We Don’t Talk about *Bruno* the PA-DSS

By: Nathan Sweaney, Security Advisor for the RSPA 

The PCI juggernaut can be overwhelming, and even experts in the field get overwhelmed with acronyms, regulations, and similar-but-slightly-different documents. At a high level though, there are several primary focuses that everything else falls under. One of these that is often overlooked is the PCI Payment Application Data Security Standard (PA-DSS). At the RSPA Inspire 2022 conference, a conversation sprang up around the PA-DSS and how it applies to the RSPA community.   

In short, the PA-DSS is focused on validating secure payment applications.  It was designed to complement the PCI DSS (Data Security Standard) that focuses on securing merchant environments. The card brands require that all merchants comply with the PCI-DSS and use payment applications that comply with the PA-DSS. PIN entry devices, or PIN pads, are governed by additional standards like the PCI PIN Transaction Security (PCI PTS) and point-to-point encryption (P2PE). 

Ultimately, the goals of these various standards are to enforce security controls on the manufacturers of those systems. If you develop a payment application or a PIN device, you need to be very familiar with these requirements. But merchants can simply purchase compliant solutions and not worry about determining how secure they are.   

History and Future
The PA-DSS initially began as VISA’s Payment Application Best Practices (PABP) that included a list of validated applications. In 2008, it was expanded and adopted by the PCI Security Standards Council, with enforcement shared by all the card brands. Subsequent versions have clarified the scope of the standard and increased the requirements. The most recent version, PA-DSS 3.2, was released in 2016 and is set to expire in October 2022. 

The Software Security Framework (SSF) is a new standard that is replacing the PA-DSS. It was released in 2019, and currently all payment applications seeking certification must be assessed against the SSF rather than the PA-DSS. The goal of the SSF is to cover a wider range of security concerns and to serve as a framework for a broader scope of applications. It is currently the most comprehensive standard focused on application security, and I believe that we will begin to see its adoption outside of the retail solutions industry.  

Most merchants generally don’t care about all the various security standards and requirements. They just want to install a secure solution so they can operate their business. Resellers and integrators, serving as their trusted advisors, must stay aware of the relevant standards and understand how they apply to the products they sell. In most cases, this just means verifying that the products are listed on the PCI website as a validated payment application. Product vendors should be able to provide assistance with confirming those details.   

It is worth noting that the certification process for applications is specific to product version numbers and that those certifications expire. It is critical that resellers ensure they are installing currently certified solutions.  

Applications that were certified against the PA-DSS are still valid until the certification expires. Those can be found here: https://www.pcisecuritystandards.org/assessors_and_solutions/payment_applications  

Applications that have been certified against the new SSF can be found here: https://www.pcisecuritystandards.org/assessors_and_solutions/payment_software 

As always, please reach out to me if you have questions or concerns about validated payment applications or any other security-related issues.