Developing Security

As a developer, it is imperative to understand the path to compliance with the Payment Application Data Security Standard (PA-DSS).

The problem for most developers is the burden of both time and money, making it prohibitive for them to offer a truly secure electronic payment acceptance application without the help of a third party that specializes in secure payment applications.

Paygistix is a secure solution offered by Payment Logistics that is designed to allow you, the developer, to focus on your software functionality by removing all of the burden that the PCI SSC has mandated, while also allowing you to offer flexibility and options to your end-user clients.

We invite you to use these pages to become informed of the industry regulations that control your ability to market your product, and to become aware of a solution that meets your needs today and has the power to propel your product into tomorrow.

What's the Relationship between PCI DSS and PA-DSS?

Scope of Assessment for Compliance with PCI DSS

The PCI DSS security requirements apply to all system components. In the context of PCI DSS, system components are defined as any network component, server or application that is included or connected to the cardholder data environment. System components also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.

The cardholder data environment is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data.

Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances and other security appliances. Server types include, but are not limited to, web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS).

Developers help their merchants achieve PCI DSS compliance by ensuring the PA-DSS compliance of their software. Paygistix helps developers comply by providing solutions to take their application out of the scope of PA-DSS.

Learn More about PA DSS

Relationship between PCI DSS and PA-DSS

Use of a PA-DSS compliant application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment according to the PA-DSS Implementation Guide provided by the payment application vendor (per PA-DSS Requirement 13.1).

The requirements for the Payment Application Data Security Standard (PA-DSS) are derived from the PCI DSS Requirements and Security Assessment Procedures. The PA-DSS details what a payment application must support to facilitate a customer’s PCI DSS compliance.

Secure payment applications, when implemented in a PCI DSS compliant environment, will minimize the potential for security breaches leading to compromises of full magnetic stripe data, card verification codes and values (CAV2, CID, CVC2, CVV2), and PINs and PIN blocks, along with the damaging fraud resulting from these breaches.


Learn More about PCI DSS

Learn More about PA-DSS

Scope of PA DSS

The Payment Application Data Security Standard ("PA-DSS") applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties.

PA-DSS applies to payment applications that are typically sold and installed “off the shelf” without much customization by software vendors or resellers.

PA-DSS applies to payment applications provided in modules, which typically includes a “baseline” module and other modules specific to customer types or functions, or customized per customer request. PA-DSS may only apply to the baseline module if that module is the only one performing payment functions (once confirmed by a PA QSA). If other modules also perform payment functions, PA-DSS applies to those modules as well. Note that it is considered “best practice” for software vendors to isolate payment functions into a single or small number of baseline modules, reserving other modules for non-payment functions. This best practice, though not a requirement, can limit the number of modules subject to PA-DSS and therefore reduce the scope of the PA-DSS assessment.

Steps to Compliance

Get Started: Access the Developers Portal

Our Open APIs are available on demand, and our team of world-class support personnel is close by to help you integrate next-generation payments into your business application.

Open APIs and Sample Code

PCI Compliance Made Easy

Integration of Paygistix with your software helps your merchant end-users to meet their PCI DSS compliance requirements more easily.

View Paygistix Gateway Products