My Merchant Account Blog
My Merchant Account Blog should help you with your merchant account and electronic payment gateway. Also
hopefully it will help explain some fraud attempts and how to notice fraud
on your orders.
Search My Merchant Account Blog
My Merchant Account Blog Categories
- Domain Names (1)
- Electronic Payment Gateways (4)
- LinkPoint (2)
- Merchant Accounts (38)
- Miscellaneous (10)
- Security (8)
- Web Hosting and Design (4)
My Merchant Account Blog Archives
- April 2008
- March 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- August 2006
- July 2006
- June 2006
- May 2006
- April 2006
- March 2006
- February 2006
- January 2006
- December 2005
My Merchant Account Blog Recent Entries
- Credit Card Testing Numbers
- The LinkPoint Gateway
- The Security of Your Customers
- Payment Application Best Practices from Visa
- Let Me Use Your Merchant Account
- Our Grand Opening
- How to Handle a Large Order
- People Sending One Cent via Paypal
- Merchandise Not Received
- Merchant Direct Access Service
Other Blogs
Pod Casts
SiteMap
Payment Application Best Practices from Visa
Tuesday, March 11, 2008
High profile breaches of cardholder data have garnered a lot of attention in the media. Most of us have read or heard about the 40 million cards that were compromised at CardSystems, or the 100 million cards compromised at TJX. As a result of these breaches, the payment industry developed the Payment Card Industry (PCI) Data Security Standard (DSS). However, complying with the PCI DSS can be complicated and expensive, especially for smaller merchants. Although we may not read about it in the press, breaches at smaller merchants occur every day because the payment hardware and software they use is not compliant with PCI DSS.In an effort to make compliance with the PCI DSS a little easier for merchants who use payment application software, Visa developed the Payment Application Best Practices (PABP). The PABP applies to software applications that store, process, or transmit cardholder data as part of authorization or settlement. It does not apply to software developed in-house by merchants since that would be covered under the merchant’s normal PCI DSS compliance.
Software vendors are required to have their payment applications certified as PABP compliant by a Qualified Application Security Professional that is employed by a Qualified Payment Application Security Company. Once compliant, Visa will include the software vendor and product version in a list of validated payment applications for one year. Software vendors must re-validate their payment applications each year to remain on the list.
The PABP mandates are designed to eliminate the use of non-secure/vulnerable payment applications from the Visa system. They require that members ensure that merchants do not use applications that retain prohibited data elements and use payment applications that adhere to Visa’s PABP. If you are using a payment application from a software vendor that is not PABP compliant then you will not be able to comply with the PCI DSS.
As of January 1, 2008 new merchants are not allowed to establish a merchant account using a non-compliant payment application. Existing merchants should check with their agent or ISO to make sure their payment application is on the list of PABP compliant applications.
