SPIguard Blog
Roles and responsibilities in a PA DSS assessment
When we start an engagement (PA DSS, PCI DSS, Security consulting), we try to let our clients know what SPIguard’s role is in it. All parties in the engagement should be on the same page regarding their roles and responsibilities to avoid confusion and frustration.
For PA DSS engagements, SPIguard is in the role of an auditor (the official term being assessor). In this role, the QSA (SPIguard) will provide the software vendor (client) with a list of items required to validate compliance. This will include the PA DSS Implementation Guide, installation guides, other documents that describe the processes and procedures, evidential documents, and the software itself.
The software vendor is responsible for providing the documents requested by the QSA and any installation CDs/packages for the software. If the software vendor needs any clarifications on the PA DSS requirements or the list of items requested by the QSA, they can ask the QSA. The QSA is expected to answer those questions.
SPIguard also works with software vendors (in either a compliance validation or a gap analysis engagement) to identify gaps in the software vendor's documentation, processes or software, and to help them identify solutions that meet the requirements.
The following is an extract from the PA DSS Program Guide published by the PCI SSC, which describes the roles and their responsibilities:
Software Vendors
Software vendors (“vendors”) develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, and then sell, distribute, or license these payment applications to third parties (customers or resellers/integrators).
Vendors are responsible for:
- Creating PA-DSS compliant payment applications that facilitate and do not prevent their customers’ PCI DSS compliance. (The application cannot require an implementation or configuration setting that violates a PCI DSS requirement.)
- Following PCI DSS requirements whenever the vendor stores, processes or transmits cardholder data (for example, during customer troubleshooting)
- Creating a PA-DSS Implementation Guide, specific to each application, according to the requirements in the Payment Application Data Security Standard
- Educating customers, resellers, and integrators on how to install and configure the payment applications in a PCI DSS compliant manner.
- Ensuring payment applications meet PA-DSS requirements by successfully passing a PA-DSS review as specified in PCI PA-DSS Requirements and Security Assessment Procedures
Vendors submit their payment applications and supporting documentation to the PA-QSA for review. Any agreements and costs associated with the assessment are negotiated between the vendor and the PA-QSA. Vendors provide permission for their PA-QSA to submit resulting PA-DSS compliance reports to PCI SSC.
PA-QSAs
PA-QSAs are QSAs that have been qualified and trained by PCI SSC to perform PA-DSS reviews. Note that all QSAs are not PA-QSAs – there are additional qualification requirements that must be met for a QSA to become a PA-QSA.
PA-QSAs are responsible for:
- Performing assessments on payment applications in accordance with the Security Assessment Procedures and the PA-QSA Validation Requirements
- Providing an opinion regarding whether the payment application meets PA-DSS requirements
- Providing adequate documentation within the ROV to demonstrate the payment application’s compliance to the PA-DSS
- Submitting the ROV to PCI SSC, along with the Attestation of Validation (signed by both PA-QSA and vendor)
- Maintaining an internal quality assurance process for their PA-QSA effort
It is the PA-QSA’s responsibility to state whether the payment application has achieved compliance. PCI SSC does not approve ROVs from a technical compliance perspective, but performs QA reviews on the ROVs to assure that the reports adequately document the demonstration of compliance.
Related PA-DSS services that may be offered by PA-QSAs
None of these services are required or recommended by PCI SSC. This list is included to provide examples of the types of services that may be offered by PA-QSAs. If these services are of interest to your company, please contact PA-QSAs for availability and pricing. Example PA-DSS related services include:
- Guidance on designing payment applications in accordance with PA-DSS
- Review of a software vendor’s software design, response to questions via e-mail or phone, and participation in conference calls to clarify requirements
- Guidance on preparing the PA-DSS Implementation Guide
- Pre-assessment (“gap” analysis) services prior to beginning formal PA-DSS assessment
- Guidance for bringing the payment application into compliance with PA-DSS if gaps or areas of non-compliance are noted during the assessment