A payment application software vendor must have its payment application undergo PA-DSS validation. The result is a Report on Validation (RoV) that assesses the payment application against the PA-DSS control requirements, itemized below:
Do not retain full magnetic stripe, card validation code or value
Protect stored cardholder data
Provide secure authentication features
Log payment application activity
Develop secure payment applications
Protect wireless transmissions
Test payment applications to address vulnerabilities
Facilitate secure network implementation
Cardholder data must never be stored on a server connected to the Internet
Facilitate secure remote access to payment application
Encrypt sensitive traffic over public networks
Encrypt all non-console administrative access
Maintain instructional documentation and training programs for customers, resellers, and integrators
A key component of PA-DSS validation, and one that is often overlooked, is the PA-DSS Implementation Guide. It must be completed prior to the review. Dara Security can assist in developing the Implementation Guide required for PA-DSS validation to ensure it contains all the needed details.
Dara Security's consultants are experts in understanding both the technical aspects as well as the business aspects of payment applications. As a QSA and PA-QSA certified company, Dara Security understands the full payment lifecycle from the application level to implementation within a merchant's cardholder data environment.