See what changes your payment application vendor should make.  

By: David Page

If you’re a payment application vendor, you’re required to follow the PA-DSS. The PCI Security Standards Council has released version 3.2 of the Payment Application Data Security Standard (PA-DSS).

Application vendors are encouraged to review these changes and incorporate them into their payment applications and implementation guides as soon as possible. Version 3.2 is effective June 1, 2016, and PA-DSS version 3.1 retires on August 31, 2016.

Most of the changes in PA-DSS 3.2 mirror the changes in PCI DSS 3.2.

What is the PA-DSS?

The Payment Application Data Security Standard is the counterpart of the PCI DSS for payment application vendors. Put simply, it’s the data security standard for vendors that sell POS software and other payment applications that store, process or transmit cardholder data.

PA-DSS version 3.2 includes a set of changes that all payment application vendors will be required to make.
Here is a list of the biggest changes to PA-DSS 3.2.

Multi-factor authentication is required

As in PCI DSS 3.2 (Requirement 8.3), PA-DSS 3.2 now requires multi-factor authentication for non-console access to the payment application, whether that access originates inside or outside the business’s network. Put simply, if you reach the application remotely, you now need multi-factor authentication to get in. The wording has also changed from “two-factor” to “multi-factor” authentication; two factors remain the minimum, and they must come from different categories (something you know, something you have, something you are), so a password plus a second password does not qualify.

SEE ALSO: 2 Things You Should Know about PCI 3.2 Multi-Factor Authentication Updates

Changes to the Implementation Guide

Some changes have been made to the requirements for the Implementation Guide. The guide must now instruct customers that any debug logs containing PAN must be protected and securely deleted when no longer needed. The simplest way to meet this is to keep full PAN out of debug logs altogether, or to mask it before the line is written.

The testing procedures have also been updated to require identification of all roles and default accounts in the payment application.

Finally, a new requirement has been added: the guide must include instructions on how to securely install patches and updates.

Other changes

Two further changes:
  • Training for developers must be up to date and occur at least annually
  • A legitimate business need is required to display the full PAN; otherwise it must be masked
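Both the debug-log requirement above and the full-PAN-display change come down to the same control: a full PAN should never reach a log line or a screen unless there is a documented need for it. The following is an added example, not code from the original article or from any PA-DSS implementation guide. It shows a Python logging filter that finds PAN-shaped digit runs, confirms them with the Luhn check so that order numbers and timestamps are left alone, and masks them to the first six and last four digits (the PCI DSS masking rule) before any handler writes the line. The regex, the logger name and the sample log lines are constructed for the example.

```python
import io
import logging
import re

# Constructed heuristic: 13 to 19 digits, optionally separated by spaces or dashes.
# The \b anchors stop it matching inside longer digit runs such as hashes.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to its first six and last four digits, the PCI DSS display rule."""
    digits = re.sub(r"[ -]", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN-shaped sequence in text with its masked form."""
    def _sub(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return raw  # digit run that fails Luhn (timestamp, order id): leave it alone
    return _PAN_CANDIDATE.sub(_sub, text)


class PanRedactingFilter(logging.Filter):
    """Logging filter that rewrites the record so no handler ever sees a full PAN."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render %-style args first, then replace msg with the redacted text and
        # clear args so the handler's formatter does not re-apply them.
        record.msg = redact_pans(record.getMessage())
        record.args = ()
        return True


def demo_logger_output(message: str) -> str:
    """Log one message through a logger with the filter installed and return what was written."""
    stream = io.StringIO()
    logger = logging.getLogger("pa-dss-demo")  # constructed logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.addFilter(PanRedactingFilter())
    logger.addHandler(handler)
    logger.debug(message)
    handler.flush()
    return stream.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample lines: a Visa test number and a non-PAN 14-digit transaction id.
    for line in (
        "auth ok pan=4111111111111111 txn=20160601123457",
        "amex 3782 822463 10005 declined",
    ):
        print(demo_logger_output(line))
```

Installing the filter on the handler (rather than the logger) means it also covers records that propagate in from child loggers, which is where stray debug statements in third-party modules tend to surface. It does not help with PAN that a developer concatenates into a file path or an exception message; keeping PAN out of those code paths remains a code-review item.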

Whether you’re a payment application vendor or you work with one, make sure you and your third-party vendors are up to date with PA-DSS 3.2.

If you don’t, you could be held liable should a data breach hit you or one of the businesses you work with.

Need a PA DSS audit? Talk to us!

David Page is a Qualified Security Assessor and has been working at SecurityMetrics for 2 and a half years. He has over 18 years experience in network and system engineering, design, and security.
