PA-DSS Compliance Services

There are a number of pre-qualification questions that determine whether an organisation needs to be certified against the PA-DSS.

Nettitude is proud to be one of a handful of companies worldwide that has been certified by the PCI Security Council to deliver PA-DSS functions to companies that write payment applications.

What is PA-DSS?

Organisations that create applications which process payment card data and deliver authorisation or settlement functions may be required to go through PA-DSS (Payment Application Data Security Standard). PA-DSS is a highly specialised subsection of the Payment Card Industry Data Security Standard (PCI DSS) that focuses heavily around the heart of payment card processing.

Who needs to comply with PA-DSS?

One of the most frequently asked questions about PA-DSS eligibility, surrounds in-house developed applications. If an application is written in house, and delivers authorisation and settlement functions, it will not be required to go through PA-DSS. The Payment Application Security Standard is focused on software companies that produce payment applications for commercial purposes. As a consequence, applications that are sold to two or more organisations, may be required to undertake PA-DSS assessment.

The subject matter can be complex, when an application relies on other third party applications or databases. As a consequence, Nettitude recommends that customers contact Nettitude for a free of charge consultation to discuss PA-DSS eligibility, and how compliance can be achieved.

PA-DSS Gap Analysis Services

The recommended approach for organisations embarking on PA-DSS compliance is to have a formal Gap Analysis. During this exercise Nettitude measures an organisation’s payment application against the requirements defined in the PA-DSS.

A Gap Analysis typically involves a Nettitude PA-QSA travelling to an organisation’s offices and conducting a provisional assessment of the application. This exercise identifies all areas where the application is compliant, and areas which are non-compliant. Additionally, Nettitude reviews user guides, implementation guides and all other documents that are required for PA-DSS compliance.

The Gap Analysis is effectively a backwards facing assessment of the application, against what the Payment Card Data Security Standard requires.

Using this data Nettitude will produce the following documents:

  • A high level review of the Payment Application.
  • Identification of all inputs and outputs from the application.
  • A detailed report itemizing areas of compliance and non-compliance.

As part of the Gap Analysis, Nettitude will also provide a forward facing roadmap on how the gaps can be bridged. This document provides strategic guidance on how to enhance the application and process card data in a more secure manner. At the same time, Nettitude will produce a defined project-plan with key milestones that can be realistically achieved.

PA DSS Assessment

PA-DSS assessment relies heavily on penetration testing, code review and forensic techniques so as to unearth the inner most workings of a payment application. Nettitude has one of the strongest pedigrees in the industry within these subject matter areas, and has been operating at the pinnacle of the penetration testing industry for a number of years.

Nettitude’s pragmatic advice and guidance, combined with its strong project management abilities, makes it the partner of choice for many organizations pursuing both PCI DSS and PA DSS compliance.

How Much Will It Cost?

Unfortunately, there is no set formula for PA-DSS assessment. Factors that will determine the length of time for PA-DSS assessment include the complexity of the application, the architecture of the application, and the functions that the application delivers.

PA-DSS requires Nettitude to build a fully functioning lab environment of the payment application, and test all of the possible functions that the application could deliver. This can result in many hundreds of routines, with forensic information being collected at every phase.

In Nettitude’s experience, basic PA-DSS assessments could be conducted in two weeks, with longer assessments running into months. Nettitude provides a free of charge consultation for all organisations embarking on PA-DSS compliance.

Intelligent Cyber Security and Risk Management   0845 5200 085    solutions@nettitude.co.uk