About PA DSS

Formerly known as the Payment Application Best Practices (PABP), the Payment Application Data Security Standard (PA-DSS) is a global security standard created by the Payment Card Industry Security Standards Council (PCI SSC). It was introduced to give software vendors that develop payment applications a definitive data security standard. Its main purpose is to ensure that any third-party application a bank, merchant, or other payment institution uses to process or store sensitive cardholder data meets the required security guidelines. The council introduced the PA DSS security framework so that all payment application developers follow a secure set of guidelines throughout the development cycle.

The framework is applicable to applications that

  1. Store, process, or transmit cardholder data as part of authorization or settlement.
  2. Are distributed, licensed, or sold to third parties.


Requirements of PA DSS

For PA-DSS compliance, software providers must have their applications audited by PA-DSS Qualified Security Assessors. The PA-DSS requirements are listed below:

  • Avoid retaining full magnetic stripe, PIN block data, or card validation code or value.
  • Provide secure password features.
  • Protect stored cardholder data.
  • Log application activity.
  • Develop secure software applications.
  • Protect wireless transmissions.
  • Test applications to address vulnerabilities.
  • Enforce secure network implementation.
  • Avoid storing cardholder data on a server that is connected to the Internet.
  • Ensure secure remote software updates.
  • Ensure secure remote access to applications.
  • Encrypt sensitive traffic over public networks.
  • Encrypt all non-console administrative access.
  • Maintain training programs and instructional documentation for customers, resellers, and integrators.
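As an added illustration of the first requirement above (this is example code, not code from PCI SSC or from the original post), the routine below scrubs one application log line before it is written: track 1 and track 2 data, CVV and PIN block values are removed, and any Luhn-valid PAN is truncated to its first six and last four digits. The regular expressions, the key names such as cvv and pinblock, and the sample log lines are all constructed assumptions for this example.

```python
import re

# Patterns for sensitive authentication data that PA-DSS Requirement 1 says must
# never be retained after authorization. Track layouts follow ISO/IEC 7813; the
# key names (cvv, cvc, cid, pinblock) are assumed log conventions for this example.
TRACK1_RE = re.compile(r"%[A-Z]\d{12,19}\^[^^]{2,26}\^\d{4}[^?]*\?")
TRACK2_RE = re.compile(r";\d{12,19}=\d{4}[^?]*\?")
SAD_KV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|pin_?block)\s*[=:]\s*[0-9A-Fa-f]{3,16}")
# PAN candidate: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; keeps order ids and timestamps from being masked as PANs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(match):
    """Keep the first six and last four digits of a Luhn-valid PAN, mask the rest."""
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw  # not a card number, leave the text untouched
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(line: str) -> str:
    """Return a log line with track data and CVV/PIN block removed and PANs truncated."""
    line = TRACK1_RE.sub("[TRACK1 REMOVED]", line)
    line = TRACK2_RE.sub("[TRACK2 REMOVED]", line)
    line = SAD_KV_RE.sub(lambda m: m.group(1) + "=[REMOVED]", line)
    return PAN_RE.sub(_mask_pan, line)


# Constructed sample lines (4111111111111111 is a well-known test PAN).
SAMPLE_LOG = [
    "auth ok pan=4111111111111111 amount=10.00 order=20230101123456",
    "swipe raw=%B4111111111111111^DOE/JOHN^25121010000000000000?"
    ";4111111111111111=25121010000000000000? cvv=123",
    "pin entry pinblock=0123456789ABCDEF terminal=77",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scrub(entry))
```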


Migration to SSF

Because the online landscape is constantly changing, with online shopping and credit/debit card payments in heavy use, PCI SSC proposed many changes for payment applications in the DSS framework.

Until 28th October 2022, the PA-DSS program will remain fully functional and supported, with no change to the current process for handling PA-DSS validated applications. Until their expiry dates, these applications will remain on the list of PA-DSS Validated Payment Applications, and vendors can submit changes to them under the normal process. After the expiry date, PA-DSS v3.2 will formally expire and the PCI Software Security Framework (SSF) will replace it.


Software Security Framework (SSF)

The PCI Software Security Framework (SSF) takes a unique approach that supports both traditional and modern payment software, including mobile and cloud platforms. The framework was created to validate both kinds of software through an objective-based approach to confirming application security and development practices. Merchants use PA DSS to help ensure PCI DSS compliance, since it provides software development and lifecycle management principles. PA DSS also sets strict criteria for validating applications that take part in authorization or settlement.

Payment application software is changing in many ways to support different payment methods, so an objective-focused approach is essential. With this approach, security can be provided for modern payment applications while attacks and vulnerabilities are reduced.

To support a wide range of payment software types, technologies, and development methods, PCI SSC announced the release of the new PCI Software Security Framework (SSF) in 2019. PCI SSC has planned the official retirement of PA DSS, the benchmark standard, after October 2022.

As an independent collection of payment security standards, PCI SSF includes elements of PA DSS, supports existing ways of ensuring good application security, and accommodates new kinds of payment software and development processes.


PA DSS – SSF Migration

Source: https://www.pcisecuritystandards.org


Vendors with PA-DSS Validated Software

As stated earlier, currently validated PA-DSS applications will remain on the list of validated payment applications until their expiry, and vendors may submit any required changes to them under the normal process until October 2022.

After October 2022, these applications will be moved to the “Acceptable Only for Pre-Existing Deployments” tab on the List of Validated Payment Applications, which will mark the closure of the PA-DSS program. Submissions of new payment applications for PA-DSS validation will be accepted until the end of June 2021, and validation will be retired on 31st October 2022.

Vendors can begin validating their payment software and software lifecycle management practices once SSF Assessors are qualified and listed on the PCI SSC website. PCI SSC anticipates that assessments will begin in the first quarter of 2020. Both Validated Payment Software and Secure SLC Qualified Vendors will be listed on the PCI SSC website.


Qualified Security Assessors (QSAs) and Payment Application Qualified Security Assessors (PA-QSAs)

QSAs, PA-QSAs, and others may apply to become Software Security Framework Assessors (SSF Assessors), who are qualified to perform Secure SLC assessments, Secure Software assessments, or both.

PA-QSAs who meet the SSF Assessor qualification requirements can take computer-based training and an exam for both the Secure Software and Secure SLC Programs in order to become new assessors.

QSAs can take computer-based training for Secure SLC only. PCI SSC began accepting applications from assessors in late 2019, with training following in early 2020. SSF Assessor Companies will then be listed on the PCI SSC List of SSF Assessors.


Merchants, Service Providers, Acquirers

Until October 2022, all PA-DSS validated applications will continue to be supported by the PA-DSS program, with no impact on users, and they will remain on the list until their expiry dates.

Payment software that is validated as meeting the Secure Software Standard will be placed on the PCI SSC List of Validated Payment Software. This list will replace the existing List of Validated Payment Applications once PA-DSS is retired after October 2022.

The SSF also includes a PCI SSC List of Secure SLC Qualified Vendors, which identifies payment software vendors whose software lifecycle development practices have been evaluated by a Secure SLC Assessor and validated as meeting the Secure SLC Standard.


References:

  1. https://www.pcisecuritystandards.org/documents/Transitioning_from_PA-DSS_to_SSF_Resource_Guide.pdf?agreement=true&time=1608130223666
  2. https://blog.pcisecuritystandards.org/understanding-the-pci-software-security-framework-new-educational-resources


Credits:

Mr. Manit Mewara, Mr. Dhananjay Deo, and Mr. Kishor Sonawane


Author,

Omkar Gaikwad,

Audit & Compliance Team,

Varutra Consulting Pvt. Ltd.