
PA DSS Compliance
PA DSS (Payment Application Data Security Standard) is the standard published by the Payment Card Industry Security Standards Council (PCI SSC) for validating payment applications that store, process, and/or transmit cardholder data for payment authorization and settlement. PA DSS compliance is required when such applications are sold, distributed, and/or licensed to third parties and also take part in payment authorization and settlement.
In other words, if you build a payment application solely for use within your own organization, that application falls within your organization's PCI DSS scope. However, if you sell, distribute and/or license the payment application (an off-the-shelf solution) to different customers, then the application must meet the PA DSS compliance guidelines.
To achieve PA DSS compliance, a software vendor must have the corresponding application audited and certified by a PA DSS Qualified Security Assessor (PA-QSA).
PA DSS Compliance journey and how to get started
PA DSS compliance requires organizations to follow a set of guidelines to ensure the security of cardholder data. For example, the application must not retain full magnetic stripe data, the card validation code or value, or PIN block data. It must provide secure password features, detailed activity logs, and additional security for wireless transmissions. Organizations must also test their applications annually to identify threats and vulnerabilities, and must maintain detailed documentation for all of their stakeholders.
SISA will help you implement the best practices and processes, educate you on how to implement applications in a PA DSS compliant manner, create detailed documentation, and support you with the compliance process end-to-end.
PA DSS Phase-wise compliance journey:
Phase 1: PA DSS Gap Assessment
Our specialists will start the payment application validation process with education on PA DSS and getting to know the application, followed by a code review of the application and a review of its log file contents and database entries. Next, SISA will conduct an application penetration test to find any loopholes in the application and will provide recommendations if any gaps are found.
Phase 2: Final Validation
This phase includes the final audit and the PA DSS compliance review report (Report on Validation), which, after successful review and validation, is shared with the PCI SSC for application listing.
The objectives of PA DSS compliance are as follows:
- Do not retain full magnetic stripe, card validation code or value, or PIN block data
- Provide secure password features
- Protect stored cardholder data
- Log application activity
- Develop secure applications
- Protect wireless transmissions
- Test applications to address vulnerabilities
- Facilitate secure network implementation
- Do not store cardholder data on a server connected to the Internet
- Facilitate secure remote software updates
- Facilitate secure remote access to applications
- Encrypt sensitive traffic over public networks
- Encrypt all non-console administrative access
- Maintain instructional documentation and training programs for customers, resellers, and integrators
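The gap assessment described above reviews log file contents and database entries for exactly the data the first objective forbids. Below is an added example of what such a review can look like in practice; it is illustrative code written for this page, not SISA's assessment tooling, and the log lines it scans are constructed sample data (the PAN 4111111111111111 is the widely used Visa test number, not a real card). It flags full track 1 and track 2 data, PIN-block and card-validation fields, and Luhn-valid digit runs that look like a PAN, and shows the first-six/last-four masking commonly used to keep a PAN out of logs.

```python
import re

# Constructed sample log lines for this example (not from any real system).
# Line 4 shows a correctly masked PAN; line 6 shows a long order number that
# must not be reported as a PAN.
SAMPLE_LOG = """\
2024-01-05 10:01:02 INFO auth ok txn=1001 pan=4111111111111111 amount=12.50
2024-01-05 10:01:03 DEBUG raw track2=;4111111111111111=25121011234567890?
2024-01-05 10:01:04 DEBUG raw track1=%B4111111111111111^DOE/JOHN^2512101123456789?
2024-01-05 10:01:05 INFO auth ok txn=1002 pan=411111******1111 amount=8.00
2024-01-05 10:01:06 DEBUG pinblock=0412AC89B3F0E71D cvv=123
2024-01-05 10:01:07 INFO order=20240105000123456 status=shipped
"""

# Track 1: %B<PAN>^<NAME>^<YYMM...>   Track 2: ;<PAN>=<YYMM...>
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")
# A run of 13-19 digits not embedded in a longer digit string.
DIGIT_RUN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Field names that should never carry a value in logs after authorization.
SAD_KEY_RE = re.compile(r"\b(pin ?block|cvv2?|cvc2?)\s*[=:]\s*\S+", re.I)


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn check (as PANs do)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_line(line):
    """Return the set of sensitive-data categories found in one log line."""
    found = set()
    if TRACK1_RE.search(line):
        found.add("track1")
    if TRACK2_RE.search(line):
        found.add("track2")
    if SAD_KEY_RE.search(line):
        found.add("sad_field")
    # Only Luhn-valid runs are reported, so timestamps and order numbers
    # of similar length are not false positives.
    if any(luhn_ok(m.group()) for m in DIGIT_RUN_RE.finditer(line)):
        found.add("pan")
    return found


def scan_log(text):
    """Return [(line_number, sorted categories)] for every line with a finding."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        cats = scan_line(line)
        if cats:
            results.append((n, sorted(cats)))
    return results


def mask_pan(line):
    """Replace each Luhn-valid PAN-like run with first-6/last-4 masking."""
    def repl(m):
        s = m.group()
        if not luhn_ok(s):
            return s
        return s[:6] + "*" * (len(s) - 10) + s[-4:]
    return DIGIT_RUN_RE.sub(repl, line)


if __name__ == "__main__":
    for n, cats in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(cats)}")
    print(mask_pan("pan=4111111111111111"))
```

Track data, PIN blocks and card validation values have no compliant storage form: a hit for those categories means the application is retaining data it must drop after authorization, and masking does not remedy it. A hit for a bare PAN points at the separate objective of protecting stored cardholder data, where masking on output and rendering stored values unreadable are the usual remedies.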
How will SISA help you get PA DSS compliant?
SISA handholds you through the entire process, identifies the vulnerabilities in your payment application and supports you in mitigating all of them to make it fully PA DSS compliant, and enables you to get certified quickly and easily, in keeping with SISA's philosophy of True Security.
With over a decade of experience in the payment security space, SISA brings a rare depth of understanding and acts as a trusted partner to over 2000 customers in 40+ countries, securing their payment environments and applications and the cardholder data they handle.
SISA has provided cutting-edge compliance services to diverse industries and domains, including banks, ITES, insurance, e-commerce, payment service providers, telecommunications, airlines, and retail companies.
How to maintain PA DSS compliance?
Although the PA DSS certification is valid for 3 years, the payment application needs to be revalidated annually.
Below are some of the tasks that need to be performed on a quarterly or half-yearly basis to maintain the PA DSS certification:
What if the application does not take part in payment authorization and/or settlement?
SISA also provides PaySec validation, in line with PA DSS guidelines, for applications that do not meet the eligibility criteria for PA DSS validation and listing but whose developers still aim to provide a secure payment application to their customers.
Talk to an expert from SISA to get your payment application PA DSS compliant.