  • Did you know that nearly 57% of organizations stated that, for an application they had not listed, the potential impact of a breach turned out to be higher than the expense of going through the PA-DSS compliance process?

  • Did you know that 90% of applications were found to store passwords in memory before undergoing PA-DSS compliance?

  • Did you know that approximately 89% of antivirus vendors are not familiar with the architecture, vulnerabilities and threats of POS and payment systems?

  • Did you know that 62% of applications do not log application user activity?

  • Did you know that 45% of surveyed organizations have faced card-present fraud?

  • Did you know that 76% of insecure authentication attempts originate from outside the customer environment?

PA DSS Consulting and Implementation

Our PA-DSS consulting services help organizations that develop commercial payment applications through the entire PA-DSS cycle with minimal friction. Our consulting team, comprising subject matter experts, has the knowledge and skills to provide consultancy and implementation services for the standard. We also provide an Integrated Standards Management System if you have multiple standards in place in your organisation and need an integrated approach to the exercise.

Our Approach to helping you manage your application InfoSec risks with PA-DSS:

We spend significant time with your senior management defining the scope, which includes timelines, responsibilities and budget for the implementation.

The gap assessment is conducted against PA-DSS version 3. As part of the gap analysis, our team reviews your organization's existing processes against the PA-DSS requirements and guidance.

During this phase we evaluate whether secure coding practices were followed during the development of the payment application. Coverage includes, but is not restricted to, the following points:

  1. Flow of cardholder data through the application
  2. Security features in the application:
    • Logging
    • User Authentication
    • Input Validation, etc.

The purpose of this phase is to identify vulnerable services and vulnerable parameters, so that we can determine whether an attacker could compromise your application and cause reputational damage. We not only perform automated scans but also manually assess the parameters on each page, where we also hunt for business logic flaws.
Our team follows the OWASP Testing Guide when conducting the application security testing. We also perform a technical review of the application components, payment transaction logs and cardholder data storage to ensure that prohibited data (full track data, CVV2, CID, CVC2) is not being stored. We test the application in the following six categories for vulnerabilities and possible security flaws:

  1. Test the Authentication Mechanism
  2. Test for Session Management Mechanism
  3. Test Access Controls
  4. Test for input based vulnerabilities
  5. Configuration Management Testing
  6. Test for Business Logic Flaws

The purpose of this phase is to identify gaps in the network devices specified in the scope of the assessment and to configure them securely so that an external attack cannot traverse the network. In this phase we test the network devices using the approach below:

  1. Fetch the configurations
  2. Analyse configuration against the baseline
  3. Gap Identification:
    • Test for Insufficient Password Recovery
    • Test for Insufficient Transport Layer Protection
    • SSL/TLS Testing (SSL/TLS version, key length, algorithms, digital certificate validity)
    • File Extensions Handling
    • Old, Backups & Unreferenced Files
    • Infrastructure and Application Admin Interfaces
    • Testing for known vulnerabilities (missing patches, default accounts, etc.)
    • And many more…

We conduct forensic analysis on the system components that process, store or transmit cardholder data within the test environment. The following forensic analysis is conducted:

  1. Memory Forensics: We capture the contents of system RAM as part of live forensics and review whether sensitive authentication data such as CVV2 and track 2 data have been cleared from RAM on completion of the transaction.
  2. Hard Disk Forensics: The purpose of hard disk forensics is to identify whether the 16-digit card number is stored on the hard disk in clear text. For this, we capture the contents of the hard disk in a forensically sound manner and search for the card numbers used in the test transactions anywhere on the system.
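The prohibited-data review in the application testing phase and the memory and hard disk searches above come down to the same procedure: carve a raw image for Luhn-valid PANs and for magnetic-stripe track records, without ever writing a full PAN into the report. The scanner below is an added example, not this page's or the consultancy's own tooling. It assumes Python 3.9+, uses only public test card numbers, and the SAMPLE dump is constructed inline to stand in for a RAM capture; it also covers the UTF-16LE form in which Windows and .NET payment applications usually hold strings in memory, and streams large images in overlapping chunks so a record cut at a chunk boundary is neither missed nor counted twice.

```python
"""Search a RAM capture or disk image for clear-text PANs and magnetic-stripe
track data.  Added example for the forensic-review step, not the consultancy's
tooling; the sample bytes are constructed from public test card numbers."""
import os
import re
import tempfile
from dataclasses import dataclass

# Track 1 (%B<PAN>^<NAME>^<YYMM><SVC>...?) and track 2 (;<PAN>=<YYMM><SVC>...?).
# Start sentinels are optional: software often strips them before buffering.
TRACK1_RE = re.compile(rb"%?B(?P<pan>[0-9]{13,19})\^[^\^]{2,26}\^(?P<exp>[0-9]{4})(?P<svc>[0-9]{3})[^?]{0,40}\??")
TRACK2_RE = re.compile(rb";?(?P<pan>[0-9]{13,19})=(?P<exp>[0-9]{4})(?P<svc>[0-9]{3})[0-9]{0,40}\??")
# Bare PAN: 13-19 digits with optional single space/dash separators, not part of a
# longer digit run (which rules out most transaction IDs and timestamps).
PAN_ASCII_RE = re.compile(rb"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")
# The same PAN as a Windows/.NET string in memory: UTF-16LE, one NUL after each digit.
PAN_UTF16_RE = re.compile(rb"(?<![0-9]\x00)(?:[0-9]\x00){13,19}(?![0-9]\x00)")
CTX = 2  # widest lookbehind above, in bytes (needed by the chunked scanner)


def luhn_ok(digits: str) -> bool:
    """Mod-10 check digit test; drops most random digit runs of PAN length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Findings show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class Finding:
    kind: str       # "track1" / "track2" (sensitive authentication data) or "pan" / "pan-utf16"
    offset: int     # absolute byte offset in the image
    pan: str        # masked PAN
    note: str = ""  # expiry and service code for track data


def scan_image(buf: bytes) -> list[Finding]:
    """All Luhn-valid PANs and track records in buf, sorted by offset."""
    found, covered = [], []            # covered: spans already reported as track data
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode()
            if luhn_ok(pan):
                covered.append(m.span())
                note = f"exp={m.group('exp').decode()} svc={m.group('svc').decode()}"
                found.append(Finding(kind, m.start(), mask_pan(pan), note))
    for kind, rx in (("pan", PAN_ASCII_RE), ("pan-utf16", PAN_UTF16_RE)):
        for m in rx.finditer(buf):
            if any(a <= m.start() < b for a, b in covered):
                continue               # the PAN (or expiry) inside a track record
            raw = m.group(0)
            digits = raw.decode("utf-16-le") if kind == "pan-utf16" else re.sub(rb"[ -]", b"", raw).decode()
            if luhn_ok(digits):
                found.append(Finding(kind, m.start(), mask_pan(digits)))
    return sorted(found, key=lambda f: f.offset)


def scan_file(path: str, chunk: int = 64 << 20, overlap: int = 512, maxrec: int = 128) -> list[Finding]:
    """Stream a large image.  Chunks overlap, and each reports a window chosen so that every
    record (<= maxrec bytes) is seen whole by exactly one chunk: nothing is missed, duplicated,
    or mis-read as a bare PAN fragment of a track record cut at a boundary."""
    assert chunk > overlap >= 2 * maxrec + CTX
    k = maxrec + CTX                   # window boundary inside the overlap
    out, tail, tail_abs = [], b"", 0   # tail: carried bytes; tail_abs: their absolute offset
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk)
            buf, last = tail + data, len(data) < chunk
            lo = 0 if tail_abs == 0 else k
            hi = len(buf) if last else len(buf) - overlap + k
            out += [Finding(f.kind, tail_abs + f.offset, f.pan, f.note)
                    for f in scan_image(buf) if lo <= f.offset < hi]
            if last:
                return out
            tail, tail_abs = buf[-overlap:], tail_abs + len(buf) - overlap


def build_sample_dump() -> bytes:
    """Constructed stand-in for a RAM capture (public test card numbers only)."""
    return b"".join([
        b"POSApp v2.1 txn_id=12345678901234567890123 ",      # 23-digit run: not a PAN
        b"masked=411111******1111 ",                         # already masked: ignored
        b"lastPan=4111111111111111 ",                        # clear-text PAN
        b"swipe=;4111111111111111=25121010000000000000? ",   # track 2: must never persist
        b"ref=1234567890123456 ",                            # 16 digits but fails Luhn
        b"card=5105-1051-0510-5100 ",                        # PAN with separators
        b"\x00\x00" + "5555555555554444".encode("utf-16-le") + b"\x00\x00",  # .NET string
        b"%B4111111111111111^DOE/JOHN^25121010000000000?",    # track 1
    ])


def scan_sample_via_file(chunk: int = 120, overlap: int = 100, maxrec: int = 48) -> list[Finding]:
    """Write the sample to a temp file and scan it in deliberately tiny chunks."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(build_sample_dump())
    try:
        return scan_file(path, chunk, overlap, maxrec)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for f in scan_image(build_sample_dump()):
        print(f"{f.offset:#08x} {f.kind:10s} {f.pan} {f.note}")
```

Hits are triage leads, not verdicts: the Luhn check removes most random digit runs but not all, so each offset is confirmed against the PANs used in the test transactions, and any track record found after a transaction has completed is a PA-DSS failure regardless of how it got there. The search only sees data that is in clear text; PANs stored encrypted, compressed or in a database page format need the corresponding decoder run first.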

As we believe it is just as important to fix bugs as it is to find them, our consultants provide you with a document outlining remediation guidance. We further support your team with queries during the actual remediation of the weaknesses.

With all data in hand, our team then creates the document set required by PA-DSS. Your input is required only to validate it.

Once all controls are confirmed to be in place, we help you through the PA-DSS validation with the external assessor (PA-QSA).