Versos ... Providing what matters
 


Payment Card Industry Data Security Standard (PCI DSS) Services

 

Payment Application (PA) DSS Compliance

Versos provides the required services based on the Payment Application Data Security Standard (PA DSS), a proven method, previous experience and a unique set of skills to ensure that our clients receive the most comprehensive and cost-effective outcome. The following details our PA DSS methodology, which has been developed in partnership with ControlCase:

Scoping

This step plays a key role in scoping and planning the engagement. First, it defines the business goals that the application is to fulfil, along with the application architecture. Second, it defines the software components, such as the programming language, operating platform, database software, lines of code and other relevant information. The key objective of this step is to determine the application evaluation scheme (e.g. a single platform and database, or a combination of multiple platforms and databases).


Assessment

To uncover any gaps in relation to each PA DSS requirement, we examine the information security controls of the application configuration and deployment environment. The assessment includes a review of the technology software components, an architectural review, a review of the supporting technical documentation, and technical evaluations.

Architectural Review

We review the application design structure against the various security control mechanisms, including:
  • Payment data flow throughout the application
  • Sensitive data protection in storage and in transit

Vulnerability Scanning & Penetration Testing

We conduct tests using automated tools and manual checks to identify vulnerabilities in the networks, hosts and application.

Configuration Review

We check the configuration parameters of critical processes on systems, network devices and the application.

Application Review

We examine the application's current information security controls and uncover any gaps. The review includes:
  • Payment security controls: the objective of this review is to assess the controls over the payment transactions processed within and through the application. This includes confidentiality, integrity, accuracy, completeness and availability of data.
  • Application interaction checks: this includes checks between system components such as the web service, back-end data sources and any third-party developed components (e.g. ActiveX DLL libraries)
  • Weak implementation of user credentials
  • Role/privilege bypass
  • Privilege escalation
  • Unauthorized resource access
  • SQL injection
  • Cross-site scripting
  • Session hijacking
  • Browser refresh issues
  • Information leakage through error messages
  • Insecure storage of credentials
  • Vulnerabilities related to caching
  • Parameter manipulation checks
  • Broken access control checks
  • Data encoding/encryption checks

Code Review

To ensure that the application is developed in a secure way, we examine the code using automated tools and manual checks. The tests adhere to security checklists and guidelines including OSSTMM and OWASP. The code review includes:
  • Authentication
  • Authorization
  • Data/input validation
  • Cookie management
  • Error handling/information leakage
  • Application logging
  • Cross-Site Request Forgery (CSRF) defense
  • Encryption and key management
  • Secure code environment
  • Session management

Supporting Technical Documentation

We review all supporting technical documentation to ensure that the PA DSS requirements are fulfilled; this includes the application's PA DSS Implementation Guide.

Remediation

Versos experts assist the client throughout the remediation phase in closing the identified gaps. In addition, Versos tracks the PA DSS gaps and provides a monthly status dashboard to the client on remediation progress.

PA DSS Certification

After internal quality procedures have been completed, the client is issued a PA DSS Report on Validation (ROV). Thereafter, the appropriate validation documentation is submitted to the PCI Security Standards Council.

PA DSS Ongoing Compliance & Certification

Versos PCI Compliance Manager, combined with the compliance scanner and managed compliance services, streamlines the process of remaining compliant with PA DSS on a continual basis. After internal quality procedures have been completed, the client is issued the annual PA DSS Report on Validation (ROV) following review by the PCI Security Standards Council.

  • Development team self-service for identifying cardholder data: we provide software tools that development teams can run in self-service mode on a periodic basis to ensure that the key PA DSS requirements around storage of prohibited data (full track data, card verification values and PINs must never be stored, and stored PANs must be protected) are being met. In addition, we provide a methodology for integrating with appropriate tools the client already has.
     
  • Continuous monitoring: using a combination of technology, process and people, we keep track of all PA DSS control points for the application and provide continuous PA DSS posture reports throughout the year. During this time, the client is notified to take action if its posture is falling out of compliance with the latest requirements. Examples of monitoring activities include:
    • Quarterly notification of, and follow-up with, the appropriate personnel to perform PA DSS activities (such as code reviews and application tests after any change to the code). These notifications and follow-ups are a combination of portal-generated and personnel-generated follow-ups;
    • Periodic questionnaires to collect compliance data;
    • Periodic review of evidence throughout the year to identify any non-compliance, with notification to the client for remediation.
       
  • Completion of the required forms annually: each year we complete the PA DSS forms that must be submitted to the PCI Security Standards Council for product versions that have undergone little or no change from a PA DSS security perspective. New product versions with major changes that require a complete validation go through the full PA DSS process.
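As an added illustration of the self-service check for prohibited data described above (example code written for this page, not a Versos or ControlCase tool), the following Python script scans constructed sample log lines for the data PA DSS forbids an application to retain: full primary account numbers, track-2 magnetic stripe data and card verification values. Candidate PANs are confirmed with the Luhn check so that order numbers and timestamps are not reported, and any PAN found is reported masked to the first six and last four digits so the report itself does not become a new store of cardholder data. The log lines, regular expressions and function names are assumptions for the example.

```python
"""Self-service scanner for PA DSS prohibited data in application output.

Flags Luhn-valid primary account numbers (PANs), track-2 data and labelled
card verification values (CVV2/CVC2/CID) in log lines or data dumps, and
reports PANs in masked form (first six / last four digits only).
Sample input below is constructed for this example.
"""
import re

# Constructed log excerpt: one clean line, three lines that leak prohibited
# data, and one line whose 16-digit value fails the Luhn check.
SAMPLE_LOG = """\
2024-03-01T10:15:01Z INFO  order=1234567890123456 amount=12.50 ts=1700000000000
2024-03-01T10:15:02Z DEBUG auth request pan=4111111111111111 cvv2=123 exp=1225
2024-03-01T10:15:03Z DEBUG swipe track2=5555555555554444=2512101
2024-03-01T10:15:04Z INFO  settlement card=3782-822463-10005 status=approved
2024-03-01T10:15:05Z WARN  retry pan=4111111111111112 reason=timeout
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Track-2 layout: PAN '=' YYMM service-code discretionary-data.
TRACK2_RE = re.compile(r"\b\d{13,19}=\d{4}\d{3}\d*")
# Card verification value next to a recognisable label (case-insensitive).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\b\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PA DSS permits to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return unmasked, Luhn-valid PANs found in text, in order of appearance."""
    found = []
    for match in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan(text: str) -> dict:
    """Scan text line by line; return findings keyed by data type.

    'pan' holds (line number, masked PAN) pairs; 'track2' and 'cvv' hold the
    line numbers on which that class of prohibited data appeared.
    """
    findings = {"pan": [], "track2": [], "cvv": []}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            findings["pan"].append((lineno, mask_pan(pan)))
        if TRACK2_RE.search(line):
            findings["track2"].append(lineno)
        if CVV_RE.search(line):
            findings["cvv"].append(lineno)
    return findings


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for lineno, masked in results["pan"]:
        print(f"line {lineno}: PAN {masked}")
    for lineno in results["track2"]:
        print(f"line {lineno}: track-2 data present")
    for lineno in results["cvv"]:
        print(f"line {lineno}: card verification value present")
```

Run against the sample, the scanner reports PANs on lines 2, 3 and 4, track-2 data on line 3 and a CVV on line 2, while the order number and timestamp on line 1 and the mistyped number on line 5 are ignored because they fail the Luhn check. In a real deployment the same functions would be pointed at log directories, database exports and crash dumps, and any hit is a PA DSS finding to remediate rather than something to filter out.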

 

Versos also offers the following PCI Services

PCI DSS Merchant Management Programme
Internal PCI DSS Compliance Programme