See what changes your payment application vendor should make.
If you’re a payment application vendor, then you’re mandated to follow the PA-DSS. The PCI Security Council has released version 3.2 of the Payment Application Data Security Standard (PA-DSS).
Applications vendors are encouraged to review and incorporate these changes into their payment applications and implementation guides as soon as possible. Version 3.2 is effective June 1, 2016 and PA-DSS version 3.1 retires on August 31, 2016.
Most of the changes in PA-DSS 3.2 reflect the changes in PCI DSS 3.2.
The Payment Application Data Security Standard is similar to the PCI DSS, but it’s addressed to payment application vendors. Put simply, it’s the data security standard for vendors that sell POS machines and other payment applications.
PA-DSS version 3.2 includes a set of changes that all payment application vendors will be required to make.
Similar to the PCI DSS, PA-DSS 3.2 now requires multi-factor authentication for all non-console access, whether from within or outside the network. Put simply, if you use remote access to your business’s network, inside or outside it, you are now required to use multi-factor authentication to do so. The wording has also been clarified to say multi-factor authentication rather than just two-factor authentication.
See also: 2 Things You Should Know about PCI 3.2 Multi-Factor Authentication Updates
Some changes have been made to requirements for the Implementation Guide. The guide must now include instructions that any debugging logs that include PAN data must be protected and securely deleted when no longer needed.
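The simplest way to satisfy the debugging-log requirement is to make sure full PANs never reach the log in the first place. The following is an added example, not code from the PA-DSS or from any payment application vendor: a logging filter that finds Luhn-valid 13- to 19-digit sequences in each log message and masks them to the first six and last four digits. It assumes that any Luhn-valid run of that length in a debug message is a PAN, which is a conservative assumption for a payment application; the sample log lines are constructed. Secure deletion of logs that already contain PAN data still has to be handled separately.

```python
"""Keep primary account numbers (PANs) out of debug logs.

Added example (not vendor or PA-DSS code). Assumes any Luhn-valid run of
13-19 digits, optionally separated by spaces or hyphens, is a PAN.
"""
import io
import logging
import re

# Candidate PAN: 13-19 digits, single optional space/hyphen between digits,
# not adjacent to other digits (so a longer number is not split into a PAN).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the all-digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN candidate in text with its masked form."""
    def _sub(match: "re.Match[str]") -> str:
        raw = match.group(0)
        digits = re.sub(r"[^0-9]", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw
    return PAN_CANDIDATE.sub(_sub, text)


class PanRedactingFilter(logging.Filter):
    """Rewrite each log record's fully formatted message before it is emitted."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pans(record.getMessage())
        record.args = ()        # message is already formatted; do not format again
        return True


def log_with_redaction(message: str) -> str:
    """Send one debug line through a redacting handler and return what was written."""
    stream = io.StringIO()
    logger = logging.getLogger("pos.debug.example")   # hypothetical logger name
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PanRedactingFilter())
    logger.addHandler(handler)
    try:
        logger.debug(message)
    finally:
        logger.removeHandler(handler)
    return stream.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample lines: a well-known test PAN and a non-PAN 16-digit id.
    print(log_with_redaction("auth request pan=4111 1111 1111 1111 amount=12.00"))
    print(log_with_redaction("order id=1234567890123456 status=ok"))
```

Attach the filter to every handler of the application's debug logger rather than to the logger itself, so that records added by child loggers are redacted too. Masking to six-plus-four is the most that PCI DSS allows to be displayed; if a debug log has no need for even that, replace the kept digits with stars as well.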
Testing procedures have also been updated to include the identification of all roles and default accounts in the payment application.
One final change to the guide: a new requirement has been added for instructions on securely installing patches and updates.
A couple of additional changes include:
Whether you’re a payment application vendor or you work with one, make sure you or your third-party vendors are up to date with the PA-DSS.
If you don’t, you could be held liable should a data breach hit you or one of the businesses you work with.