A question came up on an email list about PA DSS software. There is still a lot of confusion about what it takes for an application to be PA DSS certified and which organizations need to have their software certified. Hopefully, I can clear up some of the confusion with this post.
PA DSS stands for Payment Application Data Security Standard. As of July 2010, all merchants using a third-party payment application must be using a PA DSS certified application. Be aware that all merchants must already be PCI compliant, which involves many other controls and procedures beyond the application itself. Simply using a PA DSS certified application does not make a merchant PCI compliant.
Any application licensed for use by a third party that collects, processes or stores card data is in scope for PA DSS. Being compliant with PA DSS means the application vendor has followed secure coding practices such as those outlined by OWASP. It also means that the specific version has been tested in a laboratory setting by a Payment Application QSA (PA-QSA) certified by the PCI Security Standards Council.
There is confusion about which organizations must certify their applications, particularly open source vendors. The key is in the wording: “Software vendors and others that develop secure payment applications that are sold, distributed, or licensed to third parties.” While open source vendors do not sell their applications, the applications are distributed and licensed to third parties. Quite often the application is also drastically altered by third-party developers for their clients.
The first key requirement is not to store sensitive authentication data after authorization. Some applications store the data and then delete it after authorization; the QSA testing procedure centers on determining whether that data has actually been deleted and is unrecoverable, including from debug output and log files. A QSA might deliberately trigger error conditions that cause error logs containing card data to be written on a server, where they could be extracted by other means. Any and all historical data that may retain card data must be deleted. Where card data is stored, it must be protected, and expired data must be securely purged from the system.
The point is that even if an application does not store card data in its database, that does not mean the data is not stored somewhere else. There are other requirements in PA DSS, and we will cover them in future installments here on PCI Guard Dog.
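As an added illustration (this is example code written for this post, not code from the original article or from any PA DSS application), here is the kind of check a QSA, or a vendor's own QA team, could run over application logs: it finds Luhn-valid card numbers in log lines, and it shows a logging filter that masks them before they are ever written to disk. The sample log lines are constructed for the example, and the card numbers in them are the well-known 4111... and 5500... test numbers, not real cards.

```python
import logging
import re

# Candidate PAN: 13 to 19 digits, optionally split by single spaces or dashes,
# and not embedded in a longer digit run (so a 24-digit transaction ID is skipped).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEP_RE = re.compile(r"[ -]")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _as_pan(match_text: str):
    """Return the bare digits if the match looks like a real PAN, else None."""
    digits = SEP_RE.sub("", match_text)
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits
    return None


def find_pans(text: str) -> list[str]:
    """All Luhn-valid PANs found in a piece of text."""
    return [pan for pan in (_as_pan(m.group(0)) for m in PAN_RE.finditer(text)) if pan]


def scan_log(lines) -> list[tuple[int, str]]:
    """(1-based line number, PAN) for every PAN found in an iterable of log lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        hits.extend((n, pan) for pan in find_pans(line))
    return hits


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form."""
    def _sub(m):
        pan = _as_pan(m.group(0))
        return mask_pan(pan) if pan else m.group(0)
    return PAN_RE.sub(_sub, text)


class PanRedactingFilter(logging.Filter):
    """Logging filter that masks PANs in the fully formatted message before it is emitted."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


# Constructed sample log lines (not from any real system); the order number on the
# first line is 16 digits but fails Luhn, so it must not be reported as a card.
SAMPLE_LOG = [
    "2010-07-01 12:00:01 INFO  auth ok order=1234567890123456 amount=19.99",
    "2010-07-01 12:00:02 DEBUG request body: {'pan': '4111111111111111', 'exp': '1212'}",
    "2010-07-01 12:00:03 ERROR gateway timeout, retrying card 5500 0000 0000 0004",
]


def demo_logging() -> list[str]:
    """Log a message containing a PAN through the filter and return what the handler wrote."""
    captured = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(self.format(record))

    logger = logging.getLogger("pa_dss_demo")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = ListHandler()
    handler.addFilter(PanRedactingFilter())
    logger.handlers = [handler]
    logger.debug("gateway error for pan=%s", "4111111111111111")
    return captured


if __name__ == "__main__":
    for n, pan in scan_log(SAMPLE_LOG):
        print(f"line {n}: card number {mask_pan(pan)} found in plaintext")
    print(demo_logging()[0])
```

Running the scanner over the sample lines flags the DEBUG request dump and the ERROR retry line, and not the order number; that is exactly the kind of debug and error output the QSA will go looking for. The filter is attached to the handler rather than to individual loggers so that every record the handler writes is masked, including records from third-party libraries. Remember that redaction at the logging layer does nothing for data already written to earlier log files, crash dumps or backups, which still have to be found and securely purged.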

It's a really great blog. Thanks to the author.