Implementation of PA-DSS

In order for a site to become PCI DSS compliant, PA-DSS compliant applications must be used, and these applications must be installed in a PA-DSS compliant manner. Also, steps must be taken to make sure that any remaining trace of non-compliant application or data is securely removed from the system.

The goal of this implementation guide is not to repeat or explain the entire PA-DSS 3.2 specification. A large portion of PA-DSS is aimed at how software developers should design their products in order to help merchants become PCI-DSS compliant. Of course, there would be no added value in re-stating these requirements here. Therefore, the topics discussed here will only be those that apply to resellers and support technicians installing the application as well as merchants using the application. The list of topics covered in this guide is in accordance with Appendix A: Summary of Contents for the PA-DSS Implementation Guide, from the PCI PA-DSS Requirements and security assessment Procedures, Version 3.2 (May 2016).

Compliance with PA-DSS Standard

The current version of Maitre’D that is certified as PA-DSS compliant is:

Maitre’D 7.08.000.000

All versions of Maitre’D 7.08 released afterwards are also compliant with PA-DSS

List of topics covered

• Delete sensitive authentication data stored by previous payment application versions. • Delete any sensitive authentication data (pre-authorization) gathered as a result of troubleshooting the payment application. • Securely delete cardholder data after customer-defined retention period. • Protect keys used to secure cardholder data against disclosure and misuse. • Implement key-management processes and procedures for cryptographic keys used for encryption of cardholder data. • Implement secure key management functions. • Provide a mechanism to render irretrievable cryptographic key material or cryptograms stored by the payment application. •Use unique user IDs and secure authentication for administrative access and access to cardholder data. • Use unique user IDs and secure authentication for access to PCs, servers, and databases with payment applications. • Implement automated audit trails. • Facilitate centralized logging. • Use only necessary and secure services, protocols, components, and dependent software and hardware, including those provided by third parties. • Securely implement wireless technology. • Secure transmissions of cardholder data over wireless networks. • Store cardholder data only on servers not connected to the Internet. • Implement two-factor authentication for all remote access to payment application that originates from outside the customer environment. • Securely deliver remote payment application updates. • Securely implement remote access software. • Secure transmissions of cardholder data over public networks. • Encrypt cardholder data sent over end-user messaging technologies. • Encrypt non-console administrative access.

Throughout this document, some of the topics above may be combined to facilitate reading, understanding and application of required measures. In some cases, topics may not apply to Maitre’D directly. In such cases, the reason why the topic does not apply will be explained.