Last week we wrote about how merchants become PCI compliant. Today we want to outline the steps independent software vendors (ISVs) must take in order to become PA-DSS compliant.
Step 1 of PA-DSS implementation: Get familiar with the compliance standard that applies to you: the Payment Application Data Security Standard (or PA-DSS for short). PA-DSS applies to software vendors and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement, and only where those applications are sold, distributed or licensed to third parties. An application developed in-house for a single merchant's own use is not a PA-DSS candidate; it is assessed as part of that merchant's PCI DSS compliance instead.
PA-DSS requirements include:
1. Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2) or PIN block data
2. Provide secure password features
3. Protect stored cardholder data
4. Log application activity
5. Develop secure applications
6. Protect wireless transmissions
7. Test applications to address vulnerabilities
8. Facilitate secure network implementation
9. Do not store cardholder data on a server connected to the Internet
10. Facilitate secure remote software updates
11. Facilitate secure remote access to application
12. Encrypt sensitive traffic over public networks
13. Encrypt all non-console administrative access
14. Maintain instructional documentation and training programs for customers, resellers and integrators
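Requirements 1 and 3 are the ones a PA-DSS lab will test most directly: the assessor looks through the application's own logs, debug output, databases and crash dumps for sensitive authentication data (track data, card validation codes, PIN blocks) and for unmasked PANs. The scanner below is an added example, not code from the original post or from the PCI SSC; it is a quick self-check a vendor can run over its own log files before engaging an assessor. The log lines it runs against are constructed here using standard test card numbers, and the track-data and CVV patterns are simplified approximations of the real formats, so treat hits as leads to investigate rather than a definitive finding.

```python
"""Scan application log lines for data PA-DSS forbids retaining.

Added example for this post. Flags track 1/track 2 magnetic-stripe data,
card validation codes written next to a recognisable label, and full
Luhn-valid PANs. Also shows the first-6/last-4 masking that requirement 3
expects for any PAN the application does have to display or log.
"""
import re

# Track 1 (format B): "%B<PAN>^<NAME>^<YYMM><service code>..." (simplified).
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
# Track 2: "<PAN>=<YYMM><service code><discretionary data>?" (simplified).
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}\d*\??")
# A CVV2/CVC2/CID/CAV2 value written next to its label, e.g. "cvv2=123".
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\s*[:=]\s*\d{3,4}\b", re.I)
# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Candidates are then Luhn-checked.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PA-DSS req. 3 style)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> list[str]:
    """Return the sorted, de-duplicated categories of forbidden data found."""
    findings = set()
    if TRACK1_RE.search(line):
        findings.add("track1")
    if TRACK2_RE.search(line):
        findings.add("track2")
    if CVV_RE.search(line):
        findings.add("cvv")
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group())
        # Luhn filters out most timestamps, order ids and transaction numbers,
        # but not all: review every hit by hand.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.add("pan")
    return sorted(findings)


def scan_log(lines) -> dict[int, list[str]]:
    """Map 1-based line number -> findings, for lines with any finding."""
    report = {}
    for n, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            report[n] = hits
    return report


# Constructed sample log using well-known test card numbers (not real cards).
SAMPLE_LOG = [
    "2024-05-01 12:00:01 auth ok pan=411111******1111 amount=1999",   # clean
    "2024-05-01 12:00:02 DEBUG cardnum=4111111111111111 exp=12/25",   # full PAN
    "2024-05-01 12:00:03 DEBUG swipe=;4111111111111111=25121010000000000?",
    "2024-05-01 12:00:04 DEBUG raw=%B378282246310005^DOE/JOHN^2512101000000000?",
    "2024-05-01 12:00:05 auth cvv2=123 result=approved",             # CVV kept
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hits)}")
    print("masked:", mask_pan("4111 1111 1111 1111"))
```

Run it against real log directories by feeding `scan_log` an iterator over each file's lines; a non-empty report on a production log is a requirement 1 or 3 failure that has to be fixed in code, not by deleting the log.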
Most ISVs then have two options from here: achieve PA-DSS validation by undergoing an assessment by a Payment Application Qualified Security Assessor (PA-QSA), or take their software out of scope of PA-DSS.
To stay in scope of PA-DSS, software vendors must validate each of their payment applications. This involves a security assessment by a PA-QSA (a QSA company specifically qualified by the PCI SSC to assess payment applications), plus whatever development changes are needed to bring the application into compliance before the assessor signs off. ISVs then pay $1,250 annually (per software application) to have their solution listed on the PCI SSC's list of validated PA-DSS-compliant applications.
Each payment card brand has their own terms for PA-DSS compliance. We’ve written a comprehensive article on the different PCI compliance deadlines for each payment card brand, along with their different PCI compliance requirements.
To go out of scope of PA-DSS, ISVs need to transfer the handling of sensitive cardholder data to a third party. Some payment processing companies offer hosted solutions (hosted payment pages, hosted fields, or encrypting card readers paired with tokenization) where credit and debit card data bypasses your software altogether and is transmitted directly from the customer's browser or the payment terminal to the payment processor, with your application receiving only a token or masked PAN in return. The caveat is that this only works if your software never receives, logs or stores the full PAN or any sensitive authentication data on any code path, including error handling and debug output; a single fallback path that takes raw card numbers puts the application back in scope.
Some resources to fulfill PA-DSS requirements:
PCI SSC's page on PA-DSS compliance