PA-DSS otherwise known as Payment Application Data Security Standard
I'm looking to see how many teams out there deal with the PCI council and create applications that handle credit card data.
I would like to discuss and connect with those teams and their PA-DSS/PCI-DSS personnel, if possible, how they have implemented the PA-DSS requirements into their scrum/sprint teams and practices.
Thank you in advance.
Here is an article that I have written on Security as part of the Definition of Done. I have also done a lot of PCI work in the past and worked with the PCI council as my last company was managing the infrastructure for Payment processors and we had to be PCI and HIPAA compliant.
Eric, I had the opportunity to read your article and it's great from a theoretical POV.
However, I'm looking to hear more from those who have practical experience implementing PA-DSS 3.2 for their companies' payment applications in conjunction with their internal scrum team practices.
Is the implementation of PA-DSS 3.2 a complex problem for which there are many unknowns?
Ian, the PA-DSS 3.2 requirements are such that there are supposed to be checks and balances in place during the SDLC as well as a separation of duties. The reason for this is to prevent malicious code from being published to customers that would compromise customers' SAD, PAN, or credit card data in any way. Likewise there are proscriptions that apply to other aspects of a merchant's business that processes credit card transactions: wireless access points, physical access to systems, etc.
I'm seeking input from any teams or individuals that have been or currently are involved in the design, implementation, and deployment of payment applications to an already existing customer base.
I work for a Payments company.
Here are some things in place in our company:
- Team members follow annual PCI-DSS training to ensure that they are up to date with their knowledge.
- To ensure that code quality meets PCI standards, every team member is provided with a list of Secure Coding Guidelines, and code reviews are in place, so if there are any violations in the new code, hopefully they are caught in the code review.
- We have a monitoring tool which triggers an email if any sensitive data makes it to the DB, logs, etc.
- There is of course an annual audit of the compliance.
Does it help?