Document Comparison
PA-DSS_Program_Guide_v3_1.pdf → PA-DSS-v3_2-Program-Guide.pdf
96% similar
Pages: 57 → 58
Words: 20692 → 20795
Content Changes: 12
12 content changes. 56 administrative changes (dates, page numbers) hidden.
Added
p. 34
Note: Administrative and No Impact changes cannot be used to transition between versions of PA-DSS.
Added
p. 41
Note: It is common for submissions to require several iterations before the application is Accepted. Adequate QA review of the submission as part of the PA-QSA’s internal QA process will help minimize the number of iterations required. Each iteration will be responded to typically within 30 days from the time that iteration was received in the Portal.
Note: All ROVs and other materials must be submitted to PCI SSC in English or with certified English translation.
Modified
p. 6
PCI Report on Validation Reporting Template for PA-DSS (“ROV Reporting Template”) The ROV Reporting Template is mandatory for completing a Report on Validation and includes detail on how to document the findings of a PA-DSS Assessment.
PCI Report on Validation Reporting Template for PA-DSS (“ROV Reporting Template”) The ROV Reporting Template is mandatory for completing a Report on Validation and includes detail on how to document the findings of a PA- DSS Assessment.
Modified
p. 11
2. Applications requiring customers to disable other features required by the PCI DSS, like anti-virus software or firewalls, in order to get the Payment Application to work properly; and
2. Applications requiring customers to disable other features required by the PCI DSS, like anti-malware software or firewalls, in order to get the Payment Application to work properly; and
Modified
p. 20
PA-DSS applies to Payment Applications that do not require re-compilation after merchant- or environment-specific changes. For example, entering or changing parameters such as database names, store locations, etc., during or after installation - but without modification to the executable modules or application code - would not be considered "customizations." However, customer- or environment-specific changes that require modification to the source code and/or re-compilation of the executable (or other payment-processing modules) on a per-merchant basis, prior to installation in the merchant environment, are …
PA-DSS applies to Payment Applications that do not require re-compilation after merchant- or environment-specific changes. For example, entering or changing parameters such as database names, store locations, etc., during or after installation - but without modification to the executable modules or application code - would not be considered "customizations." However, customer- or environment-specific changes that require modification to the source code and/or re-compilation of the executable (or other payment-processing modules) on a per-merchant basis, prior to installation in the merchant environment, are …
Modified
p. 21
Non-Payment Applications that are part of a Payment Application suite, for example, a fraud- monitoring, scoring, or detection application included in a suite.
Non-Payment Applications that are part of a Payment Application suite, for example, a fraud-monitoring, scoring, or detection application included in a suite.
Modified
p. 21
Such applications can be, but are not required to be, covered by PA-DSS if the whole suite is assessed together. However, if a Payment Application is part of a suite that relies on PA-DSS Requirements being met by controls in other applications in the suite, a single PA-DSS Assessment should be performed for the Payment Application and all other applications in the suite upon which it relies. These applications should not be assessed separately from other applications they rely upon …
Such applications can be, but are not required to be, covered by PA-DSS if the whole suite is assessed together. However, if a Payment Application is part of a suite that relies on PA- DSS Requirements being met by controls in other applications in the suite, a single PA-DSS Assessment should be performed for the Payment Application and all other applications in the suite upon which it relies. These applications should not be assessed separately from other applications they rely …
Modified
p. 25
Note: Remote access - using two-factor authentication - to the testing laboratory for Payment Application validation is acceptable.
Note: Remote access - using multi-factor authentication - to the testing laboratory for Payment Application validation is acceptable.
Modified
p. 28
PCI SSC will bill the Vendor for all PA-DSS Payment Application Acceptance Fees and the Vendor will pay these fees directly to PCI SSC.
PCI SSC will bill the Vendor for all PA- DSS Payment Application Acceptance Fees and the Vendor will pay these fees directly to PCI SSC.
Modified
p. 31
Note: Wildcards may only be substituted for elements of the version number that represent non- security impacting changes; the use of wildcards for any change that has an impact on security or any PA-DSS Requirements is prohibited.
Note: Wildcards may only be substituted for elements of the version number that represent non-security impacting changes; the use of wildcards for any change that has an impact on security or any PA-DSS Requirements is prohibited.
Modified
p. 35
Note: It is strongly recommended that the Vendor uses the PA-QSA Company that performed the last full Payment Application assessment, as changing PA- QSA Companies requires a full assessment.
Note: It is strongly recommended that the Vendor uses the PA-QSA Company that performed the last full Payment Application assessment, as changing PA-QSA Companies requires a full assessment.
Modified
p. 38
PCI SSC will invoice the Vendor for all Validation Maintenance Fees and the Vendor will pay these fees directly to PCI SSC.
PCI SSC will invoice the Vendor for all validation maintenance fees and the Vendor will pay these fees directly to PCI SSC.