The updated 3.2 Payment Application Data Security Standard (PA-DSS) is scheduled to be released tomorrow, June 1st, 2016 by the PCI Council. In this article we examine what the main impacts of the update are.
The new version of PA-DSS comes into effect from 1st June 2016 and version 3.1 is retired on 31st August 2016. To help with the transition the PCI Council will be publishing a Frequently Asked Question document that will aid payment application vendors with accommodating the changes included in the new version.
Until this FAQ document is available it is advised that all Payment Application Qualified Security Assessors (PA-QSA) review and familiarise themselves with the updated standard and its support documents, including the Report on Validation (ROV) Template and Attestation of Validation (AOV).
Largely aligned with PCI Data Security Standard v.3.2
As expected the updated PA-DSS v.3.2 is designed to largely align with the updated version 3.2 of the PCI Data Security Standard (PCI DSS). For example PA-DSS Requirement 12.2 supports PCI DSS Requirement 8.3.1 for using multi-factor authentication (MFA) for non-console administrative access to the cardholder data environment.
Essentially from the PA-DSS perspective this means that the vendor can choose to either include instruction about using MFA in the payment application’s Implementation Guide, or provide MFA functionality within the payment application itself.
Additionally, the PCI Council has built on PA-DSS Requirement 3.1: each application’s PA-DSS Implementation Guide must now identify all roles and default accounts within the application that have administrative access.
This is intended to support users who will need to know which application accounts have administrative access, so that they are aware of the accounts they’ll need to implement MFA for by 2018.
The PCI Council has also addressed the ongoing security issue of improper installation and/or setup of payment software. Often it is as simple as the user (or their installer) not changing the default password shipped with the product or not installing security updates.
To address these challenges the PCI Council has updated the PA-DSS Implementation Guide requirements.
The PA-DSS requires procedures for vendor notification and secure delivery of patches and updates to the user, as well as secure installation of those patches and updates to be included in each payment application’s Implementation Guide.
The Implementation Guide must also now include instructions in relation to any debugging logs that include PAN (primary account number) data. If the payment application user ever enables debugging, any logs containing PAN data must be protected, debugging must be disabled as soon as troubleshooting is complete, and lastly the data must be deleted securely when no longer needed.
Debugging logs often contain sensitive information that users of the payment application are not necessarily aware of. This data is sometimes not adequately protected and, as a result, could be exploited during a compromise.
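As an added illustration of the debugging-log requirement above (this is example code written for this article, not code from the PCI Council or from any payment application vendor), the block below shows two defensive controls a vendor can build into a payment application: a logging filter that masks any Luhn-valid 13 to 19 digit number before it reaches a debug log, and a context manager that turns debug logging on only for the duration of a troubleshooting session and restores the previous level afterwards. It also includes a scanner that audits existing log lines for unmasked PANs. The log lines, card numbers and logger name are constructed for the example; the card numbers are the well-known Visa and Mastercard test values, which are Luhn-valid but not real accounts. Secure deletion of the log files once troubleshooting is complete depends on the storage in use and is not shown.

```python
import contextlib
import logging
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits. Luhn validation filters out
# coincidental numbers such as order ids or timestamps.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _masked(digits: str) -> str:
    # Keep only the last four digits; PCI DSS permits at most first six / last four.
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_pan(text: str) -> str:
    """Replace every Luhn-valid PAN in text with a masked form, leaving other digits alone."""
    def _sub(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        return _masked(digits) if luhn_valid(digits) else raw
    return _PAN_CANDIDATE.sub(_sub, text)


class PanRedactingFilter(logging.Filter):
    """Logger-level filter: formats the record, masks PANs, then lets it through.

    Note: exception tracebacks (record.exc_info) are not covered by this filter.
    """
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_pan(record.getMessage())
        record.args = ()
        return True


@contextlib.contextmanager
def temporary_debug(logger: logging.Logger):
    """Enable DEBUG only while troubleshooting; the previous level is restored on exit."""
    previous = logger.level
    logger.setLevel(logging.DEBUG)
    try:
        yield logger
    finally:
        logger.setLevel(previous)


def find_pans(lines):
    """Audit existing log lines; return (line_number, masked_pan) for each Luhn-valid PAN found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((n, _masked(digits)))
    return hits


# Constructed sample of a debug log: line 1 holds a test PAN, line 2 holds a
# 16-digit order id that is not Luhn-valid and must not be flagged.
SAMPLE_DEBUG_LOG = [
    "2016-06-01 10:00:01 DEBUG auth request card=4111 1111 1111 1111 exp=12/19",
    "2016-06-01 10:00:02 DEBUG order_id=1234567890123456 status=approved",
    "2016-06-01 10:00:03 DEBUG settlement batch=20160601 terminal=T01",
]


class _ListHandler(logging.Handler):
    """Collects formatted records in memory so the filter's effect can be inspected."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def demo_logger():
    """Log a debug message through the redacting filter and return what was emitted."""
    logger = logging.getLogger("payment-app-demo")   # hypothetical logger name
    logger.propagate = False
    logger.handlers.clear()
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(PanRedactingFilter())
    logger.setLevel(logging.INFO)
    with temporary_debug(logger):
        logger.debug("charging card %s for order %s", "5555 5555 5555 4444", "1234567890123456")
    logger.debug("this is dropped because DEBUG was switched off again")
    return handler.lines


if __name__ == "__main__":
    print(find_pans(SAMPLE_DEBUG_LOG))
    print(demo_logger())
```

The filter is attached to the logger rather than to a single handler so that every destination (file, syslog, console) receives the masked message; if the application can log exceptions that carry card data in their arguments, the same masking has to be applied to `exc_info` formatting as well.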
The most common vulnerabilities continue to be ones that focus on card data theft with Point-of-Sale (POS) devices. Often these vulnerabilities can be mitigated by ensuring that secure installation and integration of the payment application software has been carried out.
The PCI Council recommends that Qualified Integrators and Resellers (QIR) review the new content to be included in PA-DSS Implementation Guides, so that they are aware of how these requirements impact what they do, and are therefore prepared to support the payment applications that they have implemented for their merchant customers.
The QIRs should also engage the vendors of the payment applications they install to find out about updates to their training materials with these new PA-DSS v3.2 requirements.
Sysnet’s Risk & Assurance service provides a wide range of security solutions, including PCI DSS and PA-DSS certification. We can also assist in designing, implementing and documenting appropriate security controls, procedures and policies, all within a holistic cybersecurity framework that takes into account all applicable standards and regulations.