The Payment Card Industry (PCI) Security Standards Council (SSC) has released the Payment Application Data Security Standard (PA-DSS) for payment applications running at merchant locations. PA-DSS helps software vendors ensure that their payment applications support compliance with the mandates set by the Bank Card Companies (Visa, Mastercard, Discover, American Express, and JCB).
In order to comply with the mandates set by the Bank Card Companies, Heartland Payment Systems:
- Requires that the account number not be stored in the clear, in order to meet PCI DSS and PA-DSS requirements. While stored, it must be encrypted using strong cryptography, with associated key-management processes and procedures.
Refer to PCI DSS Requirements 3.4–3.6* for the detailed requirements on account number storage. The retention period for the account number in the shadow file and the open batch must be defined. At the end of that period, or when the batch is closed and successfully transmitted, the account number and all other stored card information must be securely deleted. This process is required regardless of the POS's method of transmission.
- Requires that, with the exception of the account number (as described above) and the expiration date, no other track data be stored on the POS if the card type is one of the following:
- Visa, including Visa Fleet;
- Mastercard, including Mastercard Fleet, and Carte Blanche;
- Discover, including JCB, UnionPay, Diners Club, and PayPal;
- American Express;
- WEX;
- Debit or EBT.
This requirement does not apply to FleetCor, Voyager, or Aviation cards; Stored Value cards; Proprietary or Private Label cards.
- Recommends that software vendors have their applications validated for PA-DSS compliance by an approved third party (a PA-QSA).
- Requires all software vendors to sign a Developer’s Agreement (Non-Disclosure Agreement).
- Requires all software vendors to provide either evidence that the application version is listed on the PCI SSC website as a PA-DSS Validated Payment Application, or a written certification to Heartland Testing of the developer's compliance with PA-DSS.
- Requires that all cryptography provided or used by the payment application meet the PCI SSC's current definition of "strong cryptography" (see the PCI SSC Glossary).
*Refer to www.pcisecuritystandards.org for the PCI DSS Requirements document and further details about PA-DSS.
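The storage rules above (encrypted account number plus expiration date only, no track data, purge when the batch closes) as a worked example in Go. This is an added illustration, not Heartland's or any vendor's code: it encrypts the PAN with AES-256-GCM from Go's standard library, which falls within the PCI SSC definition of strong cryptography, binds the masked PAN and expiry as additional authenticated data, refuses anything that looks like track data, and zeroes and drops the records on close. The record layout, the track-data heuristic, the in-memory batch and the exported `Records` field are assumptions of the example; key management (how the 32-byte key is generated, stored and rotated under PCI DSS 3.5–3.6) is deliberately out of scope, and the PAN 4111111111111111 used in the accompanying checks is a constructed test value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strings"
)

// ShadowRecord is all the POS keeps per transaction while a batch is open: the
// AES-GCM-encrypted PAN, the expiry and a masked PAN. Track data never enters it.
type ShadowRecord struct {
	MaskedPAN string // first six and last four digits only
	Expiry    string // MMYY
	nonce     []byte // 12-byte GCM nonce, fresh per encryption
	panCipher []byte // ciphertext followed by the 16-byte GCM tag
}

// Batch is the open batch: its shadow records and the AEAD built from its data-encrypting key.
type Batch struct {
	Records []ShadowRecord
	aead    cipher.AEAD
	open    bool
}

// NewBatch takes a 32-byte AES-256 key; a real POS obtains it from its
// key-management process rather than generating or hard-coding it.
func NewBatch(key []byte) (*Batch, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Batch{aead: g, open: true}, nil
}

// Heuristic (an assumption of this example): track 1/2 carry '%', '^', ';', '=', '?'; a PAN does not.
func looksLikeTrackData(s string) bool { return strings.ContainsAny(s, "%^;=?") }
func validPAN(pan string) bool {
	return len(pan) >= 13 && len(pan) <= 19 && strings.Trim(pan, "0123456789") == ""
}
func maskPAN(pan string) string { return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:] }

// Add encrypts a PAN and stores it with the expiry for the open batch; anything
// that looks like track data is rejected before it can reach the shadow file.
func (b *Batch) Add(pan, expiry string) error {
	switch {
	case !b.open:
		return errors.New("batch is closed")
	case looksLikeTrackData(pan) || looksLikeTrackData(expiry):
		return errors.New("refusing to store track data")
	case !validPAN(pan) || len(expiry) != 4:
		return errors.New("expected a 13-19 digit PAN and an MMYY expiry")
	}
	nonce := make([]byte, b.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The masked PAN and expiry are bound as additional authenticated data, so a
	// ciphertext moved onto another record (or a record edited in place) fails to decrypt.
	masked := maskPAN(pan)
	ct := b.aead.Seal(nil, nonce, []byte(pan), []byte(masked+expiry))
	b.Records = append(b.Records, ShadowRecord{MaskedPAN: masked, Expiry: expiry, nonce: nonce, panCipher: ct})
	return nil
}

// PAN decrypts record i's account number, e.g. for settlement; it fails after Close.
func (b *Batch) PAN(i int) (string, error) {
	if !b.open || i < 0 || i >= len(b.Records) {
		return "", errors.New("no such record")
	}
	r := b.Records[i]
	pt, err := b.aead.Open(nil, r.nonce, r.panCipher, []byte(r.MaskedPAN+r.Expiry))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Close runs once the batch has been transmitted successfully: it overwrites each ciphertext
// and nonce (best effort; the runtime may have copied the slices), drops the records, and refuses further use.
func (b *Batch) Close() {
	for _, r := range b.Records {
		for j := range r.panCipher {
			r.panCipher[j] = 0
		}
		for j := range r.nonce {
			r.nonce[j] = 0
		}
	}
	b.Records, b.open = nil, false
}
```

Usage: create the batch with the key obtained from the key-management process, call `Add` for each authorization, call `PAN` only when the batch is settled, and call `Close` after a successful transmission (or at the end of the defined retention period, whichever comes first). Two caveats for a real POS: zeroing Go slices does not guarantee the plaintext or ciphertext is gone from process memory, and securely deleting an on-disk shadow file is a filesystem concern (overwrite-then-unlink is not reliable on journaling or flash-backed storage), so `Close` is the application's part of the deletion process, not the whole of it.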