PA DSS Certification and 5 Critical Points you Need to Know | NDB Advisory
December 5, 2011
PA DSS Certification is fast becoming a hot topic in today’s business environment, and for very good reason. Advances in technology have resulted in an explosion of Software as a Service (SaaS) vendors, e-commerce sites, and many other web, mobile and wireless portals and platforms that facilitate credit card transactions. Those applications that perform authorization and settlement functions, and that are also sold, licensed, or distributed to other parties, will require PA DSS certification. With that in mind, PCI-QSA and PA-QSA veteran Charles Denyer of NDB Advisory provides 5 critical “must know” points for successfully understanding PA DSS certification.
1. Understanding the relationship between PA-DSS and PCI-DSS. In short, becoming PA-DSS compliant does NOT make an entity PCI-DSS compliant. Remember, the actual PA-DSS certified application will then still need to be implemented into a PCI-DSS compliant environment, either yours or the entity or entities that are using your PA-DSS application.
2. Determining if your application is truly in scope for PA-DSS. Want to know if your application is in scope and required to undergo PA-DSS certification? Read pages 5 and 6 of the PCI PA-DSS Requirements and Security Assessment Procedures, v.2.0, which can be found at pcisecuritystandards.org. These two (2) pages give excellent examples and explanations of what constitutes and does not constitute a requirement for PA-DSS certification.
3. The importance of the two PA-DSS appendices, which are (a) the Implementation Guide (IG) and (b) the laboratory instructions for testing and validating an actual live environment of the application itself. Let’s not forget that two of the most important components of PA-DSS compliance are actually Appendix A and Appendix B. These appendices are not simple instructions, afterthoughts, or additional optional guidelines; rather, they speak to the heart of PA-DSS compliance, so you’d be wise to learn more about them. In short, Appendix A calls for an Implementation Guide to be in place, while Appendix B requires a number of activities to ensure that the actual payment application undergoes an extremely thorough and comprehensive set of tests in an actual laboratory environment. You can obtain the actual PA DSS requirements guidelines at pcisecuritystandards.org.
4. Understanding the need for policies and procedures. Sure, the vast majority of PA-DSS certification is technical and can be challenging, but don’t forget that a fair number of policies and procedures will also need to be written. Contacting a highly qualified PA-QSA will be most helpful in this situation, as they should have templates to provide to your organization.
5. Recognizing that a PA-DSS assessment is significantly different from a PCI-DSS assessment. Though it would be a stretch to call them oil and water, there are significant and meaningful differences between the two. Remember, PA-DSS certification is about the application specifically, while PCI-DSS compliance is a higher-level, broader-reaching mandate that covers an organization, or a specific platform within an organization, that processes, stores, or transmits cardholder data.
Call today and speak directly with PCI-QSA | PA-QSA Charles Denyer at 1-800-277-5415, ext. 705 or email him directly at cdenyer@ndbcpa.com. Charles will take the time to discuss your PA-DSS certification needs along with any other general Payment Card Industry Data Security Standards (PCI DSS) questions, comments, or concerns you or your organization may have.