Security Assessment Services: Payment Application Data Security Standard (PA-DSS)

DRG offers payment application software providers independent assurance services to support assessment, remediation, and compliance validation against the Visa Payment Application Data Security Standard (PA-DSS).

Overview
The goal of the PA-DSS is to assist software vendors in developing secure payment applications that do not store prohibited payment card data, and thereby to help ensure merchant PCI compliance.

The PA-DSS program is managed by the PCI Security Standards Council (SSC) and is the successor to the Payment Application Best Practices (PABP) program, formerly under the supervision of Visa Inc. PA-DSS provides an industry-defined set of requirements that help software vendors create secure payment applications that do not store prohibited payment card data, such as full magnetic stripe, CVV2 or PIN data, and that support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to a third party are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS.

To be considered secure, these applications must:
  • Not retain full magnetic stripe data or CVV2 data
  • Protect stored data
  • Provide secure password features
  • Log application activity
  • Support secure application development best practices
  • Protect wireless transmissions
  • Address vulnerabilities identified through testing
  • Facilitate secure network implementations
  • Never store cardholder data on a server connected to the Internet
  • Facilitate secure remote access to the application
  • Encrypt sensitive data over public networks

We help software providers such as shopping cart vendors, payment service providers, and payment software companies achieve compliance by offering PA-DSS pre-assessment application development and post-assessment remediation services, in addition to flexible compliance validation programs and payment terms. Drawing on our full range of PA-DSS services, DRG clients make more efficient use of their development resources and protect payment card data throughout the transaction process.

Scope of PA-DSS Services
DRG tailors its PA-DSS compliance assessment and validation programs to meet the desired scope and requirements of each company. PA-DSS assessments address systems and applications where cardholder data is stored, processed or transmitted during the transaction authorization and settlement lifecycle. Other areas of your network that store, transmit or permit access to cardholder data may also be included. Validated payment applications are eligible for inclusion in the prestigious "List of PA-DSS Validated Payment Applications" located on the PCI SSC web site.

The DRG Advantage
DRG differentiates its service from competitors by providing customers with pre-assessment preparation and planning, ongoing guidance and direction based on years of experience, and customized service. We keep you informed throughout the engagement. In addition, we offer multi-year customer programs with long-term discounts and manageable, low-cost monthly payment plans.

Here is a brief example of how we conduct our PA-DSS security assessment:
  1. Work with you to define the most appropriate scope for your review
  2. Provide pre-assessment preparation, guidance and documentation
  3. Plan and review the work and test program prior to onsite visits, to make the most effective use of your time and critical resources
  4. Collect key documents, such as the software development process and the implementation guide, in advance so that we are prepared for our onsite work
  5. Conduct onsite interviews and testing work in a professional manner
  6. Provide early notification when we identify deficiencies or security vulnerabilities that require remediation
  7. Provide recommendations or remediation services and assistance as required to ensure your compliance as quickly and cost-effectively as possible
  8. Provide a preliminary report on compliance so you may review and comment on our findings before we finalize your report

DRG understands and supports the payment card industry's goal of protecting cardholder data and ensuring that merchants, service providers and payment application software developers maintain the highest information security standards. DRG is committed to providing the highest standard of quality work in order to support payment application providers who wish to consistently implement the proper PCI measures and controls, and ultimately to ensure the protection of valuable consumer credit card data.

Please contact DRG with questions or to begin the PA-DSS compliance assessment and validation process: pa-dss@drgsf.com or call (650) 638-3350