The Payment Card Industry Security Standards Council has announced a new standard for payment application software. This moves some of the security burden relating to card payments from the merchant to the software vendor.
The standard places no liability on the software vendor beyond the requirement that its applications be developed and tested in accordance with the standard. It should reduce the litigation that has arisen between these vendors and their customers, the merchants, over who is responsible when card data is compromised.
Payment application vendors will be required to follow mandatory development procedures and pass mandatory tests before they can ship their applications. Merchants should find it easier to pass their PCI-DSS assessments if they use applications that have already been shown to satisfy the PCI requirements.
Some questions remain to be answered. The most pressing is what level of testing is needed for a new version of a product, and how that level should scale with the extent of the changes made.
This standard is further evidence that the information security community is turning its attention to application security rather than relying on network security alone, which is welcome. We have often been critical of the slow pace at which the PCI Security Standards Council has enforced its standards; this new standard shows that the Council is taking a more holistic view of payment security, and that is also welcome.
PCI differs from most other compliance standards in force at the moment in being precise and prescriptive about what each party has to do, rather than specifying only the outcomes to be achieved.