What is PA DSS?
PA DSS, also known as Payment Application Best Practices, is an offshoot of PCI DSS. It validates payment applications that participate in payment authorization and settlement and are sold, distributed, or licensed to third parties.
In PA-DSS terms, 'authorization' refers to the payment authorization performed by the issuing bank. To be in scope, the application must participate in authorization to the extent that it receives track data and sensitive authentication data and processes them to complete the authorization. In other words, an application that does not meet this criterion is not eligible for listing with the PCI Council.
Trivia: If the payment application is developed by an organization for its own internal use, it falls within that organization's PCI DSS scope instead.
PCI essentially requires merchants, service providers, and banks to use only third-party applications that are PA DSS compliant. Such applications do not store prohibited data such as full magnetic stripe, CVV2, or PIN data.
Why Certify?
The payment application must be audited and certified by a PA QSA to achieve PA DSS compliance. PA DSS certification for a payment application lasts three years, but the application must be tested once a year.
What sets PA DSS apart are the industry best practices it promotes:
- Protect stored cardholder data
- Do not retain full magnetic stripe, CVV/CVC, or PIN block data
- Develop secure applications
- Provide secure password features
- Facilitate secure remote software updates
- Encrypt all non-console administrative access
- Maintain documentation
- Log application activity
- Do not store cardholder data on a server connected to the Internet
- Encrypt sensitive traffic over public networks
- Protect wireless transmissions
- Test applications to address vulnerabilities
- Facilitate secure network implementation
- Facilitate secure remote access to applications
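As an added illustration of the "Protect stored cardholder data", "Do not retain full magnetic stripe, CVV/CVC, or PIN block data" and "Log application activity" practices listed above, the following Python log sanitizer removes track data and sensitive authentication data before a line is written and masks any Luhn-valid PAN to its first six and last four digits; it also audits already-written lines for leftovers. This is example code written for this page, not Crossbow Labs' tooling or anything mandated by PA DSS, and the log format, field names and regexes are assumptions about a typical payment application log.

```python
import re

# Example for this page; not Crossbow Labs' or PCI SSC code. The log layout,
# field names and patterns are assumptions; adapt them to the real format.

# Track 1 (ISO 7813): %B<PAN>^<name>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%?B\d{13,19}\^[^^]{2,26}\^\d{7}[^?\s]*\??")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";?\d{13,19}=\d{7}[^?\s]*\??")
# Key/value fields carrying sensitive authentication data (CVV/CVC, PIN block)
SAD_FIELD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|pin_?block|pin)\s*[=:]\s*[0-9A-Fa-f]+",
                          re.IGNORECASE)
# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample log line (not from any real system)
SAMPLE_LINE = ("2024-01-15 10:22:31 AUTH request pan=4111111111111111 cvv2=123 "
               "track2=;4111111111111111=25121010000000000000? order=1234567890123")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _mask_pan(match: re.Match) -> str:
    digits = re.sub(r"[ -]", "", match.group(0))
    if not luhn_ok(digits):
        return match.group(0)  # order ids, timestamps etc. are left untouched
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def sanitize_log_line(line: str) -> str:
    """Remove SAD outright (it must never be retained) and mask any PAN."""
    line = TRACK1_RE.sub("[TRACK1 REMOVED]", line)
    line = TRACK2_RE.sub("[TRACK2 REMOVED]", line)
    line = SAD_FIELD_RE.sub(lambda m: m.group(1) + "=[REMOVED]", line)
    return PAN_RE.sub(_mask_pan, line)

def audit_log_line(line: str) -> list:
    """Names of prohibited data found in an already-written log line."""
    checks = [("track1", TRACK1_RE), ("track2", TRACK2_RE), ("sad_field", SAD_FIELD_RE)]
    found = [name for name, rx in checks if rx.search(line)]
    if any(luhn_ok(re.sub(r"[ -]", "", m.group(0))) for m in PAN_RE.finditer(line)):
        found.append("unmasked_pan")
    return found

if __name__ == "__main__":
    print(audit_log_line(SAMPLE_LINE), "->", sanitize_log_line(SAMPLE_LINE))
```

Running the audit over an existing log directory before an assessment is a cheap way to find the retention gaps a QSA will look for.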
Payment Applications Security Consulting
Our QSA team at Crossbow Labs is a carefully assembled group of technical consultants with several successfully delivered engagements behind them. We have a well-defined and tested methodology for performing PA DSS assessments and audits, and with it we aim to make the Payment Application Data Security Standard less confusing and easier to comprehend. To achieve this, we divide the PA DSS engagement into two steps:
- Initial Gap Assessment: Once we are familiar with your payment application, we review its code along with its log file contents and database entries. We then perform penetration testing to identify gaps in the application and provide remediation support.
- Final Review: Once the gaps have been fixed, we perform a final audit of the application and deliver the Report on Validation (RoV). Your application is then certified and listed on the Validated Payment Application List on the PCI SSC website.
PA DSS Training
Secure software development requires applying secure coding practices in the SDLC and industry best practices across the organization, right from the beginning.
The PA Data Security Standard requires employees associated with the development of a payment application to be well aware of the standard and its requirements. Drawing on its extensive experience, Crossbow Labs' team of SMEs has carefully devised and customized the PA DSS training course.
In line with your business needs and objectives, our training courses will help your organization to:
- Upgrade the security culture
- Lower the likelihood of data loss, and
- Make PA DSS requirements easy to comprehend and implement
You will also gain real-world insight into implementing security best practices and understand the value a QSA brings when validating PA DSS compliance.