The global mobile payment market is expected to reach $3Tn by 2024. In 2012, 20% of the US population was estimated to be using mobile payments (Source: eMarketer), and 1.31 billion users globally are expected to use mobile payment apps by 2023 (Source: Merchant Savvy). Consumers increasingly use mobile apps for a whole range of activities, and payment sits at the centre of it all, since any purchase or transaction involves a payment. Payment fraud has grown alongside it: a Gallup survey found that 71% of respondents were worried about the safety of their private or financial details. Hence, the security of payment applications matters. We give you a lowdown on PA DSS, one of the most important security standards for payment applications.
PA DSS, the Payment Application Data Security Standard, is a global security standard for vendors of payment applications. Its central focus is that an application must never store sensitive authentication data after authorisation: the full magnetic stripe (track) data, the card verification code or value (CAV2, CVC2, CVV2, CID), and PIN or PIN block data. Its goal is to ensure that software vendors build payment applications that are secure and safe for end users. It applies to companies that produce, sell or distribute payment applications, or act as third parties responsible for payment authorization and settlement. Note that the PCI SSC has since retired PA DSS in favour of the PCI Software Security Framework (the Secure Software Standard and the Secure SLC Standard); PA DSS v3.2 validations expired at the end of October 2022, and new applications are validated under the SSF. The requirements described below nevertheless remain the baseline for what a payment application must and must not do.
PA DSS Scope
PA DSS is applicable to companies that are in the business of producing or selling payment applications. The compliance covers:
- A whole gamut of functionalities like authorization, settlement, input & output, error conditions, interfaces and connections to files, systems, data flows, encryption techniques, authentication methods etc.
- Mandatory support for compliance, implementation, and environment settings to be provided to customers, resellers, and integrators by the software vendor. These details need to be given even when a specific setting cannot be controlled by the vendor or is the sole responsibility of the customer.
- All selected platforms of the reviewed application version
- All tools used by the application for reporting, logging purposes, etc.
- All application related software components including third-party requirements and dependencies
- Any other applications required for the completion of the installation of the said application
- The vendor’s versioning methodologies
PCI DSS vs PA DSS
Both PA DSS and the Payment Card Industry Data Security Standard (PCI DSS) are standards maintained by the Payment Card Industry Security Standards Council (PCI SSC). PCI DSS applies to every organization that stores, processes or transmits cardholder data. PA DSS applies specifically to vendors that produce, sell or distribute payment applications to third parties. For example, an application a company develops solely for its own use is assessed as part of that company's PCI DSS compliance; once the same application is sold to other merchants or processors, PA DSS comes into play. The two are assessed separately, but they are not independent: PA DSS exists to help the vendor's customers meet PCI DSS, and deploying a PA DSS validated application does not by itself make a merchant PCI DSS compliant. The application still has to be installed, configured and operated in a PCI DSS compliant environment, following the vendor's implementation guide.
PCI SSC was founded by the five major card brands: Mastercard, Visa, Discover, American Express, and JCB. Financial institutions, processors, software developers, merchants and others take part as participating organizations. The standards are regularly updated, and specific requirements and testing procedures are published to ensure consistent compliance.
PA DSS Compliance
Vendors must follow certain guidelines to ensure data security. They must not retain full magnetic stripe data, card validation codes, or PINs. Detailed activity logs must be maintained, strong authentication features implemented, and wireless transmissions secured. Applications must be tested regularly, security updates must be delivered on a defined schedule, and detailed documentation must be maintained.
The compliance journey usually follows the below process:
Phase 1 – Gap Analysis:
A thorough review is conducted and use cases are validated. Penetration testing is conducted to identify any security loopholes. Attacks are simulated to test the system.
Phase 2 – Final Validation:
Here, an audit is conducted and compliance review reports are generated.
PA DSS Requirements
PA DSS compliance mandates companies to ensure the following:
- Do not retain full magnetic stripe (track) data, card verification codes or values (CVV2, CVC2, CID, CAV2), or PIN block data after authorisation
- Protect stored cardholder data (render the PAN unreadable wherever it is stored, and mask it when displayed)
- Provide secure authentication features (no shared or default accounts, strong credentials)
- Log payment application activity in enough detail to reconstruct events
- Develop secure payment applications following a documented secure development process
- Protect wireless transmissions
- Test payment applications to address vulnerabilities and maintain security updates
- Facilitate secure network implementation
- Cardholder data must never be stored on a server connected to the Internet
- Facilitate secure remote access to the payment application
- Encrypt sensitive traffic over public networks
- Encrypt all non-console administrative access
- Maintain a PA DSS Implementation Guide with instructions for customers, resellers, and integrators
- Assign PA DSS responsibilities to personnel and maintain training programs for personnel, customers, resellers, and integrators
How AppSealing can help you get PA DSS compliance
One of the leaders in mobile application security, AppSealing's experienced team and custom solutions can help you detect and block attacks on your mobile applications. Our Runtime Application Self Protection (RASP) offering lets you watch for threats in real time and block them, supporting your PA DSS compliance effort.
Our recently launched data encryption solution uses white-box cryptography built on AES-256, so that keys embedded in the app are not exposed in plaintext to an attacker who reverse-engineers it. Runtime protection covers assets and resources in Android apps, encryption keys, API keys, authentication tokens, sensitive user data, and gaming resources. No single control covers every attack vector; these protections complement, rather than replace, the application-level requirements listed above.
You can block threats as they come into the system, so you are always one step ahead of attackers. Known as well as unknown threats are covered, statistical data and insights are readily available at your fingertips, and you can act quickly to make your payment applications more secure in the future.
Our solutions help you reduce risk and protect your applications inside out, so your customers can transact with your business with confidence. We encrypt data, protect applications from malicious code insertion and help defend them against man-in-the-middle attacks. We keep our protections current with the latest security regulations. Our easy-to-use features and intuitive real-time dashboards give companies complete visibility into their mobile application security strategy, so you can focus on customer relations and building better products while we handle the security aspects. Contact us today to get started.
Frequently Asked Questions
1. What is the difference between PCI DSS and PA-DSS?
Companies that store, transmit or process cardholder information need to comply with PCI DSS. PA DSS on the other hand applies to vendors that create and sell payment applications.
2. Are PA-DSS applications in scope for PCI-DSS?
Yes. A PCI DSS assessment covers every application that stores, processes or transmits cardholder data, whether or not it is PA-DSS validated. Validation reduces the assessment effort for the application itself but does not remove it from scope, since the surrounding environment and the way the application is configured are still assessed.
3. What is allowed by PA-DSS?
PA-DSS guides software developers in building secure payment applications that do not store sensitive authentication data such as CVV2, full magnetic stripe data, or PIN data after authorisation. Assessments may be performed only by Payment Application Qualified Security Assessors (PA-QSAs) employed by PA-QSA companies qualified by the PCI SSC. The assessors must follow the testing procedures listed in the Payment Application Data Security Standard document when conducting assessments.
4. How long is a PA-DSS validation valid?
PA-DSS uses the term validation rather than certification. A validated application is listed on the PCI SSC website until the expiry date attached to the PA-DSS version it was assessed against, and the vendor must revalidate annually by attesting that the application has not changed in a way that affects compliance; changes to the application trigger a change assessment whose depth depends on their impact. Annual questionnaires and quarterly vulnerability scans are PCI DSS obligations of the merchant or service provider operating the application, not of the application vendor.
5. How can you tell if a payment application is PA-DSS validated?
You can check the PCI SSC website for the list of Validated Payment Applications. Only applications that appear in the list, for the specific version number listed and before the listed expiry date, are PA DSS validated.
6. Where should PA-DSS be applied?
PA-DSS should be applied to all software vendors who develop payment applications that process, store or transmit cardholder data or sensitive authentication data.