Why PCI and PA-DSS Matter

Right now, credit card processors are contacting your customers and requiring them either to move to a Payment Card Industry (PCI) compliant environment or to use a Payment Application Data Security Standard (PA-DSS) compliant application.

This means that software companies that do not develop PA-DSS compliant solutions will soon fall behind competitors that do, and will rapidly lose their reseller base.

PCI Compliance and Application Security

The PCI Data Security Standard (PCI-DSS) is a combination of best practices and associated requirements covering security management, policies, procedures, network architecture, software design, and other protective measures. These requirements apply to every entity that stores, processes, or transmits cardholder data. The high-level requirements, as detailed by the PCI Security Standards Council (PCI-SSC), are as follows:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

PA-DSS: Payment Application Data Security Standard

  1. Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data.
  2. Protect stored cardholder data.
  3. Provide secure authentication features.
  4. Log payment application activity.
  5. Develop secure payment applications.
  6. Protect wireless transmissions.
  7. Test payment applications to address vulnerabilities.
  8. Facilitate secure network implementation.
  9. Never store cardholder data on a server connected to the Internet.
  10. Facilitate secure remote access to the payment application.
  11. Encrypt sensitive traffic over public networks.
  12. Encrypt all non-console administrative access.
  13. Maintain instructional documentation and training for customers, resellers, and integrators.