PCI PA-DSS

Expert guidance for payment application validation.

As a payment application vendor, your product offerings and development procedures affect the compliance and real-world security of your entire customer base. Like it or not, your customers’ compliance and security can affect your bottom line.

In order to help manage this risk, the Payment Card Industry Security Standards Council (PCI SSC) developed the Payment Application Data Security Standard (PA-DSS).

Who Needs It

Any payment application developer who sells a non-customized application to multiple customers needs to have that application validated against the PA-DSS. Traditional PCI Data Security Standard (PCI DSS) compliance may not apply directly to payment application vendors since most vendors do not directly store, process or transmit cardholder data.

Since these payment applications are used by customers to store, process and transmit cardholder data, and customers are required to be compliant with the PCI DSS, payment applications should facilitate, and not prevent, customers’ PCI DSS compliance.

Common ways payment applications prevent compliance include:

  1. Storage of magnetic stripe data or equivalent data on the chip in the customer’s network after authorization;
  2. Requiring customers to disable security features required by the PCI DSS, like anti-virus software or firewalls, in order to get the payment application to work properly; and
  3. Use of unsecured methods to connect to the application, for example for vendors and integrators to provide support to the customer.

Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of full magnetic stripe data, card verification codes and values (CAV2, CID, CVC2, CVV2), PINs and PIN blocks along with the damaging fraud resulting from these breaches.

What We Do

Partnering with Sikich, a leading Payment Application Qualified Security Assessor (PA-QSA) firm in the ever-changing PA-DSS market, allows you to leverage an experienced team with a vast knowledge base that will help you implement the practices of the PA-DSS in your real-world environment and become compliant with the standard.

Whether you have two customers or two million, a single developer or an international team, Sikich has the tools and experience to help you secure and validate your application so you and your customers can sell more and worry less.

Our assessment team evaluates your design and development practices in the creation and maintenance of your application. Our PA-DSS assessment process begins with a discovery phase that produces a detailed gap analysis report, benchmarking your application and practices against the PA-DSS requirements. As you work toward remediation of these gaps, our team guides your efforts along the way.

After you have remedied all gaps, Sikich performs an audit to validate that all requirements are in place. Provided your policies and procedures, development practices and application meet all of the requirements, we will author and submit a detailed Report on Validation (ROV) along with a summarized Attestation of Validation (AOV) to the PCI Security Standards Council (PCI SSC) on your behalf.

Secure and validate your application with expert help.

All it takes is your name and phone number or email address to learn more about our services and expertise. If you’d like, you’ll also be able to send additional details after you submit your information here.