The Payment Application Data Security Standard (PA-DSS) is the global security standard created by the Payment Card Industry Security Standards Council (PCI SSC). It ensures that software vendors who develop payment applications adhere to a very strict set of rules governing the safe storage and transmission of credit card data. Before our software could pass the standard and be listed on the approved list of software on the PCI Security Standards Council's website, we were required to meet an extensive list of requirements.

What Does this Mean?

In order to become compliant, our business practices, software development processes and our software code had to be reviewed by a 3rd party that specializes in software security. Once they verified that everything passed their detailed testing, they submitted our application to the PCI Council for approval.

What types of things would they review?

  • Change Control – Our policies and procedures were reviewed to ensure we follow industry best practices when it comes to making changes to the software and ensuring the new change will not negatively affect any existing functionality.
  • Code Review – Our policies and procedures were reviewed to ensure we properly conducted internal code reviews.
  • External Vulnerabilities – Our policies and procedures were reviewed to ensure we have a set schedule for reviewing external vulnerabilities (i.e. vulnerabilities in other software our application depends on, such as Microsoft Windows) and whether they could impact our software (and if they could, how we respond to that).
  • Secure Practices – They review our documentation on secure coding practices and ensure that we not only stay up-to-date with the latest security best practices but that we are also following them.
  • Test Plans – Besides ensuring our development team is following industry best practices, they also ensure our QA and testing teams have documented test plans and are following industry best practices.
  • QA Examples – They also review the QA documents for several software changes to ensure we are properly testing all areas that require testing.
  • Network Diagrams – Because data is not only stored in the database but is also transferred across the local network and out to the internet, network diagrams are reviewed to ensure there aren't any areas where a data breach could occur.
  • Credit Card Data Flow – Besides reviewing our documentation and interviewing members of our development and QA departments, the 3rd party company also does extensive testing to ensure that at no time is the credit card data susceptible to eavesdropping or hacking.
  • Implementation Guide – And finally, once they verify that everything we do at Blue Cow Software is in compliance, they verify that our documentation on the steps you need to follow is also compliant.

So as you can see, the process to become PA-DSS compliant not only verifies that credit card data can be safely stored and processed in our software, but it also verifies that our software and our company policies follow industry standard best practices.

To see if your software company is compliant, visit the PCI Security Standards Council's List of Validated Payment Applications. If they are not listed there, then they are not compliant. But as you can see from the above, being PA-DSS certified, as we are, is about more than just whether you can process credit cards securely. It also means our company has been reviewed by an independent 3rd party to verify that our policies and procedures are what they are supposed to be.

Has your software company had a 3rd party verify that their software and their policies follow industry best practices?