Document Comparison

PA-DSS_Program_Guide_v3.pdf → PA-DSS_Program_Guide_v3_1.pdf
98% similar
57 → 57 Pages
20613 → 20692 Words
19 Content Changes

Content Changes

19 content changes. 53 administrative changes (dates, page numbers) hidden.

Added p. 2
July 2015 3.1 Harmonization with other Program documents and general clarification to align content with the current version of PA-DSS
• updated to reflect updates to respective processes
• Added section and Appendix B for wildcard versioning
• Former Appendix B changed to Appendix C (Identification of Certified Payment Application Builds)
• Updated criteria and process for delta assessments
• Updated section on Payment Application change types
• “Change Documentation” section added to clarify process requirements
• Clarified PA-QSA Company laboratory requirements
• Added Appendix D: PA-QSA Change Impact
• Added requirement for PA-QSA Change Impact document to be included with High Impact change submittals
Modified p. 13
Please Note: PCI SSC does not assess or validate Payment Applications for PA-DSS compliance; assessment and validation is the role of the PA-QSA Company. Listing of a Payment Application on the List of Validated Payment Applications signifies that the applicable PA-QSA Company has determined that the application complies with the PA-DSS, that the PA-QSA Company has submitted a corresponding ROV to PCI SSC, and that the ROV, as submitted to PCI SSC, has satisfied all requirements of the PCI SSC …
Note: PCI SSC does not assess or validate Payment Applications for PA-DSS compliance; assessment and validation is the role of the PA-QSA Company. Listing of a Payment Application on the List of Validated Payment Applications signifies that the applicable PA-QSA Company has determined that the application complies with the PA-DSS, that the PA-QSA Company has submitted a corresponding ROV to PCI SSC, and that the ROV, as submitted to PCI SSC, has satisfied all requirements of the PCI SSC for …
Modified p. 16
1. The Vendor selects a PA-QSA Company from the Council's list of recognized PA-QSA Companies and negotiates the cost and any associated PA-QSA Company confidentiality and non-disclosure agreement with the PA-QSA Company;
1. The Vendor selects a PA-QSA Company from the Council's PA-QSA List and negotiates the cost and any associated PA-QSA Company confidentiality and non-disclosure agreement with the PA-QSA Company;
Modified p. 22
If one or more PA-DSS Requirements cannot be met by the Payment Application directly, they may be satisfied indirectly by controls tested as part of the PCI PTS validation. For a hardware device to be considered for inclusion in a PA-DSS Assessment, the hardware device MUST be validated as a PCI PTS approved POI device and be listed on the PCI SSC's Approved PTS Devices List. The PTS validated POI device, which provides a trusted computing environment, will become a …
If one or more PA-DSS Requirements cannot be met by the Payment Application directly, they may be satisfied indirectly by controls tested as part of the PCI PTS validation. For a hardware device to be considered for inclusion in a PA-DSS Assessment, the hardware device MUST be validated as a PCI PTS approved POI device and be listed on the PCI SSC's Approved PTS Devices List. The PTS validated POI device, which provides a trusted computing environment, will become a …
Modified p. 23
Once the PA-QSA Company's validation of the Payment Application is complete and is subsequently accepted by the PCI SSC, the PTS validated hardware device will be listed as a dependency for the Payment Application on the PA-DSS List of Validated Payment Applications.
Once the PA-QSA Company's validation of the Payment Application is complete and is subsequently accepted by the PCI SSC, the PTS validated hardware device will be listed as a dependency for the Payment Application on the List of Validated Payment Applications.
Modified p. 23
All published PCI SSC information and documents relevant to PA-DSS are available on the Website. All completed Payment Application related materials such as install CDs, manuals, the PA-DSS Implementation Guide, the Vendor Release Agreement and all other materials related to the Assessment and participation in the PA-DSS Program must be delivered to the PA-QSA Company performing the assessment, not to PCI SSC.
All published PCI SSC information and documents relevant to PA-DSS are available on the Website. All completed Payment Application related materials such as install media, manuals, the PA-DSS Implementation Guide, the Vendor Release Agreement and all other materials related to the Assessment and participation in the PA-DSS Program must be delivered to the PA-QSA Company performing the assessment, not to PCI SSC.
Removed p. 26
• Confirming that the testing laboratory uses only test card numbers.
Modified p. 26
• Confirming that the testing laboratory is capable of running authorization and/or settlement functions and that processes include examination of output from all functions.
• Ensuring that production data (live PAN) is not used for testing and development
• Confirming that the testing laboratory is capable of running authorization and/or settlement functions and that processes include examination of output from all functions.
Modified p. 28
PA-DSS Program fees are posted on the Website. Program fees are non-refundable and are subject to change upon posting of revised fees on the Website.
Program fees are non-refundable and are subject to change upon posting of revised fees on the Website.
Modified p. 31
Only those applications that have had the Vendor’s wildcard versioning methodology assessed to PA-DSS v3.0 by a PA-QSA Company are eligible for wildcard usage, and listing on the PCI SSC website with wildcards. Changes falling within the scope of wildcard usage are not required to be advised to PCI SSC; therefore, any such changes will not result in an update to the application listing on the Website. See Appendix B, Payment Application Software Version Methodology for additional information regarding the …
Only those applications that have had the Vendor’s wildcard versioning methodology assessed to PA-DSS v3 by a PA-QSA Company are eligible for wildcard usage, and listing on the Website with wildcards. Changes falling within the scope of wildcard usage are not required to be advised to PCI SSC; therefore, any such changes will not result in an update to the application listing on the Website. See Appendix B, Payment Application Software Version Methodology for additional information regarding the use of …
Modified p. 31
• Include details about how, for all PA-DSS Requirements not included in the delta assessment, the PA-QSA verified that those Requirements were not affected by the change;
• Include Payment Application functionality testing; and
• Be completed using the same version of the PA-DSS as used for the full validation; for example, a listed Payment Application originally validated against PA-DSS v2.0 cannot have a delta assessment performed using PA-DSS v3.0, and vice-versa.
• Include details about how, for all PA-DSS Requirements not included in the delta assessment, the PA-QSA verified that those Requirements were not affected by the change;
• Include Payment Application functionality testing; and
• Be completed using the same version of the PA-DSS as used for the full validation; for example, a listed Payment Application originally validated against PA-DSS v2.0 cannot have a delta assessment performed using PA-DSS v3, and vice-versa.
Modified p. 34
If the Vendor has chosen to use a wildcard versioning methodology for managing No Impact changes, the wildcard usage must adhere to the requirements in this Program Guide, be consistent with that documented as part of the Vendor’s versioning methodology and be validated by the PA-QSA Company as part of the PA-DSS Assessment (PA-DSS v3.0 or above only). Changes falling within the scope of wildcard usage are not required to be advised to PCI SSC, nor will the changes result …
If the Vendor has chosen to use a wildcard versioning methodology for managing No Impact changes, the wildcard usage must adhere to the requirements in this Program Guide, be consistent with that documented as part of the Vendor’s versioning methodology and be validated by the PA-QSA Company as part of the PA-DSS Assessment (PA-DSS v3.0 or above only). Changes falling within the scope of wildcard usage are not required to be advised to PCI SSC, nor will the changes result …
Modified p. 36
The Vendor prepares and submits a Vendor Change Analysis (for example, using the PA-QSA Change Impact document in Appendix D is acceptable) to the PA-QSA Company that performed the last Full validation of the application.
The Vendor prepares and submits a Vendor Change Analysis (for example, using the PA-QSA Change Impact document in Appendix D is acceptable) to the PA-QSA Company that performed the last full validation of the application.
Modified p. 37
Note: The PA-QSA Change Impact document in Appendix D is mandatory for the PA-QSA Company for submitting Administrative, No Impact and Low Impact changes to PCI SSC but may also be used by Vendors as a Vendor Change Analysis.
Note: The PA-QSA Change Impact document in Appendix D is mandatory for the PA-QSA Company for submitting Administrative, No Impact, Low Impact and High Impact changes to PCI SSC but may also be used by Vendors as a Vendor Change Analysis.
Modified p. 38
For any change affecting the listing of a validated Payment Application, the applicable fee will be invoiced and must be received by PCI SSC for the changes to be Accepted and added to the PCI SSC List of Validated Payment Applications. Upon Acceptance, PCI SSC will sign and return a copy of the Attestation of Validation to both the Vendor and the PA-QSA Company.
For any change affecting the listing of a validated Payment Application, the applicable fee will be invoiced and must be received by PCI SSC for the changes to be Accepted and added to the List of Validated Payment Applications. Upon Acceptance, PCI SSC will sign and return a copy of the Attestation of Validation to both the Vendor and the PA-QSA Company.
Modified p. 41
Once PCI SSC receives the ROV and all other required materials and applicable fees, PCI SSC reviews the ROV from a quality assurance perspective. If the ROV meets all applicable quality assurance requirements (as documented in the QSA Qualification Requirements and related program materials), PCI SSC sends a countersigned PA-DSS Attestation of Validation to both the Vendor and the PA-QSA Company, and adds the application to the List of Validated Payment Applications.
Once PCI SSC receives the ROV and all other required materials and applicable fees, PCI SSC reviews the ROV from a quality assurance perspective, typically within 30 calendar days of payment of invoice, and determines if it is acceptable. Subsequent iterations will also be responded to, typically within 30 calendar days of receipt. If the ROV meets all applicable quality assurance requirements (as documented in the QSA Qualification Requirements and related program materials), PCI SSC sends a countersigned PA-DSS Attestation …
Modified p. 41
There must be consistency between the information in documents submitted for review via the portal and the “Details” fields within the Portal. Common errors in submissions include inconsistent application names or contact information, incomplete or inconsistent documentation, application dependencies being insufficiently explained, and tested platforms/operating systems being insufficiently explained. Incomplete or inconsistent submissions may result in a significant delay in the processing of requests for listing and/or may not be Accepted for review by the PCI SSC.
There must be consistency between the information in documents submitted for review via the Portal and the “Details” fields within the Portal. Common errors in submissions include inconsistent application names or contact information, incomplete or inconsistent documentation, application dependencies being insufficiently explained, and tested platforms/operating systems being insufficiently explained. Incomplete or inconsistent submissions may result in a significant delay in the processing of requests for listing and/or may not be Accepted for review by the PCI SSC.
Modified p. 44
If a Payment Application included on the PCI SSC List of PA-DSS Validated Payment Applications is compromised due to PA-QSA Company and/or Employee error, that PA-QSA Company and/or Employee may immediately be placed into Remediation or its status revoked.
If a Payment Application included on the List of PA-DSS Validated Payment Applications is compromised due to PA-QSA Company and/or Employee error, that PA-QSA Company and/or Employee may immediately be placed into Remediation or its status revoked.
Modified p. 53
B.3 Wildcards
A “wildcard” element is a variable character that may be substituted for a defined subset of possible characters in an application versioning scheme. In the context of PA-DSS, wildcards can optionally be used to represent non-security-impacting changes between each version represented by the wildcard element. A wildcard is the only variable element of the Vendor’s version scheme. Use of a wildcard element in the versioning scheme is optional and is not required in order for the Payment Application …
B.3 Wildcards
A “wildcard” element is a variable character that may be substituted for a defined subset of possible characters in an application versioning scheme. In the context of PA-DSS, wildcards can optionally be used to represent non-security-impacting changes between each version represented by the wildcard element. A wildcard is the only variable element of the Vendor’s version scheme. Use of a wildcard element in the versioning scheme is optional and is not required in order for the Payment Application …