Payment Application (PA) DSS Compliance
Versos provides the required services based on the Payment Application Data
Security Standard (PA DSS), a proven method, previous experience, and a unique
set of skills with extensive experience, to ensure that our clients receive
the most comprehensive and cost-effective outcome. The following details our
comprehensive PA DSS methodology, which has been developed in partnership with
ControlCase:
Scoping
This step plays a key role in scoping and planning the engagement. First,
it defines the business goals that are to be fulfilled by the application,
along with the application architecture. Second, it defines the software
components such as the programming language, operating platform, database
software, lines of code, and other relevant information. The key objective
of this step is to determine the application evaluation scheme (e.g. whether
the application runs on a single platform and database or on a combination
of multiple platforms and databases).
Assessment
To uncover any gaps in relation to each PA DSS requirement, we examine the
information security controls for the application configuration and
deployment environment. The assessment includes a review of the technology
software components, an architectural review, supporting technical
documentation, and technical evaluations.
Architectural Review
We review the application design structure against its security control
mechanisms, including:
- Payment dataflow throughout the application
- Sensitive data protection in storage and in transit
Vulnerability Scanning & Penetration Testing
We conduct tests using automated tools and manual checks to identify
weaknesses associated with networks, hosts and the application.
Configuration Review
We check the parameters of critical processes enabled by systems, network
devices and the application.
Application Review
We examine the application's current information security controls and
uncover any gaps. The review includes:
- Payment security controls: the objective of this review is to assess the
controls over the payment transactions processed within and through the
application. This includes confidentiality, integrity, accuracy,
completeness and availability of data.
- Application interaction checks. These include checks between system
components such as the web service, back-end data sources and any
third-party developed components (e.g. ActiveX DLL libraries)
- Weak implementation of user credentials
- Role/privilege bypass
- Privilege escalation
- Unauthorized resource access
- SQL injection
- Cross-site scripting
- Session hijacking
- Browser refresh issues
- Information leakage through error messages
- Insecure storage of credentials
- Vulnerabilities related to caching
- Parameter manipulation checks
- Broken access control checks
- Data encoding/encryption checks
Code Review
To ensure that the application is developed in a secure way, we examine the
code using automated tools and manual checks. The tests adhere to security
checklists and guidelines including OSSTMM and OWASP. The code review
includes:
- Authentication
- Authorization
- Data/input validation
- Cookie management
- Error handling/information leakage
- Application logging
- Cross-site request forgery (CSRF) defence
- Encryption and key management
- Secure code environment
- Session management
Supporting Technical Documentation
We review all supporting technical documentation to ensure that PA DSS
requirements are fulfilled; this also includes the application
implementation guide.
Remediation
Versos experts assist the client throughout the remediation phase in closing
the identified gaps. In addition, Versos tracks the PA DSS gaps and provides
a monthly status dashboard to the client on remediation steps.
PA DSS Certification
After going through internal quality procedures, the client will be issued a
PA DSS compliance report, the “Report on Validation”. Thereafter, the
appropriate certification will be submitted to the PCI Council.
PA DSS Ongoing Compliance & Certification
Versos PCI Compliance Manager, combined with the compliance scanner and
managed compliance services, streamlines the process of remaining compliant
with PA DSS on a continual basis. After going through internal quality
procedures, the client will be issued a PA DSS Annual Report on Validation
(ROV) compliance report upon review by the PCI Security Council.
- Development team self-service for identifying cardholder data: we will
provide software tools that can be run in self-service mode by development
teams on a periodic basis to ensure that key PA DSS requirements around
storage of prohibited data are being met. In addition, we will provide the
methodology to integrate with any appropriate tools that already exist.
- Continuous monitoring: using a combination of technology, process and
people, we will keep track of all PA DSS control points for the application
and provide continuous PA DSS posture reports throughout the year. During
this time, the client will be notified to perform actions if their posture
is falling out of compliance with the latest regulations. Examples of
monitoring activities include:
- Quarterly notification and follow-up to appropriate personnel to
perform PA DSS activities (such as code reviews and application tests
upon change to any code). These notifications and follow-ups would be a
combination of portal-generated and personnel-generated follow-ups;
- Periodic questionnaires to collect compliance data;
- Periodic review of evidence throughout the year to identify any
non-compliances and notification to the client for remediation; and
- Completion of the required forms annually: we will annually complete
the PA DSS forms required to be submitted to the PCI Council for product
versions that have undergone little to no change from a PA DSS security
perspective. New versions of products with major changes that require a
complete certification will go through the full PA DSS process.
Versos also offers the following PCI services:
- PCI DSS Merchant Management Programme
- Internal PCI DSS Compliance Programme