The PCI Security Standards Council, a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (DSS), and the Payment Application Data Security Standard (PA-DSS), has announced the release of version 1.1 of the Payment Application Data Security Standard (PA-DSS). The Council will also roll out a program to include maintenance of a list of validated payment applications. This list will enable buyers to identify the payment applications that have been recognised by the PCI SSC and meet the new standard.

Increasingly criminals are targeting vulnerabilities in payment applications to steal payment card data, and some software may be storing sensitive card data on a user's system unknowingly.

"Many merchants and retailers rely on third-party software vendors for applications that run payment processing," said J Joseph Finizio, Executive Director, Retail Solutions Providers Association. "Having the Council manage a globally-recognised list of validated payment applications will make it easier for merchants of all sizes to select validated payment applications that are accepted by all the major payment brands, ensuring that cardholder data continues to be secure."

PA-DSS is the Council-managed program formerly managed by Visa Inc and known as the Payment Application Best Practices (PABP). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, other sensitive authentication data or PIN data, and ensure their payment applications support compliance with the PCI DSS. PA-DSS requirements apply to payment applications that are sold, distributed or licensed to third parties.

PA-DSS requirements do not apply to in-house payment applications developed by merchants or service providers that are not sold to a third party, but these applications must still be secured in accordance with the PCI DSS.