard of responsibility for maintaining a secure data environment, the client must have documented policies covering:

  • Storage of sensitive data
  • Retention period
  • Secure removal of historical data
  • User accounts
  • Logging

Even though the standard 'PCI' version of PC-EFT does not store sensitive authentication data (e.g. Track 2, AVS or CV2 data), full compliance with the PA DSS requires that there be no risk of protected data being compromised. To that end, Servebase have further enhanced the PC-EFT product to provide a PA DSS compliant version.

As the main obstacle to achieving PA DSS compliance is protecting the customer's card data, we have removed sensitive data storage from the on-site PC-EFT installation and placed it within the secure boundary of the Servebase Data Centre. The PC-EFT Interface connects directly to the Servebase Data Centre via e-link over HTTPS. Because no cardholder data is held on the merchant's premises, the risk of data theft is greatly reduced. As no card data is stored locally, the merchant will need to use our browser-based transaction reporting facility.

Benefits of PC-EFT Reporting include:

  • Powerful search facility
  • Supports most browsers (IE6, 7 & 8 and Mozilla Firefox)
  • User access levels
  • Download and export data (Excel and CSV formats)
  • Efficient centralised reporting solution
  • Ability to process refunds
  • Ability to view all transactions including pre-authorisations, sales, refunds, referrals and declines

Installing the PA DSS compliant version of PC-EFT will assist merchants in achieving PCI DSS certification. To comply fully with the PA DSS, clients must still maintain several areas of their own storage and processing procedures.

Areas to be maintained by the client:

  • Do not retain full magnetic stripe, card validation code or value
  • Protect stored cardholder data (if kept outside of PC-EFT)
  • Protect wireless transmissions
  • Facilitate secure network implementation
  • Cardholder data must never be stored on a server connected to the Internet
  • Encrypt sensitive traffic over public networks
  • Encrypt all non-console administrative access
  • Maintain instructional documentation and training programs for customers, resellers, and integrators

More information:

Detailed information on what is required for each of the above points, along with the Servebase entry in the list of validated payment applications, can be found on the PCI Council website:
https://www.pcisecuritystandards.org/security_standards/vpa/