Host IDS/File Integrity > PABP


fitch609
03-10-2008, 11:53 AM
I’m working with a software vendor who is developing a payment application. They are about to begin the PABP certification process and I’ve got a question around the PA-DSS/PABP that someone can hopefully answer.

The PABP document from Visa’s website doesn’t make any mention that a PABP compliant payment application needs to have Host IDS or file integrity monitoring software. Is that the case? My interpretation of the PABP is that software vendors don’t need to include Host IDS and file integrity monitoring software because it is not mentioned in the PABP documentation. I know the PCI DSS requires merchants to have Host IDS and file integrity monitoring on in-scope systems, but this is a software vendor, not a merchant so the PCI DSS doesn’t apply.

I'd appreciate any thoughts or comments on this.

Thanks!

EPCHK
03-11-2008, 05:48 AM
I would think that if the vendor is selling boxed software that the merchant installs and runs, then it would only need to work with file integrity monitoring software, IDS, and A/V.

If, on the other hand, the vendor is selling a complete turn-key solution, I would expect all of the required aspects of the PCI-DSS to be covered by the vendor's solution.

I believe the PABP was written for the former, not the latter, of my 2 cases.

dherrald
03-11-2008, 11:51 AM
I agree with EPCHK.

I'm not an assessor but we've got a couple PABP validated applications.

The way I see it, one critical job of a payment app developer is to ensure that use of their app will not prevent the customer (merchant) from operating in a PCI DSS compliant manner. This is a pervasive theme in PABP and you see it specifically in PABP 8.1 (even though 8.1 does not call out file integrity monitoring in particular like it does NAT, AV, etc...)

Articulating exactly where the payment app stops and where operating environment controls should start is excellent content for the product's PABP Implementation Guide (PABP 14.1).

If they are selling an integrated turn-key system (EPCHK's second point), then they are not only selling a payment app, they are selling a chunk of the merchant operating environment as well. I believe they would then want to characterize their product in terms of both a PABP compliant app as well as what, if any, of the PCI DSS requirements they are potentially helping their customer to achieve with the integrated solution.

jbhall56
03-15-2008, 08:35 AM
The PABP and PA-DSS have assumed that aspects of the PCI DSS would be better off controlled by the implementer versus the software vendor.

HIDS and critical file monitoring fall into these areas because there are so many viable solutions available to the implementer.

So, what the software vendor should do is assist the implementer by identifying, in their implementation guide, those critical files that should be monitored as well as identifying those log or error messages that might indicate a security issue with the application. This sort of information is invaluable in fine tuning HIDS and file monitoring solutions.
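One way an implementer could turn such an implementation-guide appendix into a working check, as an added example that is not code from this thread or from any vendor's product: it baselines a constructed list of critical files (content hash and permission bits), reports which ones have drifted or gone missing, and filters log lines for the vendor-documented security messages. The file names, log patterns and sample log lines are all hypothetical.

```python
import hashlib
import os
import re
import tempfile

# Constructed stand-in for a vendor's PABP Implementation Guide appendix: the
# critical files to baseline and the log messages documented as security-relevant.
CRITICAL_FILES = ["bin/payapp", "conf/payapp.ini", "lib/crypto.so"]
SECURITY_LOG_PATTERNS = [r"key (?:load|decrypt) failed", r"config checksum mismatch"]

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root, files=CRITICAL_FILES):  # hash + mode per critical file
    out = {}
    for rel in files:
        p = os.path.join(root, rel)
        out[rel] = {"sha256": sha256_file(p), "mode": os.stat(p).st_mode & 0o7777}
    return out

def check_integrity(root, baseline):  # map each drifted file to the reason
    findings = {}
    for rel, exp in baseline.items():
        p = os.path.join(root, rel)
        if not os.path.exists(p):
            findings[rel] = "missing"
        elif sha256_file(p) != exp["sha256"]:
            findings[rel] = "content changed"
        elif os.stat(p).st_mode & 0o7777 != exp["mode"]:
            findings[rel] = "permissions changed"
    return findings

def flag_security_events(log_lines, patterns=SECURITY_LOG_PATTERNS):
    rx = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [ln for ln in log_lines if any(r.search(ln) for r in rx)]

def demo():  # build a baseline, simulate two kinds of drift, return the findings
    root = tempfile.mkdtemp()
    for rel in CRITICAL_FILES:
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"original " + rel.encode())
    base = build_baseline(root)
    with open(os.path.join(root, "conf/payapp.ini"), "ab") as f:
        f.write(b"\ndebug=1")                          # constructed content change
    os.chmod(os.path.join(root, "bin/payapp"), 0o777)  # constructed mode change
    return check_integrity(root, base), flag_security_events(
        ["INFO batch settled", "ERROR key load failed for slot 2"])
```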

lyalc
03-15-2008, 10:13 PM
There is another potential legal aspect to this thread.

In Australia, and perhaps other jurisdictions, it is against trade practices law to sell something that must have another specific product in order for it to work as intended.

e.g. selling a PABP certified app and requiring, say, Tripwire as a must-have could be illegal. Bundling the products isn't illegal (as far as I know), nor is requiring a generic type of capability (e.g. FIM), but mandating that a specific product (Tripwire) must be licensed and installed can run into trade practices issues.

Usual 'I am not a lawyer' disclaimer should be assumed right about here!

lyalc