A Quick Note on PA-DSS and the July Deadline
Every business day I have multiple conversations with software vendors regarding PA-DSS. Some of these vendors are currently being pressured by important clients to address PA-DSS validation. Some are looking at their strategic product investments over the next 18 months, including technology, feature enhancements, marketing, etc., and are building PA-DSS into their operational model. These two groups are actively moving forward with the PA-DSS validation process. NetSPI is helping them with potential changes to process, documentation, and (if needed) code to make certain that their applications are going to successfully move through the validation process.
However, other vendors are taking a bit of a different approach – they have been made aware of the standard and that it ‘might apply’ and are doing some preliminary research on what they actually need to worry about. Often they are looking for an ‘out’ - a way to claim that PA-DSS doesn’t apply to them (typically because they aren’t a ‘classic’ POS software provider) or they are looking for reassurance that VISA and the PCI council aren’t really going to enforce the standard.
The difficulty for this last group of software providers is that the definition of what falls under PA-DSS is pretty straightforward and the council and VISA have given every indication that they are going to enforce the standard (see my other post here). Also, since a majority of the leading POS vendors are aggressively addressing PA-DSS, the council isn’t going to really feel all that much pressure to back off in July.
Why am I bringing this up again? Because we are getting closer and closer to the July 2010 deadline and there are still a LOT of software vendors that are continuing to drag their feet. Please keep in mind that there aren’t all that many PA-QSAs (particularly ones that have experience and a proven track record) and validation is not going to happen in a week.
My guess, based on what I’m seeing in the market, is that there will be a sizable wave of companies in the spring that finally realize/accept that they have to do something and there will suddenly be a mad rush to get validated – causing a tremendous backlog and very long lead times. My suggestion is to not get caught up in that wave or you might get stuck in a bad spot come July – get things moving now …









