Palisade Magazine

July 2008

The Payment Application Data Security Standard (PA DSS)

by Sangita Pakala, GCIH

PA DSS fills a gap in the better-known PCI DSS standard. Today, we’ll discuss this lesser-known standard.

Remember that the biggies of the credit card industry put their heads together and came up with the Payment Card Industry Data Security Standard (PCI DSS). Their aim was to protect cardholder data. PCI DSS was first released in 2005 and then revised in October 2006. PCI DSS has a few requirements that talk about securing web applications that deal with cardholder data.

To help organizations properly secure their web applications, one of the PCI members, Visa, came up with the Payment Application Best Practices (PABP). In April this year, PCI adopted the PABP guidelines and released the first version of the Payment Application Data Security Standard (PA DSS).

The Basics of PA DSS

Who needs to comply?

PCI DSS was aimed at anyone who stores, processes, or transmits cardholder data. By this definition, software vendors who sell payment applications need not comply, as they neither store nor process nor transmit cardholder data. But these applications eventually deal with sensitive cardholder data, and they should facilitate, not prevent, PCI DSS compliance for the owner. So PA DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties.

How to comply?

The whole idea of PA DSS compliance is that an application which has been validated against this standard must be capable of being implemented in a PCI-compliant manner. All software vendors need to compile and provide a PA DSS Implementation Guide to their customers. The primary goal of this guide is to outline clear instructions for implementing the application in a manner that helps make the environment PCI compliant. The application, the infrastructure, the supporting processes and the Implementation Guide have to be reviewed by third party auditors.

Who can audit?

Vendors have to get their applications audited by Payment Application Qualified Security Assessor (PA-QSA) companies. The QSA will have to carry out the following broad activities:

  1. Application security assessment - to check for vulnerabilities in the web application. The standard refers to the weaknesses mentioned in the OWASP Top 10. The QSA will have to run tools and also conduct manual tests to find all weaknesses in the application.
  2. Source code review - to discover weaknesses at the code level.
  3. Network Penetration Test (Internal and External)
  4. Wireless Penetration Test (If any wireless communication is being used by the application)
  5. Process Audit - This will include checking the security of the processes being followed. A technical audit also needs to be conducted to see what data is being created, used, and modified by the application. The QSA will have to run forensic tools to check the data and files being used by the application.
  6. Review of the Implementation Guide - This guide is a very important part of PA DSS compliance. The QSA should check that the guide has all the information required, presented in the manner specified by PCI.

The QSAs should follow the Audit Procedures document prepared by PCI. It has details of the tests to be carried out for each point in the standard.

PA DSS Requirements

  1. Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2) or PIN block data
  2. Protect stored cardholder data
  3. Provide secure password features
  4. Log application activity
  5. Develop secure applications
  6. Protect wireless transmissions
  7. Test applications to address vulnerabilities
  8. Facilitate secure network implementation
  9. Cardholder data must never be stored on a server connected to the internet
  10. Facilitate secure remote software updates
  11. Facilitate secure remote access to application


PA DSS addresses the weak link that was out of scope for PCI DSS: applications. With so many applications around that deal with sensitive cardholder data, PA DSS ensures cardholders can rest assured.
