What Is PA DSS?
It is expected that all payment applications that handle credit card information are safe and secure for customers to use. Because of this, all major credit card companies rely on the Payment Card Industry Security Standards Council (PCI SSC) to ensure that payment applications are protected from potential software vulnerabilities.
The PCI SSC works to ensure safety and security by enforcing standards — like the Payment Card Industry Security Standard (PCI DSS) — that every organization that handles credit cards need to comply with to ensure customers’ data is handled in a secure manner.
As part of PCI DSS, software vendors that make and sell payment applications need to follow the Payment Application Data Security Standard (PA DSS). This is to ensure the security of all the software components of an application that processes payment card data.
If payment applications are not compliant with the Payment Application Data Security Standard, it could result in major fines and leave customers’ personal information vulnerable to data breaches. For that reason, it is important that you understand what is PA DSS and how you can meet PA DSS compliance requirements.
What Is PA DSS?
The Payment Application Data Security Standard (PA DSS) — formerly known as the Payment Application Best Practices (PABP) — is a global security standard for the development of payment application software. Its requirements apply to the storage, processing, and transmission of cardholder data, and sensitive authentication data.
The 14 PA DSS top-level requirements that all organizations that handle credit card information need to comply with.
1. Do not retain full track data, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data.
2. Protect stored cardholder data.
3. Provide secure authentication features.
4. Log payment application activity.
5. Develop secure payment applications.
6. Protect wireless transmissions.
7. Test payment applications to address vulnerabilities and maintain payment application updates.
8. Facilitate secure network implementation.
9. Cardholder data must never be stored on a server connected to the internet.
10. Facilitate secure remote access to payment applications.
11. Encrypt sensitive traffic over public networks.
12. Secure all non-console administrative access.
13. Maintain a PA-DSS Implementation Guide for customers, resellers, and integrators.
14. Assign PA-DSS responsibilities for personnel, and maintain training programs for personnel, customers, resellers, and integrators.
How Do SAST Tools Help With PA DSS Compliance?
Even though the Payment Application Data Security Standard provides requirements for how payment application software must be developed, only Requirement 5 — Develop secure payment applications. — is directly involved in the development of the software.
The Payment Application Data Security Standard Requirement 5 outlines the process for how to develop secure payment applications. It requires that development processes are “based on industry standards and/or best practices”. Code must be reviewed to ensure that it has been developed according to secure coding guidelines.
The Payment Application Data Security Standard compliance document explicitly calls out best practice secure coding guidance including OWASP, CWE, and CERT. The results of code reviews and any resulting code changes need to be documented.
So, it is important that developers are trained in secure programming practices. This will mean they can identify potential coding flaws that can lead to application vulnerabilities.
Unfortunately, even the most experienced developers can miss subtleties in code that can cause security issues. This is where automated SAST tools become essential.
A good SAST tool — like Klocwork — encapsulates best practice coding knowledge and automatically scans code — as it is created — to immediately alert developers to security issues. Furthermore, as issues are raised their status can be tracked and a change record automatically created for traceability and auditing purposes.
Why You Should Use Klocwork For PA DSS Compliance
If your payment application is coded in C, C++, Java, or C# then Klocwork is the best static analysis tool to help with your PA DSS compliance.
It comes with a suite of compliance checkers that will identify and report on security issues in your code, helping you to meet the Payment Application Data Security Standard requirements and PCI DSS. Some of the features that make Klocwork the best static code analyzer for payment application software are:
- Fully documented rule enforcement and message interpretation.
- Extensive example code, showing how to address software vulnerabilities.
- Fully configurable rules processing.
To see how Klocwork can help you accelerate compliance with industry standards — like PA DSS — request your free trial.