Our council puts forth the PA DSS security framework for all payment applications developers to follow.
The Payment Application Data Security Standard (PA DSS) is a subset of the Payment Card Industry Data Security Standard (PCI DSS) that applies to any application developer or payment application integration service whose software stores, processes or transmits cardholder data as part of authorization or settlement. It is primarily tailored to ensure that any third-party application used by merchants, banks or other payment institutions to process or store sensitive cardholder data meets all the essential security guidelines required. The council put forth the PA DSS security framework so that all payment application developers follow secure guidelines during the development cycle.
PA DSS applies to any application that meets both of the following conditions:
It stores, processes, or transmits cardholder data as part of authorization or settlement.
It is sold, distributed, or licensed to third parties.
If an organization fails to meet the PA DSS guidelines, it runs the risk of monetary fines as well as public disclosure of breaches.
As your PA DSS compliance partner, Delta Tech Africa will assist and assess you at each step of your compliance activity, from scope definition until the application is certified and listed as a validated payment application by the PCI SSC.
Define the "in scope" and "out of scope" components of the environment against the applicable PA DSS requirements, covering everything included in, connected to, or affecting the security of the cardholder data environment (CDE).
Identify the relevant aspects of the software, the process, or both, together with the requirements and materials necessary to perform the assessment effectively.
Once the scope is finalized, qualified professionals start the validation process, determining the gaps in the payment application that stores, processes or transmits cardholder data and/or sensitive authentication data against all applicable PA DSS documents.
As required for PA DSS compliance, the validation includes code review, log file analysis and database analysis. An application penetration test is also conducted to determine the security posture of the application.
After the gap assessment and follow-up with the necessary remediation support, the payment application is assessed again for final validation testing.
Upon the final audit, we share the following with our client:
Report of Compliance (ROV).
Attestation of Compliance (AOV).
PA DSS certification is valid for a period of three years, although after successful PA DSS validation the payment application needs to be revalidated annually. This requires conducting awareness training and performing vulnerability assessments on a quarterly or half-yearly basis.