Get to Know More About a PA DSS Certification Process

PA DSS, an acronym for the Payment Application Data Security Standard, is a set of security requirements intended to help software vendors build payment applications that support their customers' PCI DSS compliance. PA DSS applies to payment applications that are sold, distributed or licensed to third parties and that are involved in authorization or settlement. It helps ensure that a payment application does not store prohibited sensitive authentication data such as CVV2, full magnetic stripe (track) data or PIN data after authorization.

Payment applications that merchants or service providers develop in-house are not required to adhere to PA DSS, but they fall within the scope of those organizations' own PCI DSS assessments. Originally run under Visa's Payment Application Best Practices (PABP) program, PA DSS was later maintained by the Payment Card Industry Security Standards Council (PCI SSC). For PA DSS validation, the application has to be assessed by a Payment Application Qualified Security Assessor (PA-QSA), a company qualified by PCI SSC specifically for payment application assessments (not an ordinary QSA). Note that PCI SSC retired the PA DSS program in October 2022 in favor of the PCI Software Security Framework (Secure Software Standard and Secure SLC Standard), so the process below describes the legacy program.

What Are the Documents Required for PA DSS Compliance Certification?

Unlike PCI DSS, which is assessed against a merchant's or service provider's environment, PA DSS is targeted at payment software vendors and developers and is assessed against a specific version of a software product. A software vendor preparing for a PA DSS assessment needs to have the following documents ready.

Description of the software development life cycle (SDLC): It should describe each phase of the development cycle, with particular attention to the code review procedures, so that the assessor can confirm the process is consistent with PA DSS requirements.

Implementation guide: This includes the steps customers and integrators must follow so that an installation of the application conforms to the PCI SSC's PA DSS program. The implementation guide should contain the product installation guide as a section, detailing the PCI-relevant configuration settings and how they are applied and maintained.

Specific SDLC requirement list: This covers the particular SDLC requirements that apply to the development environment and processes, as well as to the development of the specific application under assessment. It fills in the requirements of the SDLC process and can be used as a checklist.

Training procedure description for developers: This should include the training schedule for developers and the PA DSS compliance materials used.

Details regarding the maintenance procedures: The document should list the procedures used to maintain the product. It should state clearly that prohibited cardholder data (full track data, CVV2, PIN data) will not be stored by any means during maintenance, for example in debug logs or troubleshooting captures.

Installation instructions for resellers: Where a reseller or integrator performs the installation, a guide showing how the product should be installed in compliance with PA DSS should be included.
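The requirement that a payment application never store sensitive authentication data, stated in the introduction above and again for the maintenance procedures, is something a vendor should check for itself before the assessor does. The following is an added example, not part of the original page and not PCI SSC or PA-QSA tooling: a small Python scanner that runs over application log output and flags full track 1/track 2 data, card verification values and PIN blocks. The sample log lines, the field names such as cvv2= and pin_block=, and the test card number are constructed for this example; a real assessment uses the assessor's own forensic tools over logs, databases, memory dumps and temporary files.

```python
import re
from typing import List, Tuple

# Constructed sample application log (hypothetical field names; the PAN is a
# standard Luhn-valid test number and the track, CVV and PIN values are made up).
SAMPLE_LOG = """\
2024-03-01 10:00:01 INFO  auth request merchant=M123 pan=411111******1111 amount=12.50
2024-03-01 10:00:02 DEBUG raw swipe: %B4111111111111111^DOE/JOHN^2512101123456789?;4111111111111111=25121011234567890?
2024-03-01 10:00:03 DEBUG cvv2=123 for txn 8891
2024-03-01 10:00:04 DEBUG pin_block=1A2B3C4D5E6F7081 keyid=7
2024-03-01 10:00:05 INFO  settlement batch 44 closed, 17 records
2024-03-01 10:00:06 INFO  ref=ORDER-2024-0301-123 status=approved
"""

# Track 1: %<format code><PAN>^<name>^<YYMM>...; track 2: ;<PAN>=<YYMM>...
TRACK1_RE = re.compile(r"%[A-Z](\d{13,19})\^[^^?]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")
# Labelled card verification values (CVV2/CVC2/CID/CAV2) of 3 or 4 digits.
CVV_RE = re.compile(r"(?i)\b(?:cvv2?|cvc2?|cid|cav2)\s*[=:]\s*(\d{3,4})\b")
# Labelled 8-byte PIN block written as 16 hex characters.
PINBLOCK_RE = re.compile(r"(?i)\bpin[_ ]?block\s*[=:]\s*([0-9A-F]{16})\b")


def luhn_ok(pan: str) -> bool:
    """Luhn check, used to cut false positives on track-like patterns."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so the report itself holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (category, redacted evidence) pairs for prohibited data in one line."""
    findings: List[Tuple[str, str]] = []
    for m in TRACK1_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("track1", mask_pan(m.group(1))))
    for m in TRACK2_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("track2", mask_pan(m.group(1))))
    for m in CVV_RE.finditer(line):
        findings.append(("cvv", "*" * len(m.group(1))))
    for _ in PINBLOCK_RE.finditer(line):
        findings.append(("pin_block", "<16 hex chars>"))
    return findings


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """Scan every line; return (line number, category, redacted evidence)."""
    results: List[Tuple[int, str, str]] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for category, evidence in scan_line(line):
            results.append((n, category, evidence))
    return results


if __name__ == "__main__":
    for n, category, evidence in scan_log(SAMPLE_LOG):
        print(f"line {n}: prohibited data ({category}) {evidence}")
```

The masked PAN on line 1 and the order reference on line 6 produce no findings, while the raw swipe, the CVV2 and the PIN block on lines 2 to 4 are each reported with the value redacted, so the scan report can itself be shared with the assessor without becoming a new store of prohibited data. The Luhn check on track matches is what keeps arbitrary digit strings between ^ or = characters from being flagged.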

The PA DSS Certification Process to Follow

The assessment is carried out by a PA-QSA and covers the following stages:

Gap analysis: The assessor reviews the questionnaire filled out by the software vendor and identifies the gaps or weak points that do not meet PA DSS requirements, so they can be addressed before testing.

Compliant lab environment: The product is installed in a lab environment that meets the PA DSS requirements for assessment, so that the results reflect the application rather than the surroundings.

Documentation analysis: The assessor reviews the documents listed above, including the SDLC description and the implementation guide.

Product testing, remediation and final certification: The assessor tests the application in the lab against each PA DSS requirement, the vendor remediates any findings, and the assessor then submits the report to PCI SSC for validation and listing.

This is the procedure for PA DSS certification.