PA-DSS Certified – So What?

I have written about this before, but this needs to be discussed again.

A lot of applications are becoming PA-DSS certified and yet I continue to see the same issue occur over and over again with the vendors of these applications, just as we saw with the PABP certification.  These vendors all think that because their applications are PA-DSS certified, their customers are automatically PCI compliant.  Wrong!  PA-DSS certification never implies PCI DSS compliance, and vice versa.  PA-DSS certification merely means that the application properly processes, stores and/or transmits cardholder data (CHD), as long as it is properly implemented.

Properly implemented?  How do I know that I have properly implemented my PA-DSS certified application?  As part of the PA-DSS certification process, the vendor must provide a guide for implementing their application so that it retains its certification.  And that’s the first problem.  I’m still seeing a lot of applications that do not have an implementation guide explaining what needs to be done to ensure the PA-DSS certification can be maintained.  I’m not sure how these applications got their certification without this necessary requirement, but that’s for another discussion.  So, what’s the big deal?  The big deal is that without this information, it’s impossible to know whether the application has been implemented in a way that secures CHD.  And without that knowledge, a QSA will have to fully assess the application to ensure that it meets the PCI DSS requirements, making the PA-DSS certification pointless.

Speaking of pointless, there are some applications that are certified and yet cannot be implemented without customizing them.  Since the certified application is essentially just a framework, only the framework is certified.  Thus, there is no way the certification can be maintained, because there is no way to implement the application without significant modifications.  I cannot tell you the grief I encounter when I have to review such a solution top to bottom, since it no longer resembles the application that was certified.

Then there is the vendor’s response when you have to go back to them with questions because the implementation guide does not exist.  It’s as though you slapped them in the face.  They are indignant and sometimes very rude about the fact that you have questions.  Why?  Because they think that since the application is certified, that’s all that’s needed, and you are way out of line for having questions.

So, vendors, chill.

UPDATE: We were told at our 2009 re-certification training that framework applications will no longer be allowed to be PA-DSS certified because they are only frameworks.


3 Responses to “PA-DSS Certified – So What?”

  1. tapas
    May 17, 2012 at 1:35 AM

    Is it required to go for PA-DSS certification every year for the same application and version?

    We know that PCI-DSS certification is yearly so wanted to know the frequency of PA-DSS certification.

    • May 17, 2012 at 7:27 AM

      Application versions are PA-DSS certified once for a particular version. If the payment card processing portion of the application changes, then it is required to be re-certified under the PA-DSS.

  2. June 23, 2009 at 5:57 PM

    Fantastic article with some great points. We are in the process of our PA-DSS and documentation is key. Appreciate someone telling it like it is.


March 2009