  1. #1

    Does PA-DSS certified software have any bearing on an ASV scan?

    I'm going to become PCI-DSS compliant since I'll have an ASV scan my site, but I'm unsure if PA-DSS interlinks with PCI-DSS compliance when running a scan.

    If the software you're using hasn't been PA-DSS certified by a PA-QSA - as in, the software hasn't had full implementation of the PA-DSS security standards yet, does an ASV scan actually LOOK for any of the PA-DSS stuff, or can we pretty much consider what an ASV scan looks for completely separate from PA-DSS?

  2. #2

    The ASV scan is only an external vulnerability scan against your public-facing IPs. If you have potential vulnerabilities like unnecessary open ports or cross-site scripting vulnerabilities, etc. - that is the kind of data that is picked up by an ASV scan. You can also think of an ASV scan as the basic "low hanging fruit" detection scan.

    Also keep in mind that while the ASV scan is useful and important - by itself it does not make your organization automatically compliant with PCI-DSS.

    PA-DSS are the standards for "payment applications" that are sold to third parties. PA-DSS auditing attempts to provide assurance that a payment application (such as shopping cart or billing software) meets the PA-DSS guidelines and is a "secure" payment application. The goal is to try to encourage all merchants to use PA-DSS certified applications to improve their security.

    One item to keep in mind is that PA-DSS does NOT apply to custom, in-house software. So for example, if you built your own payment application (shopping cart, billing system, POS tool) that would not need to go through PA-DSS. You still need to be compliant with PCI DSS, however, which has its own requirements which impact how the software must operate to be compliant.
    Last edited by cdgcommerce; 01-17-2014 at 05:24 PM.

  3. #3
    Most likely this is saying the same thing as cdgcommerce but a shorter answer is:

    All software that touches CC data must be PA-DSS compliant -- not certified. All merchants that process CCs must be PCI DSS compliant. Part of PCI DSS compliance are quarterly scans by an ASV vendor if the merchant touches the Internet. While PA-DSS software certification is not a requirement, it does make it easier for merchants to validate PCI DSS compliance; without it, the software must be validated by the merchant for PA-DSS compliance.

    Well, not much shorter. Sorry. PCI is complex.
    --Steve
