
Saturday, October 18, 2008

The PABP Compliance Threshold: We’re so over it

The Word arrived yesterday from Visa – via our Qualified Security Auditor (‘QSA’) – that our acquirer-side payment switch solution will be added to the List of Validated Payment Applications that have been assessed for compliance with the Payment Application Best Practices (‘PABP’).  We’d completed the effort a number of months ago, but Visa has been under a virtual deluge of submissions.  We’ll be on the list dated October 15, 2008. 

This isn’t a one-time effort though.  We’ll need to be reassessed and revalidated each year.  Like any effort of this nature, the first time is always the one that takes the most effort.  We are most fortunate to have my colleague Dave Bergert spearheading our compliance efforts.  What was eye-opening to me was that we (‘we’ = Dave) spent a minority of time addressing code shortfalls vs. PABP mandates, and a majority of the time compiling our PABP Compliance Guide (it’s important that we tell our users how to implement to assure compliance), creating and providing other supporting documentation, and shoring up our processes and procedures.  Our focus on process has always been strong. In the PABP era, it’s even better.

[Image: the ‘Compliance Mandate’ graphic referred to below]

The ‘Compliance Mandate’ at left gives you a good summary as to why this is so important to solution providers in the payment systems industry.  The original PABP announcement was very clear that Visa has determined that “[v]ulnerable payment applications have proved to be the leading cause of compromise incidents, particularly among small merchants.”  Anyone out there currently considering a payment switch is going to have ‘PABP Compliant App’ as a tick-box.  If you don’t have it, you aren’t playing.  There’s no finessing the point with a prospective buyer.

Here’s a passage from our press release on this news:

“We take the security of cardholder data seriously,” said David Bergert (CISSP, CISA) of OLS.  “Obtaining our PABP certification ensures that when our customers implement OLS.Switch in accordance with its PABP Implementation Guide and within their PCI DSS-compliant environment, it will protect stored data and will not retain sensitive authentication data.  Our PABP validation also provides assurance that as a software vendor, we follow secure development processes and secure troubleshooting procedures.”
