I have written about this before, but this needs to be discussed again.
A lot of applications are becoming PA-DSS certified and yet I continue to see the same issue occur over and over again with the vendors of these applications just like we saw with the PABP certification. These vendors all think that because their applications are PA-DSS certified that their customers are automatically PCI compliant. Wrong! PA-DSS certification never implies PCI DSS compliance and visa versa. PA-DSS certification merely means that the application properly processes, stores and/or transmits cardholder data (CHD) as long as it is properly implemented.
Properly implemented? How do I know that I have properly implemented my PA-DSS certified application? As part of the PA-DSS certification process, the vendor must provide a guide for implementing their application so that it retains it’s certification. And that’s the first problem. I’m still seeing a lot of applications that do not have an implementation guide to explain what needs to be done to ensure the PA-DSS certification can be maintained. I’m not sure how these applications got their certification without this necessary requirement, but that’s for another discussion. So, what’s the big deal? The big deal is that without this information, it’s impossible to know if the application has been properly implemented to secure CHD. And without that knowledge, a QSA will have to fully assess the application to ensure that it meets the PCI DSS requirements, thus making the PA-DSS certification pointless.
Speaking of pointless, there are some applications that are certified and there is no way to implement them without customizing them. Since the certified application is essentially just a framework, only the framework is certified. Thus, there is no way that the certification can be maintained because there is no way to implement the application without significant modifications. I cannot tell you the grief I encounter when I have to review such a solution top to bottom since it no longer resembles the application that was certified.
Then there is the vendor’s response when you have to go back to them with questions because the implementation guide does not exist. It’s as though you slapped them in the face. They are indignant and sometimes very rude regarding the fact that you have questions. Why? Because, they think that because the application is certified, that’s all that’s needed and you are way out of line for having questions.
So, vendors, chill.
UPDATE: We were told at our 2009 re-certification training that framework applications will no longer be allowed to be PA-DSS certified because they are only frameworks.
PCI Guru 