SPIguard Blog
PA-DSS – Things to remember
The deadline for PA-DSS (in North America) is approaching (June 30, 2010) and payment application vendors are rushing to get their applications validated.
Most are mis-informed about what it takes to get an application validated and think this is a 10 day project. PA-DSS has specific requirements that specify what you need for a successful validation:
- Standardized processes and procedures
- Documentation detailing processes and procedures, evidence of their implementation and other documentation
- A secure application
The biggest issue with vendors that I have seen are the processes and documentation. A lot of payment application vendors do not have even basic documentation such as secure coding standards, security policies or processes such as change control process, code review process etc. Given this situation, it is a stretch to expect validation to be completed in 2 months, let alone 2 weeks.
My suggestion to payment application vendors would be to read the PA-DSS Assessment Procedures document and try to understand what level of detail needs to be provided. The QSA has to look for specific things in the PA-DSS Implementation Guide and other documentation.
In some cases, the QSA is required to examine documents such as change logs to verify if the implementation matches the defined processes and procedures. The whole point of the exercise is not just to see if the application is secure, but also verify that the vendor follows secure and standard practices in both their day to day operations and also in application development. For more information check out Tips for a successful PA-DSS validation.
It is imperative that vendors plan and provide enough time for the validation and also remember that all the processes and procedures will ultimately make the vendors and their applications more secure.
Be sure to check out our PA-DSS Validation Service.
