March 10, 2009

PA-DSS Certified – So What?

I have written about this before, but this needs to be discussed again.

A lot of applications are becoming PA-DSS certified and yet I continue to see the same issue occur over and over again with the vendors of these applications, just as we saw with the PABP certification.  These vendors all think that because their applications are PA-DSS certified, their customers are automatically PCI compliant.  Wrong!  PA-DSS certification never implies PCI DSS compliance, and vice versa.  PA-DSS certification merely means that the application properly processes, stores and/or transmits cardholder data (CHD) as long as it is properly implemented.

Properly implemented?  How do I know that I have properly implemented my PA-DSS certified application?  As part of the PA-DSS certification process, the vendor must provide a guide for implementing their application so that it retains its certification.  And that’s the first problem.  I’m still seeing a lot of applications that do not have an implementation guide to explain what needs to be done to ensure the PA-DSS certification can be maintained.  I’m not sure how these applications got their certification without this necessary requirement, but that’s for another discussion.  So, what’s the big deal?  The big deal is that without this information, it’s impossible to know whether the application has been properly implemented to secure CHD.  And without that knowledge, a QSA will have to fully assess the application to ensure that it meets the PCI DSS requirements, thus making the PA-DSS certification pointless.

Speaking of pointless, there are some applications that are certified and there is no way to implement them without customizing them.  Since the certified application is essentially just a framework, only the framework is certified.  Thus, there is no way that the certification can be maintained because there is no way to implement the application without significant modifications.  I cannot tell you the grief I encounter when I have to review such a solution top to bottom since it no longer resembles the application that was certified.

Then there is the vendor’s response when you have to go back to them with questions because the implementation guide does not exist.  It’s as though you slapped them in the face.  They are indignant and sometimes very rude regarding the fact that you have questions.  Why?  Because they think that, since the application is certified, that’s all that’s needed, and you are way out of line for having questions.

So, vendors, chill.

UPDATE: We were told at our 2009 re-certification training that framework applications will no longer be allowed to be PA-DSS certified because they are only frameworks.


3 Responses to “PA-DSS Certified – So What?”


  1. tapas
    May 17, 2012 at 1:35 AM

    Is it required to go for PA-DSS certification every year for the same application and version?

    We know that PCI-DSS certification is yearly, so we wanted to know the frequency of PA-DSS certification.

    • May 17, 2012 at 7:27 AM

      Application versions are PA-DSS certified once for a particular version. If the payment card processing portion of the application changes, then it is required to be re-certified under the PA-DSS.

  2. June 23, 2009 at 5:57 PM

    Fantastic article with some great points. We are in the process of our PA-DSS and documentation is key. Appreciate someone telling it like it is.

