PA DSS and PA DSS Compliance
April 21, 2020

What Is PA DSS? Overview + PA DSS Compliance

Security & Compliance
Static Analysis

Security is critical when it comes to credit card payments. That's why you need to know what is PA DSS, how it is related to PCI DSS, and how to ensure PA DSS compliance. 

Why PCI DSS Is Important

It is expected that all payment applications that handle credit card information are safe and secure for customers to use. That's why PCI DSS is important.

All major credit card companies rely on the Payment Card Industry Security Standards Council (PCI SSC). This ensures that payment applications are protected from potential software vulnerabilities.

The PCI SSC works to ensure safety and security by enforcing standards, like PCI DSS. Every organization that handles credit cards need to comply with PCI DSS. This ensures customers’ data is handled in a secure manner.

Related Blog: How API Management Improves PCI DSS >>

PA DSS: Part of PCI DSS

The Payment Application Data Security Standardis part of PCI DSS. Software vendors that make and sell payment applications need to follow the standard. This ensures the security of all the software components of an application that processes payment card data.

If payment applications are not compliant with the standard, it could result in major fines. It also leaves customers’ personal information vulnerable to data breaches. For that reason, it is important that you understand the payment security standard and how you can meet payment application compliance requirements.

What Is PA DSS?

PA DSS — the Payment Application Data Security Standard — is a global security standard. It applies to the development of payment application software. It used to be known as the Payment Application Best Practices (PABP).

Important Requirements for PA DSS Compliance

The payment security standard requirements apply to storing, processing, and transmitting cardholder data and sensitive authentication data.

The following requirements are required for all organizations who handle credit card information:

  1. Do not retain full track data, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data.
  2. Protect stored cardholder data.
  3. Provide secure authentication features.
  4. Log payment application activity.
  5. Develop secure payment applications.
  6. Protect wireless transmissions.
  7. Test payment applications to address vulnerabilities and maintain payment application updates.
  8. Facilitate secure network implementation.
  9. Cardholder data must never be stored on a server connected to the internet.
  10. Facilitate secure remote access to payment applications.
  11. Encrypt sensitive traffic over public networks.
  12. Secure all non-console administrative access.
  13. Maintain a PA-DSS Implementation Guide for customers, resellers, and integrators.
  14. Assign PA-DSS responsibilities for personnel. And maintain training programs for personnel, customers, resellers, and integrators.

Protect your payment application from cybersecurity vulnerabilities. Get the white paper to learn how.

Get the White Paper

How to Achieve PA DSS Compliance?

Here's how to achieve payment application compliance by using a SAST tool, such as Klocwork.

The payment security standard provides requirements for developing payment application software. But only Requirement 5 — Develop secure payment applications — is directly involved.

1. Comply With Requirement 5

Requirement 5 outlines the process for how to develop secure payment applications. It requires that development processes are “based on industry standards and/or best practices”. Code must be reviewed to ensure that it has been developed according to secure coding guidelines.

2. Apply Coding Standards

To ensure compliance, the standard requires best-practice secure coding guidance. This includes OWASP, CWE, and CERT. The results of code reviews and any resulting code changes also need to be documented.

3. Train Developers in Secure Coding

So, it is important that developers are trained in secure programming practices. This will mean they can identify potential coding flaws that can lead to application vulnerabilities.

4. Use SAST Tools to Enforce It Automatically

Unfortunately, even the most experienced developers can miss subtleties in code that can cause security issues. This is where automated SAST tools become essential. More on SAST >>

A good SAST tool — like Klocwork — enforces best practice coding knowledge. Klocwork automatically scans code — as it is created — to immediately alert developers to security issues. Plus, you can track the status of issues. A change record will be automatically created for traceability and auditing purposes.

Why Use Klocwork For PA DSS Compliance?

If your payment application is coded in C, C++, Java, or C# then Klocwork is the best static analysis tool to help with your payment software compliance.

It comes with a suite of compliance checkers that will identify and report on security issues in your code. This helps you to meet the payment security standard requirements and PCI DSS.

Some of the features that make Klocwork the best static code analyzer for payment security standard are:

  • Fully documented rule enforcement and message interpretation.
  • Extensive example code, showing how to address software vulnerabilities.
  • Fully configurable rules processing.

To see how Klocwork can help you accelerate compliance with industry standards. Sign up for our next live demo to learn how Klocwork can help with compliance.

Ensure CompliancE WITH KLOCWORK