List of Validated Payment Applications

Inclusion on this list indicates only that the specific version of payment application has successfully completed an assessment following Payment Application Best Practices. Please be advised that Visa makes no endorsement of applications or products and disclaims all warranties. Members remain responsible for performing their own evaluation and due diligence, to ensure the CISP compliance of their merchants and service providers. more..

When will the new version of the PCI Data Security Standard (version 1.1) become effective?

Version 1.1 of the PCI Data Security Standard became effective with the launch of the PCI Security Standards Council. Some of the more complex individual requirements contained in the new version of the standard have built-in lead time for implementation. more...

How has the PCI Data Security Standard changed (January 2005 version to version 1.1)?

The focus of the 1.1 revision has been to address questions about how to implement the standard. The standard has been updated to provide clarification to certain requirements and to give flexibility for compensating controls for complex requirements such as data encryption. These updates are designed to acknowledge partner and customer feedback, along with technical compliance constraints, and foster rapid adoption, while maintaining the robustness of the security measures in the January 2005 version. Additional requirements have been added to address emerging threats related to application security. more...

The Council has compiled a Summary of Changes describing the significant differences between the two DSS versions; to read this document, click here.

If I am already PCI DSS compliant based on the January 2005 version of the PCI Data Security Standard and have initiated the re-certification process, what impact will version 1.1 have?

Because the focus of the 1.1 revision has been to address questions about how to implement the PCI DSS standard and to introduce flexibility for the use of compensating controls for complex requirements such as data encryption, current compliance to the January 2005 version should allow a business to be compliant with the DSS version 1.1 through 2006.
As of the launch of the PCI Security Standards Council, and until December 31, 2006 all new certifications and newly initiated re-certifications may be based on either the January 2005 version of the PCI DSS or DSS version 1.1. As of January 1, 2007 all new certifications and newly initiated re-certifications must be based on DSS version 1.1. Please consult the individual payment brands regarding certifications or re-certifications based on the January 2005 version of the PCI DSS that are not completed by the end of 2006. more...

Do I need to become PCI DSS compliant?

Every company that accepts, processes, or stores credit card information needs to comply with the standards set by the Payment Card Industry.

What is the Payment Card Industry (PCI) Data Security Standard (DSS)?

The PCI DSS version 1.1, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis. www.pcisecuritystandards.org

When will the new version of the PCI Data Security Standard (version 1.1) become effective?

Version 1.1 of the PCI Data Security Standard became effective with the launch of the PCI Security Standards Council on September 6,2006.

How long does it take to become compliant?

The amount of time it takes for a company to be considered PCI Compliant is dependent the complexity of their network. Outsourcing some of the more difficult ongoing technical requirements such as sections 10 and 11 is a quick and cost effective solution.

What happens if I am not compliant?

Failure to comply with the Payment Card Industry security standards could result in heavy fines, (up to $50,000 monthly), class action law suits, restrictions or permanent expulsion from card acceptance programs.

What are my options and how much will it cost? Outsourcing to a Managed Security Provider can solve as much as 80% of the more technical as well as labor intensive requirements of PCI at 20% of the cost, allowing key employees of companies to remain focused on core, value-producing activities.

I need guideline or information on network security testing.

Network security testing should be integrated into an organization’s security program to evaluate system security mechanisms and validate that systems are operating according to the organization’s security policies and system security requirements. To maximize their usefulness and ensure that they are affordable, organizations should prioritize network test-ing activities according to system criticality, testing costs, and the benefits that testing will provide. Organizations can use a prioritization process, described in this document, to de-termine minimum required sets of tests and appropriate frequencies for these tests.

Routine testing of networks can greatly reduce the chances of a network compromise by helping to ensure that critical systems, e.g., firewalls, routers, servers, are configured, main-tained, and operated according to the organization’s security policy. Exploitation of a sys-tem could have a costly impact on an organization’s operations. Network testing can be a valuable and cost effective measure of protecting a network and preventing costly compro-mise. more...