PABP/PA-DSS Annual Revalidation


RogerT
12-22-2009, 01:17 PM
I can't be alone in my predicament at present dealing with the annual revalidation of an application grandfathered from PABP 1.3, as over 300 listed applications share the same revalidation date of 2 Dec 2009 with us.

My QSA is insisting that, as any change made since the original audit that touches a message containing CHD could potentially affect the PA-DSS requirements, such changes must be considered Major Updates and so we must have a full audit.

We have provided a detailed Change Analysis report detailing the changes made, reasons for making the change and testing procedures followed. Any proposed changes that were deemed by our Security Review Panel to have a potential significant impact on PA-DSS requirements have been excluded from the current system and planned for a future one that will be re-audited.

Our application is an EFT Switch and so virtually every code change touches messages with CHD. Even the mandated changes from Visa and Mastercard were identified as being Major Updates!

Is this a case of the QSA being over-cautious? Is it out of step with what the other 300+ application vendors are facing from their QSAs? Do we have any precedents to refer to, or an avenue for challenge, to avoid the time and expense of a full re-audit?

Thanks

jbhall56
12-22-2009, 07:22 PM
This is just my opinion, so take it for what it is worth - not much. The real people to answer this are at the PCI SSC and the card brands. However, based on our training, here is my interpretation of what we have been told.

As defined by the PCI SSC, if there has been a significant change to the processing, storage or transmission of cardholder data in an application, then the application must be re-certified against the latest PA-DSS assessment standard. A significant change has been defined as any change that affects the cardholder data flow within the application.

The dilemma you face is that since yours is an application that does nothing but process, store and transmit cardholder data then, as you point out, almost any change likely creates a situation that requires re-certification. That would include changes mandated by the card brands as well as any enhancements or bug fixes.

As a result, I would agree with your PA-QSA.