Does PA-DSS certified software have any bearing on an ASV scan?
I'm going to become PCI-DSS compliant since I'll have an ASV scan my site, but I'm unsure if PA-DSS interlinks with PCI-DSS compliance when running a scan.
If the software you're using hasn't been PA-DSS certified by a PA-QSA - as in, the software hasn't fully implemented the PA-DSS security standards yet - does an ASV scan actually LOOK for any of the PA-DSS stuff, or can we pretty much consider what an ASV scan looks for completely separate from PA-DSS?
The ASV scan is only an external vulnerability scan against your public-facing IPs. If you have potential vulnerabilities like unnecessary open ports or cross-site scripting vulnerabilities, etc. - that is the kind of data that is picked up by an ASV scan. You can also think of an ASV scan as the basic "low hanging fruit" detection scan.
Also keep in mind that while the ASV scan is useful and important - by itself it does not make your organization automatically compliant with PCI-DSS.
PA-DSS are the standards for "payment applications" that are sold to third parties. PA-DSS auditing attempts to provide assurance that a payment application (such as shopping cart or billing software) meets the PA-DSS guidelines and is a "secure" payment application. The goal is to try to encourage all merchants to use PA-DSS certified applications to improve their security.
One item to keep in mind is that PA-DSS does NOT apply to custom, in-house software. So for example, if you built your own payment application (shopping cart, billing system, POS tool), that would not need to go through PA-DSS. You still need to be compliant with PCI DSS, however, which has its own requirements that impact how the software must operate to be compliant.
Last edited by cdgcommerce; 01-17-2014 at 05:24 PM.
Most likely this is saying the same thing as cdgcommerce, but a shorter answer is:
All software that touches CC data must be PA-DSS compliant -- not certified. All merchants that process CCs must be PCI DSS compliant. Part of PCI DSS compliance is quarterly scans by an ASV vendor if the merchant touches the Internet. While PA-DSS software certification is not a requirement, it does make it easier for merchants to validate PCI DSS compliance; without it, the software must be validated by the merchant for PA-DSS compliance.