PA-DSS and ‘Enforcement’
I have spoken with a number of companies over the last several weeks that are preparing themselves to go through the PA-DSS assessment process (software providers, not security firms) and they all are trying to understand the level of priority that they need to set. Particularly smaller firms are trying to come to grips with the fact that they are now required to go through an expensive, potentially disruptive assessment process that they didn’t have to address previously.
It only makes sense that they all end up asking the question, ‘are the card brands actually going to enforce this?’ After all, why make a significant investment in money and time for something that no one is actually going to enforce? So, I thought I’d put this up here with a couple of thoughts that I’ve formed about the PCI Council, the card brands, and their desire/ability to enforce the PA-DSS deadline in 2010. These are just my own thoughts based on conversations and history…
- PCI Council Enforcement - based on conversations that I have been a part of and feedback from others that I trust in the industry, the council will be enforcing this standard to the highest degree that they can. They look at the PA-DSS as an extension to the PCI-DSS (which it is) and therefore will be supporting and enforcing the standard to the same degree as the broader PCI-DSS.
- The Card Brands - less direct insight here, but I can tell you that, as the organizations that instituted the PCI Council to begin with, they are going to support the standard and are most likely going to support the enforcement of PA-DSS to the highest degree that they can. A large number of the vulnerabilities that exist in PCI-relevant environments are at the application level - the card brands know this and they are going to fully support a standard that is directly reviewing and assessing the applications that deal with relevant information - whether in rest or in transit. This is why the PA-DSS standard was incorporated into the broader PCI-DSS environment and brought under the auspices of the Council.
- Merchants - merchants and service providers are going to be the de facto ‘enforcement’ arm for the PA-DSS standard. We’ve actually been seeing this already with large merchants. Basically, merchants and service providers are going to need to implement secure applications in order to maintain their own PCI compliance. There are avenues that can be taken that don’t absolutely require PA-DSS-compliant applications in their environment, but it’s going to be impractical for the vast majority of retailers to do anything other than choose a PA-DSS certified application. Merchants are already starting to screen applications based on the PA-DSS validated list (link) or on the vendor’s commitment to getting their application on the list (if they aren’t up there yet)…
So, my feedback on the likelihood that PA-DSS is going to be ‘enforced’ - basically 100%.
Again, it’s not that the council is going to show up on a software vendor’s doorstep and say ‘gotcha’ - it’s simply that your clients are going to be under a huge amount of pressure to implement PA-DSS compliant payment applications - if you choose not to go through the PA-DSS assessment process (or if you wait until the deadline is past) you run the risk of putting yourself at a disadvantage in the marketplace.
If anyone has any feedback or questions (or just wants to vent) - please feel free to leave a comment or send me an email - alex.crittenden@yahoo.com - and I’ll do my best to answer your questions or track down the person that can. Also (I have to put a plug in here …), NetSPI (my employer) is one of the leading PA-QSAs, so if you have a ‘we need to find a PA-QSA’ sort of inquiry please email me at my NetSPI address - alex.crittenden@netspi.com - and I’ll get back to you in a more official manner. Thanks.