PCI PA-DSS Requirements. For hardware vendors

Transcription

1 PCI PA-DSS Requirements For hardware vendors

2 PCI security services UL's streamlined PCI PA-DSS certification services get your product to market faster. UL is world leader in advancing safety. Through it's transaction security unit (UL Transaction Security), UL is the world's leading provider of PCI security services. We pride ourselves on our leadership in this and other fields. We are accredited to supply services for all the PCI programs and programs outside the PCI umbrella. This PCI PA-DSS primer has been created with two purposes in mind: i. to assist hardware vendors to understand the PA-DSS ecosystem, and ii. to identify how UL can benefit hardware vendors to be more vertically integrated into the security certification market via PCI PA-DSS to achieve greater sales. UL is a source of expertise when it comes to the PCI program. You can utilize our experts to understand more about PTS PTS SRED, PCI P2PE, and for devices focused on the mpos market; Visa Ready Partner Program for mpos and MasterCard Mobile POS Program. What is PCI all about? All PCI programs are concerned with the protection of cardholder data. The diagram below identifies data that must be protected. The PCI Security Standards Council runs a number of programs on behalf of the PCI card brands. These programs focus on different elements of the ecosystem and are constantly being reviewed and enhanced to match the security threat environment. page 2

3 Operational Audit Product Approval Product/Solution Implementation How does PA-DSS help a merchant with PCI DSS compliance? The cost and effort of PCI compliance is top of mind for most large merchants. Recent fraud events and U.S. interest in EMV, means merchant are more interested in PCI PTS devices than ever before. Clear-text cardholder data on POS systems is difficult to secure. In the same way PCI PTS gives merchants comfort that their device will protect PIN data, PA-DSS confirms the hardware vendor has gone to the additional effort to protect all cardholder data. This reduces the effort and cost for a merchants QSA while performing a PCI DSS assessment. Isn t SRED enough? Many hardware vendors only focus on SRED and do not understand the added value of PA-DSS. Devices with PCI PTS SRED will only provide support to encrypt cardholder data before it leaves the secure area of the device. However PA-DSS not only focuses on software functionalities, it covers a number of other areas which are not assessed during PCI PTS SRED evaluation. The hardware vendor provides an implementation guide which would include detailed guidance on how to PCI DSS Secure cardholder data and security governance PCI PIN PIN encryption and cryptographic governance PCI PTS Secure Payment Hardware PA-DSS Payment Application Software PCI P2PE Point to point encryption solutions as defined by PCI SS This table classifies the PCI program and provides a should description of its focus and assessment process. configure and deploy their devices in a merchant environment in a PCI DSS compliant state The device does not support any feature that would store, transmit or process cardholder data in a manner that would be non-complaint to PCI DSS. SRED does not guarantee the device would not support any insecure feature. Logical management of the device is supported in a secure manner with audit trails Troubleshooting requests received by the hardware vendor are handled in a PCI DSS complaint manner The hardware vendor follows a documented software development process to ensure their code running on the device has gone through proper security review and testing The hardware vendor follows a documented vulnerability and patch management process that ensures their code on the device is kept up-to-date with security patches QSAs and merchants already understand the extra value provided by PA-DSS. Security is greater enhanced when combined with encrypted cardholder data. Benefits and challenges for hardware vendors The challenge faced by hardware vendors, is it is typically other third party creating payment application that run on the PCI PTS device. There are two alternative solution to this: i. The hardware vendor also creates the payment application; or ii. The hardware vendor assist third party payment application vendors understand how the PCI PTS device s security properties can be used to achieve PA-DSS UL transaction Security offers services and training to assist hardware vendors and payment application vendors to work together to achieve PA-DSS compliance is the shortest time possible. page 3

4 The Fine Print PCI Rules What PCI DSS v3 says about PA-DSS Relationship between PCI DSS and PA-DSS Applicability of PCI DSS to PA-DSS Applications Use of a Payment Application Data Security Standard (PA-DSS) compliant application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide provided by the payment application vendor. All applications that store, process, or transmit cardholder data are in scope for an entity s PCI DSS assessment, including applications that have been validated to PA-DSS. The PCI DSS assessment should verify the PA-DSS validated payment application is properly configured and securely implemented per PCI DSS requirements. If the payment application has undergone any customization, a more in-depth review will be required during the PCI DSS assessment, as the application may no longer be representative of the version that was validated to PA-DSS. The PA-DSS requirements are derived from the PCI DSS Requirements and Security Assessment Procedures (defined in this document). The PA-DSS details the requirements a payment application must meet in order to facilitate a customer s PCI DSS compliance. Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of PAN, full track data, card verification codes and values (CAV2, CID, CVC2, CVV2), and PINs and PIN blocks, along with the damaging fraud resulting from these breaches. To determine whether PA-DSS applies to a given payment application, please refer to the PA-DSS Program Guide, which can be found at Applicability of PCI DSS to Payment Application Vendors PCI DSS may apply to payment application vendors if the vendor stores, processes, or transmits cardholder data, or has access to their customers cardholder data (for example, in the role of a service provider). What PA-DSS v3 says about Hardware Terminals PA-DSS Applicability to Payment Applications on Hardware Terminals This section provides guidance for vendors who wish to gain PA-DSS validation for resident payment applications on hardware terminals (also known as standalone or dedicated payment terminals). There are two ways for a resident payment application on a hardware terminal to achieve PA-DSS validation: page 4

5 1. The resident payment application directly meets all PA-DSS requirements and is validated according to standard PA-DSS procedures. 2. The resident payment application does not meet all PA-DSS requirements, but the hardware that the application is resident on is listed on the PCI SSC s Approved PIN Transaction Security (PTS) Devices List as a current PCI PTS approved Point of Interaction (POI) device. In this scenario, it may be possible for the application to satisfy PA-DSS requirements through a combination of the PA-DSS and PTS validated controls. The remainder of this section applies only to payment applications that are resident on a validated PCI PTS approved POI device. If one or more PA-DSS requirements cannot be met by the payment application directly, they may be satisfied indirectly by controls tested as part of the PCI PTS validation. For a hardware device to be considered for inclusion in a PA-DSS review, the hardware device MUST be validated as a PCI PTS approved POI device and be listed on the PCI SSC s Approved PTS Devices List. The PTS validated POI device, which provides a trusted computing environment, will become a required dependency for the payment application, and the combination of application and hardware will be listed together on the PA-DSS List of Validation Payment Applications. When conducting the PA-DSS assessment, the PA-QSA must fully test the payment application with its dependent hardware against all PA-DSS requirements. If the PA-QSA determines that one or more PA-DSS requirements cannot be met by the resident payment application, but they are met by controls validated under PCI PTS, the PA-QSA must: 1. Clearly document which requirements are met as stated per PA-DSS (as usual); 2. Clearly document which requirement was met via PCI PTS in the In Place box for that requirement; 3. Include a thorough explanation as to why the payment application could not meet the PA-DSS requirement; 4. Document the procedures that were conducted to determine how that requirement was fully met through a PCI PTS validated control; 5. List the PCI PTS validated hardware terminal as a required dependency in the Executive Summary of the Report on Validation. Once the PA-QSA s validation of the payment application is complete and is subsequently accepted by the PCI SSC, the PTS validated hardware device will be listed as a dependency for the payment Want to know more? UL's PCI and security experts are happy to assist. Please visit our website for locations and contact details or info@ul-ts.com. application on the PA-DSS List of Validated Applications. Resident payment applications on hardware terminals that are validated through a combination of PA-DSS and PCI PTS controls must meet the following criteria: 1. Be provided together to the customer (both hardware terminal and application), OR, if provided separately, the application vendor and/or the integrator/reseller must package the application for distribution such that it will operate only on the hardware terminal it has been validated to run on. 2. Enabled by default to support a customer s PCI DSS compliance. 3. Include ongoing support and updates to maintain PCI DSS compliance. 4. If the application is separately sold, distributed, or licensed to customers, the vendor must provide details of the dependent hardware required for use with the application, in accordance with its PA-DSS validation listing. page 5