All developers of payment applications, at some point in the life of their products, face the PA-DSS certification process. In this article we look at this process in a little more detail.
PA-DSS (Payment Application Data Security Standard) is a data security standard maintained by the PCI Security Standards Council (PCI SSC) that applies to payment applications sold, distributed or licensed to third parties and installed in a PCI DSS environment. The difference between PA-DSS and PCI DSS compliance is one of scope: PCI DSS compliance is required of merchants and service providers that store, process or transmit cardholder data, and it covers their entire cardholder data environment, while PA-DSS is aimed specifically at payment software vendors and validates the application itself, the way it is developed and the way it is documented. A PA-DSS validated application is added to the PCI SSC list of Validated Payment Applications, which tells customers that the product, when installed according to its implementation guide, supports their own PCI DSS compliance rather than undermining it.
Let us now look at the key elements of PA-DSS certification and list the documents that a software vendor should have available in order to go through the certification process successfully.
PA-DSS certification phases
Generally, to conduct PA-DSS certification, a software vendor contracts a Payment Application Qualified Security Assessor (PA-QSA), an assessor company qualified by the PCI SSC for this program, such as Coalfire, SecurityMetrics or Trustwave, among others.
The key steps within a PA-DSS audit are as follows:
- Gap analysis. The process begins with the software vendor filling out a questionnaire, which allows the assessor to understand which "weak points" or "gaps" will need to be addressed during the audit. Gaps in this context mean the absence of processes, procedures or technical controls required by PA-DSS (for example, no secure coding guidelines, no procedure for securely deleting sensitive authentication data after authorization, or no defined process for releasing security patches).
- Product installation in a PA-DSS compliant lab. The product is installed in the assessor's lab environment, where it is tested for compliance.
- Documentation analysis. At this stage the implementation guide, installation documentation, data-flow and network diagrams are analyzed.
- Product testing. The product is tested in all environments (operating systems, database platforms and deployment configurations) that are or will be used for its operation at clients' sites. The assessor examines, among other things, what the application writes to disk, logs and memory, to confirm that full track data, card verification codes and PINs are never stored after authorization and that PANs are rendered unreadable wherever they are stored.
- Remediation. During this period any identified issues that violate compliance are addressed by the vendor and re-tested.
- Final certification. After the remediation stage, when all gaps have been eliminated, the PA-QSA completes a Report on Validation (ROV) and submits it to the PCI SSC, which adds the application to the list of Validated Payment Applications.
Documents, necessary for PA-DSS certification
If you are a software vendor going through a PA-DSS audit, we recommend preparing several important documents in advance, so that you have them at hand at the time of your final certification. This simplifies the PA-DSS audit process significantly, because the assessor checks the documented processes against what is actually done, and undocumented processes cannot be validated.
The documents are as follows:
- Implementation guide. This document describes the steps that must be followed in order for installations of your application to comply with the Payment Application Data Security Standard (PA-DSS); the standard itself requires the vendor to produce and maintain it. The information in this document is based on the PCI Security Standards Council's PA-DSS program. The product installation guide is one section of the implementation guide. It includes the necessary PCI information on how to install, configure and maintain the product correctly, for example which default accounts and passwords must be changed, how to enable and protect audit logs, which data elements the application stores and how they are protected, and how to install security updates.
- Software development life-cycle (SDLC) description. This should define the phases of the software development cycle, paying special attention to the software code review procedures associated with PA-DSS requirements, such as reviewing code for common vulnerabilities (injection flaws, buffer overflows, insecure cryptographic storage, improper error handling) before release.
- PA-DSS SDLC requirements list. This is an additional document with specific SDLC requirements concerning development processes, the development environment and the development of the specific application. The document is a framework of the information needed to fill in your existing SDLC process with the requirements for PA-DSS. You can view it as a checklist to make sure that each requirement is present in your SDLC and, if not, add it in the appropriate place.
- Description of training procedures for developers. This document must specify the frequency of PCI and PA-DSS compliance training, including secure coding training, and include the list of training materials used.
- Description of support and troubleshooting policies. This document describes the procedures used to support and maintain the product. It should be clear from the document that cardholder data will not be compromised during product maintenance and troubleshooting (no card numbers will be captured in debug logs, crash dumps or support files, and any sensitive data collected for troubleshooting is limited, protected and securely deleted afterwards).
- Installation guide for resellers. If resellers are involved in product installation (that is, the product is installed by a third-party reseller or integrator and not by the software vendor), the guide must provide instructions on how the reseller should install the product in a compliant manner.
PA-DSS certification is a rather complicated procedure to go through. However, if you are a payment application software vendor, PA-DSS certification provides your customers with additional security guarantees about the product they deploy. Besides that, it pushes your company to organize the development team and structure the development process in a more disciplined way. And, finally, having a product on the list of PA-DSS validated applications definitely strengthens your business reputation, since many acquirers and merchants will only deploy listed applications.