The first step toward PA-DSS compliance is to get familiar with the compliance standard that applies to you: the Payment Application Data Security Standard (or PA-DSS for short). PA-DSS applies to software developers and integrators of applications that store, process or transmit payment cardholder data as part of authorization or settlement. It also applies to those applications when they are sold, distributed or licensed to third parties.

PA-DSS requirements include:

1. Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2) or PIN block data
2. Provide secure password features
3. Protect stored cardholder data
4. Log application activity
5. Develop secure applications
6. Protect wireless transmissions
7. Test applications to address vulnerabilities
8. Facilitate secure network implementation
9. Do not store cardholder data on a server connected to the Internet
10. Facilitate secure remote software updates
11. Facilitate secure remote access to the application
12. Encrypt sensitive traffic over public networks
13. Encrypt all non-console administrative access
14. Maintain instructional documentation and training programs for customers, resellers and integrators

Most ISVs then have two options from here: achieve PA-DSS compliance by undergoing an audit by a Qualified Security Assessor (QSA), or go out of scope of PA-DSS.

To stay in scope of PA-DSS, software vendors must undergo the process of validating their application or applications. This involves a security audit by a PA-DSS Qualified Security Assessor (QSA), as well as any development changes needed to bring the application into compliance. ISVs are required to pay $1,250 annually (per software application) to have their solution listed as a validated PA-DSS-compliant solution.

Each payment card brand has its own terms for PA-DSS compliance. We've written a comprehensive article on the different PCI compliance deadlines for each payment card brand, along with their different PCI compliance requirements.

To go out of scope of PA-DSS, ISVs need to transfer the responsibility for handling sensitive cardholder data to a third party. Some payment processing companies offer hosted solutions where sensitive credit and debit card data bypasses your software altogether and is transmitted directly to the payment processor.