As an acquirer, WorldPay must follow requirements laid down by both the PCI Security Standards Council (PCI SSC) and the individual card brands. Formerly, Visa Inc. managed payment application compliancy through a program they established known as Payment Application Best Practices (PABP). This program was managed solely by Visa and was the first generation attempt to build strong application security practices by the payment application software vendors. With the establishment of the PCI SSC in 2006, a slow migration has occurred to transform PABP into what is now know as the Payment Application Data Security Standard (PA DSS). The PA DSS is a standard now managed by the PCI SSC and is a series of rules that need to be complied with if a vendor is to sell off-the-shelf payment applications to third parties (namely merchants). The traditional Payment Card Industry Data Security Standard (PCI DSS) targets entities that store, process, or transmit cardholder data. While not all software vendors store, process, or transmit cardholder data, the applications they create perform any one or all of these functions for the entity, hence the creation of the PA DSS. A secure payment application, in conjunction with a compliant PCI DSS environment will help minimize potential security risks and exposure of cardholder data.
Payment application vendors need to comply with the PA DSS, which provides a specific set of standards for development of payment applications. The PCI SSC has produced the following document to assist Payment Application Qualified Security Assessors (PA QSA) in the testing of the payment application code against the PA DSS.
https://www.pcisecuritystandards.org/pdfs/pci_pa_dss.pdf
Once the PA QSA has completed testing and validation, the testing validation will be submitted to the PCI SSC for acceptance and posting on the PCI SSC compliant application listing. You can find this listing by clicking on the following link:
http://www.pcisecuritystandards.org/security_standards/vpa/
According to Visa’s payment application mandates, effective July 1, 2008, acquirers and processors are only allowed to certify new applications to their platforms that meet this standard.
