The Payment Application Data Security Standard (PA DSS) has been developed to assess off-the-shelf payment applications against Payment Card Industry compliance standards.
Merchants and Service Providers that purchase products from vendors need to be confident that these products operate in a compliant fashion. As such, these technologies need to be assessed for compliance. Once that compliance has been attained, the product is officially recognised as PA DSS compliant, and any Merchant or Service Provider can be confident that it fits within its own PCI compliance programme.
The process of a product vendor becoming PA DSS compliant is rather similar to a merchant or service provider becoming PCI compliant. A measurable standard is used to assess the compliance of a defined technology. All applicable aspects of the PA DSS standard must be satisfied to ensure that the overall compliance objective is met. Once completed, the product is officially listed by the PCI Security Standards Council as being PA DSS compliant.
Listings are associated with a product at a particular version. If the product is enhanced and subject to a version upgrade, it is normally re-certified.
We have been performing PA DSS audits for large and small clients for several years. During this time, we have developed a cost-effective approach to PA DSS auditing that provides the right level of assistance to ensure you certify successfully.
Stage 1: Onsite Gap Analysis
Our PA QSA team performs an onsite assessment to help you understand the PA DSS and how it applies to your product set. All results are recorded in the ROV (the Report on Validation). All issues or 'gaps' are recorded for remediation purposes.
A key area we address is scope. PA DSS is only interested in the modules in your product set that store, process or transmit card data. For any vendor complying against the PA DSS, understanding where these modules are, and being able to separate them from modules that do not handle card data, reduces the product environment that has to be audited.
Features of the Gap:
- Performed onsite using our own PA QSA team.
- Often used to confirm the scope of the PCI environment ready for the final audit.
- Recorded in the ROV - a detailed assessment of what is and is not in place.
- Recommendations made against gaps to achieve compliance.
- All findings peer reviewed by our PA QSA team.
Stage 2: Remediation Assistance
Once the Gap audit has been completed, you will have a detailed understanding of what needs to be fixed to ensure you successfully comply with the PA DSS. We are frequently called upon to study designs, perform independent product selections and review progress.
All recommendations are reviewed by our PA QSA team. Any compliance advice we provide is peer reviewed. You can be sure that you will be working with one of our experienced QSA team. Our ticketing system for queries provides measurable advice that is in itself auditable.
Recent assistance tasks include:
- Working directly with IT support teams to review application configuration and associated administration infrastructure.
- Working directly with application development teams to review secure development practices and appropriate implementation of cryptographic strategy.
Stage 3: Final Audit
A Final Audit is normally conducted to confirm that your application and supporting organisation is PA DSS compliant. This assumes that you have previously been measured against the PA DSS and addressed all identified issues.
Our PA QSA team records all results in the ROV. Our approach to performing an onsite audit follows strict Quality Assurance guidelines as set by the PCI Security Standards Council. To ensure a consistent approach to auditing, we adhere to set procedures when assessing if each individual section of the standard is 'in place'. This might include checking documentation, interviewing staff, sampling the network or reviewing source code.
We are totally committed to quality. All ROV reports produced are reviewed by 2 other members of our QSA team before shipment.
Features of the final audit:
- Performed onsite using our own PA QSA team.
- Strict adherence to PCI Security Standards Council Quality Initiative.
- Recorded in the ROV - a detailed assessment of what is and is not in place.
- All findings peer reviewed by our QSA team.
Some useful steps for Vendors when preparing for an onsite PA DSS audit:
- You can find out more about the PA DSS at: http://www.pcisecuritystandards.org.
- Scoping your PA DSS application architecture is key to a successful compliance audit. The more you are able to rationalise and segment this environment - the smaller the target audit environment. Remember, PA DSS is only interested in application components that store, process or transmit card data.
- Vendors that have undergone a successful onsite audit are registered online as such. For example - see the listing maintained by the PCI Security Standards Council.
- Prior to undergoing an audit, ensure that you have fully defined what needs to be audited. Decide which software product version and which standard operating system platform will be assessed.
- If you review the PA DSS, you will see that great emphasis is placed on the quality of the test laboratory available to the PA DSS auditor. It should be stable and be representative of what clients run in a 'live' environment. It should represent a fully PCI DSS compliant implementation of the application to be audited, including all applicable network components.
- Documentation. The production of an Implementation Guide is vital for any PA DSS compliant application. It describes how the application is installed, configured and maintained in a PCI DSS compliant environment. Without this documentation, the audit cannot take place. Many organisations fail on this point.
Feel free to contact us to discuss any aspect of your security or compliance programme.
Featured service...
Our PCI policy pack is a detailed suite of documents that has been developed by our experienced QSA team.
Additional Information
- We are an experienced PA QSA - performing audits for many years.
- Communication is very important, and our audit package includes invaluable advice that often saves organisations time and money.
- We are completely independent and have no allegiance with product vendors.
