PCI PA-DSS Requirements for hardware vendors
UL is a world leader in advancing safety. Through its transaction security unit (UL Transaction Security), UL is the world's leading provider of PCI security services. We pride ourselves on our leadership in this and other fields. We are accredited to supply services for all the PCI programs and for programs outside the PCI umbrella.
This PCI PA-DSS primer has been created with two purposes in mind:
i. to help hardware vendors understand the PA-DSS ecosystem, and
ii. to identify how UL can help hardware vendors become more vertically integrated into the security certification market via PCI PA-DSS and so achieve greater sales.
UL is a source of expertise when it comes to the PCI program. You can call on our experts to learn more about PCI PTS SRED, PCI P2PE and, for devices focused on the mPOS market, the Visa Ready Partner Program for mPOS and the MasterCard Mobile POS Program.
What is PCI all about?
All PCI programs are concerned with the protection of cardholder data. The diagram below identifies data that must be protected. The PCI Security Standards Council runs a number of programs on behalf of the PCI card brands. These programs focus on different elements of the ecosystem and are constantly being reviewed and enhanced to match the security threat environment.
PCI security services
UL's streamlined PCI PA-DSS certification services get your product to market faster.
How does PA-DSS help a merchant with PCI DSS compliance?
The cost and effort of PCI compliance is top of mind for most large merchants. Recent fraud events and U.S. interest in EMV mean merchants are more interested in PCI PTS devices than ever before. Clear-text cardholder data on POS systems is difficult to secure. In the same way that PCI PTS gives merchants comfort that their device will protect PIN data, PA-DSS confirms that the hardware vendor has gone to the additional effort of protecting all cardholder data. This reduces the effort and cost for a merchant's QSA when performing a PCI DSS assessment.
Isn't SRED enough?
Many hardware vendors focus only on SRED and do not understand the added value of PA-DSS.
Devices with PCI PTS SRED only provide support for encrypting cardholder data before it leaves the secure area of the device. PA-DSS, however, does not focus only on software functionality; it covers a number of other areas that are not assessed during a PCI PTS SRED evaluation:
• The hardware vendor provides an implementation guide that includes detailed guidance on how to configure and deploy their devices in a merchant environment in a PCI DSS compliant state.
• The device does not support any feature that would store, transmit or process cardholder data in a manner that is non-compliant with PCI DSS. SRED does not guarantee that the device supports no insecure feature.
• Logical management of the device is supported in a secure manner, with audit trails.
• Troubleshooting requests received by the hardware vendor are handled in a PCI DSS compliant manner.
• The hardware vendor follows a documented software development process to ensure that the code running on the device has gone through proper security review and testing.
• The hardware vendor follows a documented vulnerability and patch management process that ensures the code on the device is kept up to date with security patches.
QSAs and merchants already understand the extra value provided by PA-DSS. Security is further enhanced when PA-DSS is combined with encrypted cardholder data.
Benefits and challenges for hardware vendors
The challenge faced by hardware vendors is that it is typically a third party that creates the payment application running on the PCI PTS device. There are two alternative solutions to this:
i. The hardware vendor also creates the payment application; or
ii. The hardware vendor assists third party payment application vendors in understanding how the PCI PTS device's security properties can be used to achieve PA-DSS.
UL Transaction Security offers services and training to help hardware vendors and payment application vendors work together to achieve PA-DSS compliance in the shortest time possible.
Operational Audit
  PCI DSS – Secure cardholder data and security governance
  PCI PIN – PIN encryption and cryptographic governance
Product Approval
  PCI PTS – Secure Payment Hardware
  PA-DSS – Payment Application Software
Product/Solution Implementation
  PCI P2PE – Point to point encryption solutions as defined by PCI SSC
This table classifies the PCI programs and provides a short description of each program's focus and assessment process.
The Fine Print – PCI Rules
What PCI DSS v3 says about PA-DSS
Relationship between PCI DSS and PA-DSS
Applicability of PCI DSS to PA-DSS Applications
Use of a Payment Application Data Security Standard (PA-DSS) compliant application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide provided by the payment application vendor.
All applications that store, process, or transmit cardholder data are in scope for an entity's PCI DSS assessment, including applications that have been validated to PA-DSS. The PCI DSS assessment should verify the PA-DSS validated payment application is properly configured and securely implemented per PCI DSS requirements. If the payment application has undergone any customization, a more in-depth review will be required during the PCI DSS assessment, as the application may no longer be representative of the version that was validated to PA-DSS.
The PA-DSS requirements are derived from the PCI DSS Requirements and Security Assessment Procedures (defined in this document). The PA-DSS details the requirements a payment application must meet in order to facilitate a customer's PCI DSS compliance. Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of PAN, full track data, card verification codes and values (CAV2, CID, CVC2, CVV2), and PINs and PIN blocks, along with the damaging fraud resulting from these breaches.
To determine whether PA-DSS applies to a given payment application, please refer to the PA-DSS Program Guide, which can be found at www.pcisecuritystandards.org.
Applicability of PCI DSS to Payment Application Vendors
PCI DSS may apply to payment application vendors if the vendor stores, processes, or transmits cardholder data, or has access to their customers' cardholder data (for example, in the role of a service provider).
What PA-DSS v3 says about Hardware Terminals
PA-DSS Applicability to Payment Applications on Hardware Terminals
This section provides guidance for vendors who wish to gain PA-DSS validation for resident payment applications on hardware terminals (also known as standalone or dedicated payment terminals). There are two ways for a resident payment application on a hardware terminal to achieve PA-DSS validation:
1. The resident payment application directly meets all PA-DSS requirements and is validated according to standard PA-DSS procedures.
2. The resident payment application does not meet all PA-DSS requirements, but the hardware that the application is resident on is listed on the PCI SSC's Approved PIN Transaction Security (PTS) Devices List as a current PCI PTS approved Point of Interaction (POI) device. In this scenario, it may be possible for the application to satisfy PA-DSS requirements through a combination of the PA-DSS and PTS validated controls.
The remainder of this section applies only to payment applications that are resident on a validated PCI PTS approved POI device.
If one or more PA-DSS requirements cannot be met by the payment application directly, they may be satisfied indirectly by controls tested as part of the PCI PTS validation.
For a hardware device to be considered for inclusion in a PA-DSS review, the hardware device MUST be validated as a PCI PTS approved POI device and be listed on the PCI SSC's Approved PTS Devices List. The PTS validated POI device, which provides a trusted computing environment, will become a "required dependency" for the payment application, and the combination of application and hardware will be listed together on the PA-DSS List of Validated Payment Applications.
When conducting the PA-DSS assessment, the PA-QSA must fully test the payment application with its dependent hardware against all PA-DSS requirements. If the PA-QSA determines that one or more PA-DSS requirements cannot be met by the resident payment application, but they are met by controls validated under PCI PTS, the PA-QSA must:
1. Clearly document which requirements are met as stated per PA-DSS (as usual);
2. Clearly document which requirement was met via PCI PTS in the "In Place" box for that requirement;
3. Include a thorough explanation as to why the payment application could not meet the PA-DSS requirement;
4. Document the procedures that were conducted to determine how that requirement was fully met through a PCI PTS validated control;
5. List the PCI PTS validated hardware terminal as a required dependency in the Executive Summary of the Report on Validation.
Once the PA-QSA's validation of the payment application is complete and is subsequently accepted by the PCI SSC, the PTS validated hardware device will be listed as a dependency for the payment application on the PA-DSS List of Validated Applications.
Resident payment applications on hardware terminals that are validated through a combination of PA-DSS and PCI PTS controls must meet the following criteria:
1. Be provided together to the customer (both hardware terminal and application), OR, if provided separately, the application vendor and/or the integrator/reseller must package the application for distribution such that it will operate only on the hardware terminal it has been validated to run on.
2. Enabled by default to support a customer's PCI DSS compliance.
3. Include ongoing support and updates to maintain PCI DSS compliance.
4. If the application is separately sold, distributed, or licensed to customers, the vendor must provide details of the dependent hardware required for use with the application, in accordance with its PA-DSS validation listing.
Want to know more?
UL's PCI and security experts are happy to assist. Please visit our website for locations and contact details or email [email protected].