The Payment Card Industry Security Standards Council (PCI SSC) has announced
the release of version 1.1 of the Payment Application Data Security Standard
(PA-DSS).
PA-DSS is designed to help software vendors and others develop secure payment
applications that do not store prohibited data, such as full magnetic stripe or
PIN data, and ensure that payment applications support compliance with the
standard.
The requirements apply to payment applications that are sold, distributed or
licensed to third parties.
They do not apply to in-house payment applications developed by merchants or
service providers that are not sold to a third party, but these applications
must still be secured in accordance with the PCI DSS.
The new standard was unveiled at the Electronic Transactions Association
Annual Meeting and Expo.
The PCI SSC will also roll out a programme this autumn to include maintenance
of a list of validated payment applications.
This list will enable buyers to identify the payment applications that have
been recognised by the PCI SSC and meet the new standard.
Criminals are increasingly targeting vulnerabilities in payment applications
to steal payment card data, according to the PCI SSC, and some software may be
unknowingly storing sensitive card data on a user's system.
"Many merchants and retailers rely on third-party software vendors for
applications that run payment processing," said Joseph Finizio, executive
director of the Retail Solutions Providers Association.
"Having the PCI SSC manage a globally-recognised list of validated payment
applications will make it easier for merchants of all sizes to select validated
payment applications that are accepted by all the major payment brands, ensuring
that cardholder data continues to be secure."
Furthermore, over the coming months, the PCI SSC will be qualifying companies
to become Payment Application Qualified Security Assessors (PA-QSAs).
Approved companies will be recognised in a list maintained and published by the
PCI SSC and can begin conducting PA-DSS assessments in accordance with the
Security Audit Procedures.
"The issuance of the PA-DSS and a defined process for PA-QSAs is another key
milestone for the PCI SSC," said Bob Russo, general manager of the PCI SSC.
"Having a single source of information on approved payment applications and
security assessors provides business value to merchants and service providers,
and allows them to make informed choices regarding the security of their payment
application."