PA-DSS Compliance for Secure Payment Applications

The Payment Application Data Security Standard, PA-DSS for short, is a global security standards for payment applications, managed by PCI Security Standards Council. The PA-DSS program aims to help software vendors and other businesses to develop secure payment applications that do not store prohibited sensitive payment data as the PCI DSS compliance requires. With its strong adherence to PCI DSS, most card brands encourage their customers to use PA-DSS validated payment applications to ensure data security.

What is PA-DSS?

PA-DSS requirements help software vendors to develop secure payment applications that do not compromise full magnetic stripe data, card validation information, PINs and etc. that might otherwise cause serious damages and/or losses. In this way, PA-DSS provides a common set of requirements to maintain a global security standard across payment application development which eventually supports overall security for customer cardholder data.

How does PA-DSS Relate to PCI DSS Compliance?

PA-DSS and PCI DSS compliance are highly interrelated, although their scope and intended audience might differ. PA-DSS requirements are actually derived from PCI DSS. The PA-DSS is applicable for payment applications that store, process or transmit cardholder data as a part of authentication and/or settlement processes and being sold, distributed or licensed to third parties. When considering PA-DSS and PCI DSS together, there are two important factors to distinguish:

Firstly, PA-DSS is applicable for such payment applications, even if the software vendors are not subject to PCI DSS requirements. Consider this: even though such payment application vendors do not store, process or transmit cardholder data themselves, their customers probably do. Here, lack of preventive security measures in these payment applications may cause third parties to face breaches and security vulnerabilities. Since these third parties (the businesses that actively use these payment applications in their organizational processes) are responsible for managing the security of the stored, processed and transmitted cardholder data in accordance with PCI DSS, PA-DSS helps them support their PCI DSS compliance processes. Here, the role of PA-DSS becomes enabling the third parties to operate in compliance with PCI DSS. Secondly, PA-DSS compliance is only a part of PCI DSS compliance scope. For a business to be compliant with PCI DSS, they still need to put a great emphasis on securing their environment with applicable PCI DSS requirements. You can check our earlier blog post on PCI DSS compliance for details.

PA-DSS Applicability

The distinction between PCI DSS and PA-DSS appliances might seem complex at first glance. Let’s draw the line in accordance with the previously mentioned definition of PCI SSC¹:

“Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to a third party are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS.”

Following this definition, let’s mention payment applications that are offered as Software-as-a-Service or developed for one specific customer only. If such SaaS payment applications are not managed, owned or controlled by the customers, software vendors do not need to get a PA-DSS validation for these applications. Similarly, if these applications are developed and sold to a third party for the sole use of their business, PA-DSS does not apply either. Important factor to highlight here is that these applications are still subject to PCI DSS, and the customers are responsible for addressing the PCI DSS requirements throughout their own compliance efforts.

PA-DSS Compliance

Roles and Responsibilities

The roles and responsibilities for each party varies in PA-DSS compliance requirements. For instance, software vendors need to make sure that the application should facilitate their customers’ PCI DSS compliance. Any application configuration/structure that prevents customers from satisfying PCI DSS requirements (such as prevention of firewalls as PCI DSS requires) should be resolved. In addition, the vendors are also responsible to follow PCI DSS requirements whenever they work with the cardholder data, for example during customer support processes, troubleshooting, etc. Software vendors are also expected to provide a PA-DSS Implementation Guide for their applications as well as educating their customers to implement and operate the payment applications in compliance with PCI DSS.

Customers in turn are expected to configure these PA-DSS compliant applications into their environment in line with the PA-DSS Implementation Guide and follow the PCI DSS standards within their environments. When cardholder data is stored, processed or transmitted as a part of authorizing or settlement steps in transactions, the business should comply with PCI DSS requirements.

PA-DSS compliance is applicable for a wide range of payment applications, ranging from kiosk services to web-based applications that support payment devices. PA-DSS validated payment applications are given as a list in the official website of PCI Security Standards Council.

PA-DSS Requirements

The PA-DSS Requirements given in the v2.0 are as following:

• Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data

• Protect stored cardholder data

• Provide secure authentication features

• Log payment application activity

• Develop secure payment applications

• Protect wireless transmissions

• Test payment applications to address vulnerabilities

• Facilitate secure network implementation

• Cardholder data must never be stored on a server connected to the Internet

• Facilitate secure remote access to payment application

• Encrypt sensitive traffic over public networks

• Encrypt all non-console administrative access

• Maintain instructional documentation and training programs for customers, resellers, and integrators

PA-DSS Compliant Applications in the Cloud

As the ultimate goal of PA-DSS compliance is to help the customers achieve PCI DSS compliance through secure application practices, cloud offers various tools and services to facilitate PCI DSS compliance. If you are familiar with AWS Shared Responsibility model, the security “of” the cloud is managed by AWS, whereas customers are responsible for the secure configuration and use of cloud resources, namely security “in” the cloud. AWS also offers various PCI DSS compliant services to help businesses secure their environments. You can check the list of almost 130 PCI DSS compliant AWS services here. Based on the PA-DSS requirements listed above, there are various AWS tools and services that you can implement for secure application development. AWS provides strong encryption at rest and in transit features, for instance AWS Key Management Service (KMS) to help you protect stored cardholder data as PA-DSS requires. On the other hand, you can utilize Amazon Cognito to provide secure authentication features or AWS CloudTrail to collect application logs in line with PA-DSS requirements.

When it comes to code security, cloud also enables you to automate specific compliance checks and improve your code security. You can utilize fully-managed source control services to enable your teams to collaborate on code securely with AWS CodeCommit. Another outstanding service example can be given as Amazon CodeGuru. Amazon CodeGuru helps developers to review their code and identify any defects and issues within source code automatically. Amazon CodeGuru Security Detector also enables you to scan and secure thousands of lines of source code and get recommendations against web application security vulnerabilities and address Top 10 Web Application Security Risks described by OWASP. You can check our previous blog post on Amazon Code Security Detector and see how it works.

1. https://www.pcisecuritystandards.org/minisite/en/pa-dss-v2-0.php

2. https://www.pcisecuritystandards.org/minisite/en/docs/pci_pa_dss_v2-0.pdf

3. https://www.pcisecuritystandards.org/documents/PA-DSS-v3_2-Program-Guide.pdf