PA DSS V 3.2 to SUNSET by 2022
The Payment Application Data Security Standard (PA-DSS), formerly referred to as the Payment Application Best Practices (PABP), is the global security standard created by the Payment Card Industry Security Standards Council (PCI SSC). PA-DSS was implemented in an effort to provide the definitive data standard for software vendors that develop payment applications. It is primarily tailored to ensure that any third-party application that is used by merchants, banks, or any payment institute and processes or stores all the sensitive cardholder data meets all the essential security guidelines as required. The council put forth the PA DSS security framework for all payment applications developers to follow a secure guideline during the development cycle.
The applicability for any application can be summarized as below:
- Stores, processes, or transmits cardholder data as part of authorization or settlement
- Sold, distributed, or licensed to third parties.
To achieve PA-DSS compliance, a software provider must have its application audited by a PA-DSS Qualified Security Assessor. PA-DSS requirements include:
- Do not retain full magnetic stripe, card validation code or value, or PIN block data.
- Provide secure password features.
- Protect stored cardholder data.
- Log application activity.
- Develop secure applications.
- Protect wireless transmissions.
- Test applications to address vulnerabilities.
- Facilitate secure network implementation.
- Do not store cardholder data on a server connected to the Internet.
- Facilitate secure remote software updates.
- Facilitate secure remote access to applications.
- Encrypt sensitive traffic over public networks.
- Encrypt all non-console administrative access.
- Maintain instructional documentation and training programs for customers, resellers, and integrators.
Considering the rapidly changing online landscape—chock-full of online shopping and credit card payments—PCI SSC announced that more changes are on the way for payment applications in the DSS framework.
The PA-DSS Program will remain open and fully supported until October 28, 2022, with no changes to how existing PA-DSS validated applications are handled. They will remain on the list of PA-DSS Validated Payment Applications until their expiry dates, and per the normal process, vendors can submit changes to them until the PA-DSS v3.2 expiry date. At that point, the PA-DSS v3.2 will be formally retired and replaced by the PCI Software Security Framework (SSF).
The PCI Software Security Framework (SSF)takes a unique approach to support both traditional and modern payment software including cloud and mobile platforms. The framework was developed to allow for validation of both modern as well as traditional payment software and uses an “objective-based” approach to confirm application security and development practices. PA DSS helps merchants maintain PCI DSS compliance by supporting software development and lifecycle management principles. In addition, PA DSS has a strict eligibility criterion that the application taking part in authorization and (or) settlement shall only be validated as per its requirements.
The payment application software is constantly evolving in order to facilitate the variety of payment methods and hence the objective focused security approach is the need of the hour. This approach shall provide security for modern payment software, reduce vulnerabilities, and abate cyberattacks.
To support a broader array of payment software types, technologies, and development methods, PCI SSC announced the release of the new PCI Software Security Framework (SSF) in 2019. After October 2022, PCI SSC has planned the official retirement of PA DSS, the benchmark standard.
PCI SSF is an independent collection of payment security standards that includes elements of PA DSS. SSF supports existing ways to demonstrate good application security and a variety of new payment software and development processes.
Existing PA-DSS validated applications will remain on the List of Validated Payment Applications until their expiry dates, and per the normal process vendors can submit changes to them until the end of October 2022.
At that time PA-DSS validated payment applications will be moved to the “Acceptable Only for Pre-Existing Deployments” tab on the List of Validated Payment Applications, and the PA-DSS Program will close. Submissions of new payment applications for PA-DSS validation will be accepted until 30 June 2021, and validation will expire at the end of October 2022.
Once SSF Assessors are qualified and listed on the PCI SSC website, vendors can begin the validation process for their software lifecycle management practices and payment software. PCI SSC anticipates assessments will begin in Q1 2020. PCI SSC will list both Secure SLC Qualified Vendors and Validated Payment Software on the PCI SSC website.
QSAs, PA-QSAs, and others may apply to become Software Security Framework Assessors (SSF Assessors), which can be qualified to perform Secure SLC assessments, Secure Software assessments, or both.
For both the Secure SLC and Secure Software Programs, PA-QSAs that meet the SSF Assessor Qualification Requirements may complete computer-based training and the corresponding exam, rather than the instructor-led training and exam required for new assessors.
QSAs are eligible for computer-based training for Secure SLC only. PCI SSC has started accepting applications from assessors in late 2019, followed by training in early 2020. SSF Assessor Companies will be recognized on the PCI SSC List of Software Security Framework Assessors.
The PA-DSS Program will continue to support PA-DSS validated applications through the end of October 2022, with no impact on users. Existing PA-DSS validated applications will remain on the List of Validated Payment Applications until their expiry dates.
Payment software that is validated as meeting the Secure Software Standard will be recognized on the PCI SSC List of Validated Payment Software, which will supersede the current List of Validated Payment Applications when PA-DSS will be retired at the end of October 2022.
The SSF also includes a PCI SSC List of Secure SLC Qualified Vendors, which identifies payment software vendors with software lifecycle development practices that have been evaluated by a Secure SLC Assessor and validated as meeting the Secure SLC Standard.
Mr. Manit Mewara, Mr. Dhananjay Deo, and Mr. Kishor Sonawane
Audit & Compliance Team,
Varutra Consulting Pvt. Ltd.