Society of Payment Security Professionals Forum  

#1  10-12-2009, 04:13 AM
Levis (Member, Join Date: Jan 2009, Posts: 50)
PA-DSS vs PCI-DSS

Hi,
I'd like to ask you to provide me a little help with PA-DSS. You can find my presumptions below. Please let me know whether they are correct or not.

1) PA-DSS is derived from the PCI-DSS and should not be considered as a separate standard. It's a subset of the PCI-DSS and derives from it. It is not necessary to update the statements with 3rd party providers, merchants, etc. with PA-DSS requirements in case these statements already contain the PCI-DSS requirements.

2) Concerning the compliance of a payment application with PA-DSS: only the software developer is responsible for hiring a PA-QSA and certifying the application. The merchant which uses the payment application is not educated and experienced enough to perform a PA-DSS self-assessment analogous to the SAQ.

Are my presumptions correct?

Thank you very much for your help.
#2  10-12-2009, 11:23 AM
lyalc (Senior Member, Join Date: Mar 2007, Posts: 579)

1. In general, yes. PA-DSS certifies that the payment application security functionality expected by PCI DSS is delivered when installed according to the vendor's PA-DSS Implementation Guide. PA-DSS does not guarantee the application is operated in a PCI compliant manner, just that the application will not prevent PCI compliance.

2. In the event you buy or deploy a payment application, then it should be certified as PA-DSS compliant, or your QSA will need to assess the application to ensure the same security functionality is implemented in a PCI compliant manner.

In other words, PA-DSS can reduce the amount of compliance effort by not requiring the retesting, every year, of the application's security functionality.

If you are using an SAQ, then you either need PA-DSS certified apps, or you need to make that same determination about the application's security functionality yourself, with the potential for making a misleading statement in the associated Attestation of Compliance. Engaging a QSA can assist with an SAQ if you wish.

lyalc
#3  10-12-2009, 12:46 PM
wconway (Senior Member, Join Date: Jun 2007, Location: San Francisco, Posts: 155)

Quote:
Originally Posted by lyalc
1. PA-DSS certifies that the payment application security functionality expected by PCI DSS is delivered when installed according to the vendor's PA-DSS Implementation Guide. PA-DSS does not guarantee the application is operated in a PCI compliant manner, just that the application will not prevent PCI compliance.

Lyalc makes an important point. PA-DSS apps do not make you PCI compliant. You need to install them per the vendor's Implementation Guide, and they must be installed in a PCI-compliant environment. In my experience, you the merchant will be well served to get the vendor's Implementation Guide before you commit to it. Examine it carefully and understand what you will need to do to benefit from the PA-DSS validation. Also, check the version. PA-DSS is version-specific. I've seen merchants buying the wrong version and being very disappointed.
__________________
Walt Conway
403 Labs, LLC
wconway@403labs.com

The opinions are those of the author and not of 403 Labs, LLC
#4  10-14-2009, 05:07 AM
Levis (Member, Join Date: Jan 2009, Posts: 50)

Wconway and Lyalc - Thank you for your help.

I have an additional question regarding the responsibility for PA-DSS certification. As an acquirer we have to meet the requirements of the payment card associations. One of the mandates is to ensure that our merchants will use only PA-DSS certified payment applications by a particular date. Our merchants are mostly using payment applications which haven't been assessed yet against the PA-DSS. From your practice, who is pushing the vendor to hire a PA-QSA and get the payment application certified: the MERCHANT, which uses the payment application of the mentioned software vendor, or the ACQUIRER of this merchant, who must report the status of the merchant's payment application?

Many thanks for your help, I really appreciate it.

Levis
#5  10-14-2009, 07:46 AM
wconway (Senior Member, Join Date: Jun 2007, Location: San Francisco, Posts: 155)

The "push" for PA-DSS is coming from Visa primarily. See this Visa publication.
__________________
Walt Conway
403 Labs, LLC
wconway@403labs.com

The opinions are those of the author and not of 403 Labs, LLC
#6  10-14-2009, 11:04 PM
Levis (Member, Join Date: Jan 2009, Posts: 50)

Thanks, that's what I need.

One more question, from your point of view: does a 3D Secure application fall within the scope of PA-DSS?
Copyright (c) The Aegenis Group, Inc.