PCI PA-DSS Requirements For hardware vendors


UL is a world leader in advancing safety. Through its transaction security unit (UL Transaction Security), UL is the world's leading provider of PCI security services. We pride ourselves on our leadership in this and other fields. We are accredited to supply services for all the PCI programs, as well as programs outside the PCI umbrella.

This PCI PA-DSS primer has been created with two purposes in mind:

i. to assist hardware vendors in understanding the PA-DSS ecosystem, and

ii. to identify how UL can help hardware vendors become more vertically integrated into the security certification market via PCI PA-DSS and so achieve greater sales.

UL is a source of expertise when it comes to the PCI program. You can utilize our experts to understand more about PCI PTS SRED and PCI P2PE, and, for devices focused on the mPOS market, the Visa Ready Partner Program for mPOS and the MasterCard Mobile POS Program.

What is PCI all about?

All PCI programs are concerned with the protection of cardholder data. The diagram below identifies data that must be protected. The PCI Security Standards Council runs a number of programs on behalf of the PCI card brands. These programs focus on different elements of the ecosystem and are constantly being reviewed and enhanced to match the security threat environment.

PCI security services

UL's streamlined PCI PA-DSS certification services get your product to market faster.


How does PA-DSS help a merchant with PCI DSS compliance?

The cost and effort of PCI compliance is top of mind for most large merchants. Recent fraud events and U.S. interest in EMV mean merchants are more interested in PCI PTS devices than ever before. Clear-text cardholder data on POS systems is difficult to secure. In the same way that PCI PTS gives merchants comfort that their device will protect PIN data, PA-DSS confirms the hardware vendor has gone to the additional effort to protect all cardholder data. This reduces the effort and cost for a merchant's QSA while performing a PCI DSS assessment.

Isn't SRED enough?

Many hardware vendors focus only on SRED and do not understand the added value of PA-DSS. Devices with PCI PTS SRED only provide support for encrypting cardholder data before it leaves the secure area of the device. PA-DSS, however, does not focus only on software functionality; it covers a number of other areas which are not assessed during a PCI PTS SRED evaluation:

• The hardware vendor provides an implementation guide with detailed guidance on how to configure and deploy their devices in a merchant environment in a PCI DSS compliant state.

• The device does not support any feature that would store, transmit or process cardholder data in a manner that is non-compliant with PCI DSS. SRED does not guarantee that the device supports no insecure feature.

• Logical management of the device is supported in a secure manner with audit trails.

• Troubleshooting requests received by the hardware vendor are handled in a PCI DSS compliant manner.

• The hardware vendor follows a documented software development process to ensure the code running on the device has gone through proper security review and testing.

• The hardware vendor follows a documented vulnerability and patch management process that ensures the code on the device is kept up to date with security patches.

QSAs and merchants already understand the extra value provided by PA-DSS. Security is further enhanced when PA-DSS is combined with encrypted cardholder data.

Benefits and challenges for hardware vendors

The challenge faced by hardware vendors is that it is typically a third party that creates the payment applications running on the PCI PTS device. There are two alternative solutions to this:

i. The hardware vendor also creates the payment application; or

ii. The hardware vendor assists third-party payment application vendors in understanding how the PCI PTS device's security properties can be used to achieve PA-DSS.

UL Transaction Security offers services and training to assist hardware vendors and payment application vendors to work together to achieve PA-DSS compliance in the shortest time possible.


Category                         Program    Focus
Operational Audit                PCI DSS    Secure cardholder data and security governance
                                 PCI PIN    PIN encryption and cryptographic governance
Product Approval                 PCI PTS    Secure payment hardware
                                 PA-DSS     Payment application software
Product/Solution Implementation  PCI P2PE   Point-to-point encryption solutions as defined by PCI SSC

This table classifies the PCI programs and provides a short description of each program's focus and assessment process.


The Fine Print – PCI Rules

What PCI DSS v3 says about PA-DSS

Relationship between PCI DSS and PA-DSS

Applicability of PCI DSS to PA-DSS Applications

Use of a Payment Application Data Security Standard (PA-DSS) compliant application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide provided by the payment application vendor.

All applications that store, process, or transmit cardholder data are in scope for an entity's PCI DSS assessment, including applications that have been validated to PA-DSS. The PCI DSS assessment should verify the PA-DSS validated payment application is properly configured and securely implemented per PCI DSS requirements. If the payment application has undergone any customization, a more in-depth review will be required during the PCI DSS assessment, as the application may no longer be representative of the version that was validated to PA-DSS.

The PA-DSS requirements are derived from the PCI DSS Requirements and Security Assessment Procedures (defined in this document). The PA-DSS details the requirements a payment application must meet in order to facilitate a customer's PCI DSS compliance. Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of PAN, full track data, card verification codes and values (CAV2, CID, CVC2, CVV2), and PINs and PIN blocks, along with the damaging fraud resulting from these breaches.

To determine whether PA-DSS applies to a given payment application, please refer to the PA-DSS Program Guide, which can be found at www.pcisecuritystandards.org.

Applicability of PCI DSS to Payment Application Vendors

PCI DSS may apply to payment application vendors if the vendor stores, processes, or transmits cardholder data, or has access to their customers' cardholder data (for example, in the role of a service provider).

What PA-DSS v3 says about Hardware Terminals

PA-DSS Applicability to Payment Applications on Hardware Terminals

This section provides guidance for vendors who wish to gain PA-DSS validation for resident payment applications on hardware terminals (also known as standalone or dedicated payment terminals). There are two ways for a resident payment application on a hardware terminal to achieve PA-DSS validation:


1. The resident payment application directly meets all PA-DSS requirements and is validated according to standard PA-DSS procedures.

2. The resident payment application does not meet all PA-DSS requirements, but the hardware that the application is resident on is listed on the PCI SSC's Approved PIN Transaction Security (PTS) Devices List as a current PCI PTS approved Point of Interaction (POI) device. In this scenario, it may be possible for the application to satisfy PA-DSS requirements through a combination of the PA-DSS and PTS validated controls.

The remainder of this section applies only to payment applications that are resident on a validated PCI PTS approved POI device.

If one or more PA-DSS requirements cannot be met by the payment application directly, they may be satisfied indirectly by controls tested as part of the PCI PTS validation.

For a hardware device to be considered for inclusion in a PA-DSS review, the hardware device MUST be validated as a PCI PTS approved POI device and be listed on the PCI SSC's Approved PTS Devices List. The PTS validated POI device, which provides a trusted computing environment, will become a "required dependency" for the payment application, and the combination of application and hardware will be listed together on the PA-DSS List of Validated Payment Applications.

When conducting the PA-DSS assessment, the PA-QSA must fully test the payment application with its dependent hardware against all PA-DSS requirements. If the PA-QSA determines that one or more PA-DSS requirements cannot be met by the resident payment application, but they are met by controls validated under PCI PTS, the PA-QSA must:

1. Clearly document which requirements are met as stated per PA-DSS (as usual);

2. Clearly document which requirement was met via PCI PTS in the "In Place" box for that requirement;

3. Include a thorough explanation as to why the payment application could not meet the PA-DSS requirement;

4. Document the procedures that were conducted to determine how that requirement was fully met through a PCI PTS validated control;

5. List the PCI PTS validated hardware terminal as a required dependency in the Executive Summary of the Report on Validation.

Once the PA-QSA's validation of the payment application is complete and is subsequently accepted by the PCI SSC, the PTS validated hardware device will be listed as a dependency for the payment application on the PA-DSS List of Validated Applications.

Resident payment applications on hardware terminals that are validated through a combination of PA-DSS and PCI PTS controls must meet the following criteria:

1. Be provided together to the customer (both hardware terminal and application), OR, if provided separately, the application vendor and/or the integrator/reseller must package the application for distribution such that it will operate only on the hardware terminal it has been validated to run on.

2. Enabled by default to support a customer's PCI DSS compliance.

3. Include ongoing support and updates to maintain PCI DSS compliance.

4. If the application is separately sold, distributed, or licensed to customers, the vendor must provide details of the dependent hardware required for use with the application, in accordance with its PA-DSS validation listing.

Want to know more? UL's PCI and security experts are happy to assist.

Please visit our website for locations and contact details or email [email protected].