PCI Electronically Signed Made Easy

Eliminate paperwork and optimize document management for more productivity and endless possibilities. Experience the perfect way of doing business with airSlate SignNow.

Award-winning eSignature solution

Send my document for signature

Get your document eSigned by multiple recipients.

Sign my own document

Add your eSignature to a document in a few clicks.

Do more on the web with a globally-trusted eSignature platform

Outstanding signing experience

You can make eSigning workflows intuitive, fast, and effective for your clients and employees. Get your paperwork signed within a few minutes.

Trusted reporting and analytics

Real-time access along with immediate notifications means you’ll never lose anything. Check stats and document progress via detailed reports and dashboards.

Mobile eSigning in person and remotely

airSlate SignNow lets you sign on any device from any location, regardless if you are working remotely from home or are in person at your workplace. Every eSigning experience is flexible and easy to customize.

Industry regulations and compliance

Your electronic signatures are legally valid. airSlate SignNow guarantees the highest compliance with US and EU eSignature laws and maintains industry-specific rules.

PCI electronically signed, faster than ever

airSlate SignNow delivers a PCI electronically signed function that helps improve document workflows, get contracts signed immediately, and work smoothly with PDFs.

Helpful eSignature add-ons

Take advantage of simple-to-install airSlate SignNow add-ons for Google Docs, Chrome browser, Gmail, and much more. Access airSlate SignNow’s legally-binding eSignature capabilities with a mouse click.

See airSlate SignNow eSignatures in action

Create secure and intuitive eSignature workflows on any device, track the status of documents right in your account, build online fillable forms – all within a single solution.

Try airSlate SignNow with a sample document

Complete a sample document online. Experience airSlate SignNow's intuitive interface and easy-to-use tools in action. Open a sample document to add a signature, date, text, upload attachments, and test other useful functionality.

Checkboxes and radio buttons
Request an attachment
Set up data validation

airSlate SignNow solutions for better efficiency

Keep contracts protected
Enhance your document security and keep contracts safe from unauthorized access with dual-factor authentication options. Ask your recipients to prove their identity before opening a contract to pci electronically signed.
Stay mobile while eSigning
Install the airSlate SignNow app on your iOS or Android device and close deals from anywhere, 24/7. Work with forms and contracts even offline and pci electronically signed later when your internet connection is restored.
Integrate eSignatures into your business apps
Incorporate airSlate SignNow into your business applications to quickly pci electronically signed without switching between windows and tabs. Benefit from airSlate SignNow integrations to save time and effort while eSigning forms in just a few clicks.
Generate fillable forms with smart fields
Update any document with fillable fields, make them required or optional, or add conditions for them to appear. Make sure signers complete your form correctly by assigning roles to fields.
Close deals and get paid promptly
Collect documents from clients and partners in minutes instead of weeks. Ask your signers to pci electronically signed and include a charge request field to your sample to automatically collect payments during the contract signing.
Collect signatures 24x faster
Reduce costs by $30 per document
Save up to 40h per employee / month

Our user reviews speak for themselves

Kodi-Marie Evans
Director of NetSuite Operations at Xerox
airSlate SignNow provides us with the flexibility needed to get the right signatures on the right documents, in the right formats, based on our integration with NetSuite.
Samantha Jo
Enterprise Client Partner at Yelp
airSlate SignNow has made life easier for me. It has been huge to have the ability to sign contracts on-the-go! It is now less stressful to get things done efficiently and promptly.
Megan Bond
Digital marketing management at Electrolux
This software has added to our business value. I have got rid of the repetitive tasks. I am capable of creating the mobile native web forms. Now I can easily make payment contracts through a fair channel and their management is very easy.

Why choose airSlate SignNow

  • Free 7-day trial. Choose the plan you need and try it risk-free.
  • Honest pricing for full-featured plans. airSlate SignNow offers subscription plans with no overages or hidden fees at renewal.
  • Enterprise-grade security. airSlate SignNow helps you comply with global security standards.

Your step-by-step guide — pci electronically signed

Access helpful tips and quick steps covering a variety of airSlate SignNow’s most popular features.

Using airSlate SignNow’s electronic signature any business can speed up signature workflows and eSign in real-time, giving a greater experience to clients and staff members. Use PCI electronically signed in a couple of easy steps. Our mobile apps make operating on the go possible, even while off the internet! eSign documents from any place worldwide and close trades in no time.

Follow the walk-through guide for using PCI electronically signed:

  1. Sign in to your airSlate SignNow profile.
  2. Locate your record in your folders or upload a new one.
  3. Open the document and adjust it using the Tools list.
  4. Drop fillable fields, add text and sign it.
  5. Include numerous signers via email and configure the signing sequence.
  6. Specify which individuals will get a signed copy.
  7. Use Advanced Options to limit access to the record and set an expiry date.
  8. Press Save and Close when finished.

Additionally, there are more extended capabilities open for PCI electronically signed. Add users to your shared work environment, view teams, and track cooperation. Numerous customers all over the US and Europe agree that a solution that brings people together in a single holistic environment is exactly what enterprises need to keep workflows working efficiently. The airSlate SignNow REST API enables you to integrate eSignatures into your application, website, CRM or cloud storage. Try out airSlate SignNow and get faster, smoother and overall more productive eSignature workflows!

How it works

Access the cloud from any device and upload a file
Edit & eSign it remotely
Forward the executed form to your recipient

airSlate SignNow features that users love

Speed up your paper-based processes with an easy-to-use eSignature solution.

Edit PDFs online
Generate templates of your most used documents for signing and completion.
Create a signing link
Share a document via a link without the need to add recipient emails.
Assign roles to signers
Organize complex signing workflows by adding multiple signers and assigning roles.
Create a document template
Create teams to collaborate on documents and templates in real time.
Add Signature fields
Get accurate signatures exactly where you need them using signature fields.
Archive documents in bulk
Save time by archiving multiple documents at once.

See exceptional results PCI electronically signed made easy

Get signatures on any document, manage contracts centrally and collaborate with customers, employees, and partners more efficiently.

How to Sign a PDF Online

How to complete and sign a PDF online

Try out the fastest way to PCI electronically signed. Avoid paper-based workflows and manage documents right from airSlate SignNow. Complete and share your forms from the office or seamlessly work on-the-go. No installation or additional software required. All features are available online, just go to signnow.com and create your own eSignature flow.

A brief guide on how to PCI electronically signed in minutes

  1. Create an airSlate SignNow account (if you haven’t registered yet) or log in using your Google or Facebook.
  2. Click Upload and select one of your documents.
  3. Use the My Signature tool to create your unique signature.
  4. Turn the document into a dynamic PDF with fillable fields.
  5. Fill out your new form and click Done.

Once finished, send an invite to sign to multiple recipients. Get an enforceable contract in minutes using any device. Explore more features for making professional PDFs; add fillable fields PCI electronically signed and collaborate in teams. The eSignature solution supplies a safe process and works according to SOC 2 Type II Certification. Be sure that all your records are guarded and that no one can edit them.

How to Sign a PDF Using Google Chrome

How to eSign a PDF template in Google Chrome

Are you looking for a solution to PCI electronically signed directly from Chrome? The airSlate SignNow extension for Google is here to help. Find a document and right from your browser easily open it in the editor. Add fillable fields for text and signature. Sign the PDF and share it safely according to GDPR, SOC 2 Type II Certification and more.

Using this brief how-to guide below, expand your eSignature workflow into Google and PCI electronically signed:

  1. Go to the Chrome web store and find the airSlate SignNow extension.
  2. Click Add to Chrome.
  3. Log in to your account or register a new one.
  4. Upload a document and click Open in airSlate SignNow.
  5. Modify the document.
  6. Sign the PDF using the My Signature tool.
  7. Click Done to save your edits.
  8. Invite other participants to sign by clicking Invite to Sign and selecting their emails/names.

Create a signature that’s built into your workflow to PCI electronically signed and get PDFs eSigned in minutes. Say goodbye to the piles of papers sitting on your workplace and start saving time and money for extra essential duties. Choosing the airSlate SignNow Google extension is a smart, convenient decision with plenty of benefits.

How to Sign a PDF in Gmail

How to eSign an attachment in Gmail

If you’re like most, you’re used to downloading the attachments you get, printing them out and then signing them, right? Well, we have good news for you. Signing documents in your inbox just got a lot easier. The airSlate SignNow add-on for Gmail allows you to PCI electronically signed without leaving your mailbox. Do everything you need; add fillable fields and send signing requests in clicks.

How to PCI electronically signed in Gmail:

  1. Find airSlate SignNow for Gmail in the G Suite Marketplace and click Install.
  2. Log in to your airSlate SignNow account or create a new one.
  3. Open up your email with the PDF you need to sign.
  4. Click Upload to save the document to your airSlate SignNow account.
  5. Click Open document to open the editor.
  6. Sign the PDF using My Signature.
  7. Send a signing request to the other participants with the Send to Sign button.
  8. Enter their email and press OK.

As a result, the other participants will receive notifications telling them to sign the document. No need to download the PDF file over and over again, just PCI electronically signed in clicks. This add-on is suitable for those who choose working on more valuable goals instead of burning time for nothing. Enhance your day-to-day compulsory labour with the award-winning eSignature solution.

How to Sign a PDF on a Mobile Device

How to eSign a PDF on the go without a mobile app

For many products, getting deals done on the go means installing an app on your phone. We’re happy to say at airSlate SignNow we’ve made signing on the go faster and easier by eliminating the need for a mobile app. To eSign, open your browser (any mobile browser) and get direct access to airSlate SignNow and all its powerful eSignature tools. Edit docs, PCI electronically signed and more. No installation or additional software required. Close your deal from anywhere.

Take a look at our step-by-step instructions that teach you how to PCI electronically signed.

  1. Open your browser and go to signnow.com.
  2. Log in or register a new account.
  3. Upload or open the document you want to edit.
  4. Add fillable fields for text, signature and date.
  5. Draw, type or upload your signature.
  6. Click Save and Close.
  7. Click Invite to Sign and enter a recipient’s email if you need others to sign the PDF.

Working on mobile is no different than on a desktop: create a reusable template, PCI electronically signed and manage the flow as you would normally. In a couple of clicks, get an enforceable contract that you can download to your device and send to others. Yet, if you really want an application, download the airSlate SignNow app. It’s secure, quick and has a great layout. Enjoy smooth eSignature workflows from your workplace, in a taxi or on a plane.

How to Sign a PDF on iPhone

How to sign a PDF employing an iPhone

iOS is a very popular operating system packed with native tools. It allows you to sign and edit PDFs using Preview without any additional software. However, as great as Apple’s solution is, it doesn't provide any automation. Enhance your iPhone’s capabilities by taking advantage of the airSlate SignNow app. Utilize your iPhone or iPad to PCI electronically signed and more. Introduce eSignature automation to your mobile workflow.

Signing on an iPhone has never been easier:

  1. Find the airSlate SignNow app in the AppStore and install it.
  2. Create a new account or log in with your Facebook or Google.
  3. Click Plus and upload the PDF file you want to sign.
  4. Tap on the document where you want to insert your signature.
  5. Explore other features: add fillable fields or PCI electronically signed.
  6. Use the Save button to apply the changes.
  7. Share your documents via email or a signing link.

Make professional PDFs right from your airSlate SignNow app. Get the most out of your time and work from anywhere; at home, in the office, on a bus or plane, and even at the beach. Manage an entire record workflow seamlessly: build reusable templates, PCI electronically signed and work on documents with business partners. Turn your device into a powerful company tool for closing contracts.

How to Sign a PDF on Android

How to sign a PDF taking advantage of an Android

For Android users to manage documents from their phone, they have to install additional software. The Play Market is vast and plump with options, so finding a good application isn’t too hard if you have time to browse through hundreds of apps. To save time and prevent frustration, we suggest airSlate SignNow for Android. Store and edit documents, create signing roles, and even PCI electronically signed.

The 9 simple steps to optimizing your mobile workflow:

  1. Open the app.
  2. Log in using your Facebook or Google accounts or register if you haven’t authorized already.
  3. Click on + to add a new document using your camera, internal or cloud storage.
  4. Tap anywhere on your PDF and insert your eSignature.
  5. Click OK to confirm and sign.
  6. Try more editing features; add images, PCI electronically signed, create a reusable template, etc.
  7. Click Save to apply changes once you finish.
  8. Download the PDF or share it via email.
  9. Use the Invite to sign function if you want to set & send a signing order to recipients.

Turn the mundane and routine into easy and smooth with the airSlate SignNow app for Android. Sign and send documents for signature from any place you’re connected to the internet. Create good-looking PDFs and PCI electronically signed with just a few clicks. Put together a flawless eSignature workflow with just your smartphone and boost your overall productivity.


What active users are saying — pci electronically signed

Get access to airSlate SignNow’s reviews, our customers’ advice, and their stories. Hear from real users and what they say about features for generating and signing docs.

airSlate SignNow
5
Jennifer

My overall experience with this software has been a tremendous help with important documents and even simple tasks so that I don't have to leave the house and waste time and gas to have to go sign the documents in person. I think it is a great software and very convenient.

airSlate SignNow has been an awesome software for electric signatures. This has been a useful tool and has been great and definitely helps time management for important documents. I've used this software for important documents for my college courses, for billing documents and even to sign for credit cards or other simple tasks such as documents for my daughter's schooling.

Easy to use
5
Anonymous

Overall, I would say my experience with airSlate SignNow has been positive and I will continue to use this software.

What I like most about airSlate SignNow is how easy it is to use to sign documents. I do not have to print my documents, sign them, and then rescan them in.

Easiest thing everrr
5
Anonymous

I use it once a month to sign my loan agreements and it makes things so much better easier.

This software makes it super easy to sign agreements, documents, or confidential papers over email due to the social distancing.


PCI electronically signed

Hello everyone, and welcome to our, I think, 35th webinar, on PA DSS and SSF, actually on PCI SSF. This is again an outcome of, if I might say that, popular demand. We've been doing a lot of webinars on PCI DSS, HIPAA, SOC 2, GDPR, many other areas, and one of the areas that we had ignored, even though we do it, was PA DSS, you know, Payment Application Data Security Standards, and now the upcoming SSF, Software Security Framework, is a framework which is now coming up. So we thought, let us do something on that. There are so many questions, so we consolidated all of it into this webinar, and I really hope you enjoy it. Before we start, I hope you can hear me, and if there is any query, feel free to, you know, just drop a one-liner in the chat box. My colleague is also there with me, who is manning the behind-the-scenes role, and he will jump into it immediately. So with that, let us initiate.

So this is the webinar, as has been circulated to you; I don't think I need to read it again: what it's all about, what are the requirements, eligibility criterion, and how does it interplay with PCI, pen testing, coding requirements, and many of the FAQs which are there associated with, you know, PA DSS, and what you can expect in the new standard. So it is a jam-packed session, and I hope to make the most of it. I'll be going through it at a bit of a faster pace, and in case you do have any queries, do, you know, drop me a line and I will slow down, or do ask your questions and I'll take it up immediately.

All right. So all of our past webinars and a lot more content you can find, whether on PCI or HIPAA, GDPR; that's our YouTube channel. You can search on YouTube, and you must have got that with the invite also. Just go there, do subscribe, and you'll see a lot of content is there, and you can just watch it for free. Now, it's been for the past three, more than three years now, we've been doing the webinars, and it is there live. So, and this is the bottom
line principle of our webinars, that is: it's always the question that enlightens and not really the answer. What I mean by that is, it is always very, very important to keep asking questions. So whatever your question is, do drop me a line. Typically speaking, there's an avalanche of questions in all my webinars, and I take it up on the fly as much as possible. But let me assure you and promise you that, in case there are just too many and I'm not able to take it up immediately, because, you know, it just extends the time too much, and many of the people attending today are our clients, many of them are very, very senior people and they would be having very tight timelines, so I try and, you know, stick to the timelines as much as possible. But I do get back to you; I will write back to you with my contact details, and you can always, you know, give me a call or write to me.

And this is a brief about me, a face to the name, and many of you have already met me also. So again, I'm the director for Vista InfoSec, myself up ECI QP AQS a CSS VC sassy risk, many other things. I have been in this area for more than, like, 25 years now. I have my own company, Vista InfoSec, and we are primarily into consulting, data security and information security.

And this is a brief about my company. We are based in Mumbai, India, but we have an office in US, your very office in Singapore; we work across New York and other states also, and we are also 7,000 certified. We are hundred percent vendor-neutral; that's one of the key reasons many of the companies work with us. We don't sell any products, but we give you advice right up to the product level, but we don't have any, you know, kickbacks or any understanding with any vendor. We have been ranked by delights as one of the fastest growing companies, and we are also certain empaneled, and many other things.

So let me jump directly into my service line. This is our service line. We are very strong on compliance and governance; there's a
separate team for all these various standards like PCI DSS, PCI PIN, PA DSS. We are ourselves, okay, we are also PCI DSS, PCI QPA and a PCI DSS QSA, rather, company. We are also in PA DSS, so we do all the certification, consulting, everything, and we are very strong on the international regulatory compliance also, whether it is PCI, GDPR, HIPAA or SOC 2.

Okay, going ahead, this is a few of our clients, the partial client listing that we have, so you know where I'm coming from and where our experience stems from. Okay, and in the end there is a survey after this webinar. Please do it; it will take a lot of time and we also spend a lot of money in doing this, so please do fill up the survey. Fill in whatever has been your experience, whether it is positive or negative; give your feedback, your questions, even your requests for future webinars, and we will address it. Thank you so much.

So with that, we jump right into it. A brief on the history of PCI DSS; I won't get much into it, just one slide, so there is a context to this webinar. This is how it was: the PCI Security Council was founded in 2004. Before that, each of those brands, Visa, MasterCard, American Express, Discover, JCB, they have their own data security requirements, and the merchants are going crazy, merchants and certain banks are going crazy, you know, satisfying different masters. So in 2004 the PCI Security Council, the Security Standards Council, was formed by these brands. It's not like a governing body or something, as many people feel; it is a private body or an institution, if I might say that, driven by these various brands. 1.0 was released in 2005, 1.1 in 2006, and in 2008 1.2 was released. And why I have written up till 2008 is because we started working on PCI DSS from 2008; it's been 12 years now. Our first client at that time was BillDesk; you know, it is India's number one payment processing company, payment gateway company, a very good company rather, and it's been a pleasure to be associated with them. And
from 1.2 and on, the latest version is 3.1, 3.2.1, sorry.

And these are the various council members, the brands associated with the PCI Council, as we saw: Visa, MasterCard, JCB, Discover and Amex.

And just to give a brief, because I have to show you how the various standards interplay. There is PCI DSS; we can start from right over here. PCI DSS applies to any company, as you must have seen; there is a whole series of webinars on our YouTube channel of Vista InfoSec, and you can get into more details. PCI DSS applies to any entity which is storing, processing or transmitting card information; by card it would mean debit or credit card, even prepaid cards. The next would be the PA DSS, Payment Application Data Security Standards, and that's what we are going to focus on today. It is basically concerned with payment applications, and, you know, there is an eligibility criterion also. And PCI PED, PIN entry devices; again, this is for the characteristics of the design of the PIN entry device as such, for the entry of the PIN on your, you know, ATM or the POS devices.

And this is how it is: PCI DSS covers all the security of the environment; it is environment specific. PA DSS is application specific. And then again, within this, there is PCI PTS, PCI P2PE, which is concerned with an entire solution, end to end, with regards to encryption, key management, everything; so an entire solution with regards to a product, that might be including services, gets covered in P2PE. And then again, PCI PTS: now over here there are different standards. There is PCI PTS POI, which is the point of interaction, which is all the, you know, devices associated with card entry and card usage; it could be your tap devices, NFC devices, swipe devices, everything. It is concerned with the hardware part. And PCI PTS PIN; again, this is where we are a certifying company also, as Vista InfoSec. PCI PIN is basically for the secure management, processing and transmission of the PIN. You know, once you swipe your card or you enter your card number or you, you know, swipe your card at an ATM or a POS device, you are supposed to be entering a PIN, and now this PCI PTS PIN is concerned with the secure storage, transmission, you know, and the processing of the PIN details that you enter when you put the card for authorization. And PCI PTS HSM is with regard to the, you know, hardware security module; the crypto devices are meant for managing and generating crypto keys. And last but not the least is, of course, PCI CP, card production, concerned with the printing and, you know, development of cards, of the hard, you know, the hard cards that you carry in your pockets. And again, as a company, we have done PCI card production assessment for many, many companies in India and overseas.

Now this is where PCI DSS applicability comes into place, and what is allowed and what is not. Now retain this slide in your mind if possible; I will go back to this slide also. So what is allowed and what is not: there is cardholder data, CHD as it is called as an acronym, where there is the PAN number or the card number, and so the storage is permitted, protection is required, that is, encryption is required. And there is a cardholder name. Now PCI DSS requirement 3.4 is basically concerned with the encryption of the card details. Now there is cardholder name, service code is there, expiration date; so these are the four details for which storage is permitted and protection is required. Encryption is mandated only for the card number; it is not necessary to encrypt the rest, but if you do, it is not really a problem. That's as far as PCI DSS is concerned.

And there is something called sensitive authentication data. This is an absolute, absolute no, you know, unless you are an issuer. Remember that it is an absolute no-no; there is no
compensating controls or anything that you can show. It's an absolute no-no: that is, the entire stripe data or the PIN block, or what is there on your, you know, the EMV cards that you have, the chip cards, so the storage of those chip contents or the PIN blocks or the CVV, all these come under something called SAD, or sensitive authentication data. So that is an absolute no-no at all, under any circumstance, unless you are an issuer, that is.

And this again is one of the key reasons why PA DSS is there. As you must have seen, of course, if it is unstructured data, meaning like Word, Excel, PowerPoint, then, in case you are maintaining your card details in a flat file or Excel or Word, you have to manage it on your own. But what happens if there is an application? Now, if there is a Word, Excel or a flat file, you can always do a search, or you can always, you know, open the files yourself and check. But what about applications? Like, there is a very, very well-known, you know, core banking system in India, and believe it or not, it doesn't, you know, encrypt the card details. Now when such an organization goes in for, you know, PCI DSS certification, it becomes a very big mess. So how do you ensure that the applications that you're implementing in your organization are satisfying at least the core basic requirements of PCI DSS? Now these are a few of the requirements, that is, you know, the card number has to be encrypted; for SAD data, absolutely no storage is permitted at all, so protection or encryption becomes a moot point. So what about the protection required of your card details? If you are purchasing an application, how do you know for sure that, you know, those people who are giving you that application are following all these requirements for protection of the application? And that is where, again, PA DSS comes
into play, so that the applications that you're purchasing are following these requirements of PCI DSS. There are many other requirements also; I'll come to that, but this was just like a starting point for that.

Okay, so this is the background for PA DSS. Currently the version is 3.2, and what we can see is that this applies to any third-party applications. There is a big eligibility criterion also, and I'll open that also for you, but these are a few things that are required to be done by your buyer organizations. And so if the application performs, what to say, whether it is doing authorization and/or settlement, then it is mandatory for the application to be PA DSS certified. PA DSS further ensures that an application can function in a PCI DSS compliant manner. What do I mean by that? See, basically speaking, I might like it there could be a company X that has made an application. Now remember this point I'm saying, because this will come up again. As an organization we might have, you know, we might be selling in our guess or prayer it is you to be used in a, you know, card environment, and it is, you know, PA DSS certified and all those things. But what if you buy the application and you implement it in a haphazard manner? Maybe you have not done the hardening of the web application properly, or the web platform or the operating system or the database, or maybe you've not changed something very basic as, you know, the default accounts and stuff like that. Then what happens? Then in that case, even though that application may have enabled the audit trails, or maybe submitted the right, you know, folders for monitoring under, you know, the file integrity monitoring requirement of PCI DSS, so how do I know that you have done those things properly or not? Maybe you can still mess it up because you've not implemented it properly. So then what happens? So that is where a PA DSS application, you know, it doesn't mean that your application
environment is fully certified and secure, because you might have still implemented it in a haphazard manner, and those are the areas that the auditor will still need to check. So, okay, I have got a process having five applications, and all the five applications are PA DSS certified. Does it mean that if I go in as a PCI QSA to do your PCI DSS audit, I don't need to validate that application? I need not get into the working of that application per se, but how that application has been implemented, tested, all those things are something that I still need to check. A PA DSS certified application can only mean that it is good enough to function in a PCI DSS compliant, and running a PA DSS application doesn't make your environment PCI DSS compliant. Rather, a PA DSS application is supposed to be implemented in a PCI DSS compliant environment, in a PCI DSS compliant manner, and it has to be implemented as per the PA DSS guide provided by the payment application vendor. That is all that it means.

So it is a comprehensive set of requirements for third-party applications only. It is distinct from PCI DSS, but it is still very well aligned with PCI DSS, and we'll get into that also in more detail.

Now, as far as applicability is concerned, PA DSS applies only to third-party applications, and only if it performs one of the key requirements. Another key requirement is that it has to be involved in either authorization and/or settlement. In my invite to you on the webinar I had mentioned that there is something of a scam going on. Well, this is where it is. Many of the so-called certifying bodies, PA DSS certifying vendors, companies, they say, okay, all the applications in the environment have to be PA DSS compliant, and it's not the case. I could be having an application that is simply drawing up an MIS from the card details, or it
could be looking into fraud risk management of the card, or it could be in anti-money laundering, again touching on the card details. So that mindset is silly when it says that if an application is touching card data it has to be PA DSS certified. That is absolutely not the case, and in a short while I will open up the PCI Council provided eligibility criterion, the actual document, so you know that these requirements are not something that I'm cooking up from the top of my head or as per my experience. Because the bottom line is what the Council says, not what Narendra says or Vista InfoSec or any other company says. The buck stops with what the Council has to say, not anybody else.

So PA DSS ensures that an application in a compliant manner. Okay, I'll pull up that chart now. They said this is the assessment environment for the PA DSS applications also. Now, PA DSS applications, the second point please, is something that you really need to think about or get in line on. Okay, my way of drawing a line is very bad; I'm doing this with my mouse and my keypad, so please bear with me. So it's in the scope: PA DSS validated payment applications are still in the scope of PCI DSS. This is mandatory. It is not that, okay, three applications and it is PA DSS certified. We get into arguments on this with many customers, not arguments, like heated discussions, because they are saying, we have PA DSS certified applications, why do you need to be in the scope? That is how it is, because you might have implemented it in a haphazard manner. PA DSS as a certification validates the architecture of the application; it doesn't validate, or it cannot really validate, how you implemented it. Now as an assessor I cannot challenge whether that application is PA DSS certified or not. If it has a certification, it has a certification, that's about it.
I cannot then challenge that this architecture of the application might still be risky. No, if it is certified, it is certified. But where it is implemented, that scope, that environment is still in scope of my assessment as a QSA. So as an assessor I have to look into those things. Again, I have shared here also: the payment application is implemented into a PCI DSS compliant environment. So remember this: getting a PA DSS application doesn't make you PCI DSS compliant. Rather, the PA DSS application has to be implemented in a PCI DSS compliant environment, and the application is implemented as per the PA DSS implementation guide released by whom? Not by the Council, released by the vendor. All the other system components, whether it is servers, databases, web servers, application servers, firewalls, network devices concerned with that PA DSS application, are still in scope. So as an assessor my focus will be on the application's implementation in accordance with the implementation guide and nothing else.

All right, so that said, let us move on. Now, payment brand compliance programs are there for PA DSS. Again, the other side of it is, many a time we have seen regulators, it could be the RBI, it could be a body like NPCI, and I'm not pointing at either of them, these are highly professional organizations and they know what they are talking about, and they might say to a particular gateway provider, or to an independent service organization or service provider in the ecosystem of payments, that this application that you're using needs to get PA DSS certified or attested or assessed. Now these applications might not be in the eligibility criteria of the PCI Council, but you still need to get it done. How that impacts is something I will come to. Okay, now give me a minute, I'll just pull up
that eligibility sheet that I mentioned so many times.

Okay, I hope you can see this sheet, which has been circulated by the PCI Council. It is not, as I said, my own thing. Now understand a few things. First of all, be very clear on the criterion: for the purposes of PA DSS, a payment eligible for review is defined as an application that stores, processes or transmits card data. And just to make it clear again, below, what you can see is the eligibility criterion for an application to get validated and certified as a PA DSS certifiable application. This is not something that I have cooked up; this is something from the Council itself.

So the first thing is, for the purposes of PA DSS, a payment eligible for PA DSS review and listing, the bottom line over here is review and listing, I'll explain to you what it means, is an application that stores, processes or transmits card data, is sold and distributed. The next part is the following list of questions, designed for further differentiating whether or not an application is eligible for review and listing by the PCI Council as part of the PA DSS program.

Now look at these questions. These questions are not an "or"; it is, you know, any of these questions: if the answer is yes, it means that you cannot be reviewed and listed and be known as a PA DSS certifiable application. So if the answer to any of the following questions is yes, the application is not eligible for validation under PA DSS. First, if it is a beta version. Second, does the application handle card data but the application itself doesn't do any sort of authorization or settlement? Now this thing is very critical, my dear friends. The reason is there are applications that handle card data but they are not doing any sort of authorization or settlement. So if half of that is true, again you are not eligible for PA DSS certification. Now the next thing, as you can see, does
the application require source code, sorry, does the application facilitate authorization or settlement but has no access to the cardholder data or sensitive authentication data? For example, there are payment applications that are accepting the card data, but then immediately, from the POS device itself, it is getting encrypted and gets directly transmitted to the bank for authorization and settlement or whatever the case. The application in itself is not having any visibility into the card data itself. So in that case again it is not temporary the next thing is buried itself or the organization for attempt that application cannot be PA DSS certified and listed on the PCI Council website.

Now, is the application a back-office system for reporting, CRM, reward, fraud scoring, anti-money laundering, all those things? Developed in-house? Developed and sold to a single customer? Or developed as a part of a library? Look at this: does this application depend on other software to meet application a single module but not submitted as a part of a suite? Or an application as a SaaS provider? There are many cloud system providers. This is extremely important again: if an application is a cloud model and not being sold, you cannot get listed as a PA DSS certified application. We get so many inquiries for this: I need to have my application listed because it's a SaaS product. No, it cannot be done. So what is the way? I'll come back to that also. Please quickly just go through this; if you have any queries you can just drop them in. So any web app, any mobile apps, all those things that are not dedicated only to payment acceptance, all these things, the Council can actually reject. If any of these things is a yes, your application cannot be listed on the PCI Council website. Be very clear on that.

Okay, there's a Sri there, he has asked for this document as a handout. So you ask and you receive, my friend. So what
I'm doing is that I'm uploading this particular document as a handout for the people of this webinar. Feel free to download it, and again it's there on the Council website for a free download. But as you are such lovely people who have attended my webinar, this is a handout for you. And in case you are watching this as a part of a recording on YouTube, do drop me a mail and we will mail it across to you also.

So jumping right back into my presentation, and that's where the presentation is, on the PA DSS applicability. So these other things also are not required. What is the applicability for PA DSS? Any operating system, database systems, back-office systems which are storing the cardholder data for the purpose of anything else than what you have seen earlier, it could be even something rudimentary, something like CRM, reporting, fraud risk management, money laundering, all those applications cannot be listed under PA DSS applicability on the PCI Council website.

Okay, again for zoo if al, you put in a question: how do you identify which application has to be PA DSS approved or compliant? Well, my friend, I think I just did a few slides for that, the eligibility criterion, and I'm uploading that as a handout now, so you can read it at your own leisure also. One sec. Yeah, so I've just uploaded a document, which applications are applicable for PA DSS. This is the same document that I showed you a couple of minutes back, so for sale and others, please feel free to download it.

There is the scoping for PA DSS. How do you scope a PA DSS? It's not just the application; what do you mean by the application? So coverage of all the payment application functionality, including but not limited to end-to-end payment functions, how it is being done, input and output, error conditions,
interface and connection to other file system components, what data is being sent out, to whom it is being sent out, all those things, the card data flow, the data flow diagram. And you actually might need to, depending on the application, actually prove it to the auditor that this is how the card data flow happens. Encryption mechanisms, key management mechanisms, authentication mechanisms, all those things get verified as a part of the assessment.

Okay, now there is another question: what is the link for downloading? Two things. First, I have already uploaded this document as a handout. Secondly, just go to pcisecuritystandards.org, go to the document section, select PA DSS, and there you can see the documents for downloading, including what I've just shown you. But as I said, you don't even need a link; you can just download from what I've given you, or you can just go to pcisecuritystandards.org. I'm typing out the link now.

Okay, there is Allen, he's asked another question: does the payment application in the EDC terminal need to be PA DSS compliant if it has PCI PTS? No. PCI PTS, if the application already has it, then it is not really required to be done. But what I always say, Allen, is that in all these things always get confirmation from your payment brand or your acquirer, or the best thing is always the payment brand. If it is an EDC terminal then it could be associated with one or two brands, so just ask those brands: this is what it is, do you still want me to get PCI DSS certified? Technically no; practically they might still ask you to. So we always say go ahead for it.

Okay, you are asking, Allen, is there any reference on the PCI Council website? Well, how do I say that. As an auditor ourselves, as a PCI QSA and a PA-QSA and PCIP and all those things, we have a lot of assessor meetings. The PCI Council is one of the best bodies I've ever seen, supremely professional, and over there they have a very nice session with all the QSAs, QPS and whatever, and PA-QSAs, all those things, and all these questions are taken up there. Now I don't think that content is open for the general public, but as I said, the best thing is that you can ask your brand. I'm giving you my opinion as an auditor and a certifying body myself, but I would always say get it certified, get it clarified, again not because I'm not sure about it, but more often than not we have seen the payment brands, for their own better-known reasons, I am not saying that they are wrong about it, for their own reasons might still ask you to do that. Like we were seeing payment brands asking applications who are not into authorization and settlement still to get certified. So that's a different story. So that's what I would request you to do. Thank you again for your question, Allen. Please do drop in any more if you have.

Okay, scoping of PA DSS. Again, this becomes a very painful topic, but this is something that is extremely important. It's a very tedious process. Many a time, people who come to us for PA DSS certification are under the impression that we are only going to do a web app sec and a mobile app sec and certify the applications, and it gets listed. Absolutely no. That is one of the areas, one of the points that needs to be checked, but that is absolutely the no-no, and that is not even 10% of the entire effort that goes into a PA DSS certification. So that's not really just the case.

Okay, so what all gets covered in the scoping for PA DSS compliance? Again, this content I have taken from the PA DSS documentation itself, so this is not my humble opinion. You know why I keep repeating that
that this is not my humble opinion? Because humble opinions are subjective by nature, and I then reserve the right to be misunderstood, or be wrong, or having misunderstood myself. But in that case this is a document that is directly from the horse's mouth, so that's why I make it very clear. Again, that doesn't mean that I don't know what I'm talking about. I've been in this industry for like twenty-five, more than 25, 26 years now, or 26 years, 27th year in progress now, so I definitely know what I'm talking about. But that said, this document is not from me; this content that you are seeing now is from the Council.

There has to be coverage of the guidance that the application vendor is supposed to provide, to ensure that, one, the customer knows how to implement the payment application in a PA DSS compliant manner; the customer is clearly told that certain payment applications may probably eight they're PCI DSS compliant. So the implementation guide becomes like the Bible for the application: the do's and don'ts, how you are supposed to be running the application, what you are not supposed to be doing, what changes, if you do them, will compromise. Like you buy a TV or a laptop or something and there is a sticker over there, "warranty void if removed". So what is the "warranty void if removed" for your application are the things that need to be clarified very, very clearly in your implementation document.

The guidance also needs to be provided even when there are specific settings which cannot be controlled by the payment application vendor, something like patching, something like the hardening of the database. So it is very well possible that you have designed the database of your application taking into consideration some database settings for securing the database per se. Now at the time of implementation maybe your organization implemented the proper database
hardening techniques, but some administrator violated it. Then what happens? You need to be very clear on the responsibility of the customer and not the payment application vendor. As I said again, the updates and the patches supplied for the underlying infrastructure like Windows, Linux, Oracle pipes, or the antivirus requirements, or the firewall requirements, or the Web Application Firewall requirements.

Coverage of all the selected platforms to be reviewed, including the versioning and what version is certified. Coverage of all tools for access of the cardholder data: it should be very clear on the reporting tools, logging tools in the application itself. The scope also covers all the tools that are ancillary to it; it's not just a data flow. So when I audit, I'll also be looking at the reporting tools, logging tools; I'll also be looking at the related software components which are included in the PA DSS software.

Now, coverage of any other payment applications required for the full implementation. It can also be that you might say, okay, for my application to work properly I need to have maybe a Tableau platform implemented, or some sort of a rational row sort of an implementation to be done, or some specific ERP product to be implemented. All those things need to be included as a part of your scoping and your audit. And also your versioning methodology. We have lost count how many times the software developers try to get a bit too smart in the way the versioning is done, so that they are able to sidestep the regular PA DSS certification requirements.

So going ahead, the PA DSS requirements. There are 14 requirements, and this is a free download; the entire standard you can download for free from the PCI Security Standards website. And these are the requirements. This is all the
requirements pertaining to the application. Remember this. If you have read PCI DSS as a standard, this is PA DSS; all these fourteen requirements are required from that application. Provide secure authentication, protect stored cardholder data, do not retain full track data. So this is something that has to be met by an application; that is why the PCI Council insists on off-the-shelf products to get certified. Facilitate secure network implementation; cardholder data must never be stored on a server connected to the Internet; remote access to the payment application; all these things. Encrypting sensitive traffic: by default, if you are having a hub-and-spoke feature in your application, the data has to be encrypted by default. You cannot tell the user of that application to install or ensure the VPN is in place; your application in itself should also be in a position to encrypt the data. And 13 and 14 are the training programs, the implementation guides for your personnel, customers, resellers and integrators of your application. I don't really have time to get into it in detail, but if you are interested in knowing about these requirements in more detail, I've passed you the link earlier: do go to pcisecuritystandards.org, go into the document section, select PA DSS and download the documentation.

And the completion steps, in case you're looking at PA DSS certification. First thing, the confirmation of the scope. This has to be validated by the auditor; it cannot be using it and Auditor accepting it. And then, as an auditor, perform the PA DSS application. Like in PCI DSS there is an ROC, in PA DSS there is an ROV, report on validation, and then there is finally an attestation of validation, both by the QSA and the software vendor. After the completion, assuming your application is eligible for listing as PA DSS on the PCI Council website, all these documents have to be
given to the Council. They will raise an invoice for you, running into a few thousand dollars, that has to be paid by the software vendor, and then the Council will go through all the documentation, validate the eligibility criterion, and if you satisfy all that and the payments are due, then it gets listed.

Now this last one that I said is very, very important, because many a time there are applications that get audited against PA DSS and they are not eligible for PA DSS listing on the Council website. In that case what happens is that, as an organization, I can issue a certificate to you that, as an auditor, I have checked and confirmed that this application is PA DSS compliant, but that application cannot get listed on the Council website. So if the eligibility criterion that we discussed earlier is not eligible in any manner, in any small area also, the Council will reject your application. In that case you can collect a certificate from your auditor. So if you appoint us, we can give you a certificate that, as per our attestation, this application of yours, of this XYZ company, in this version, is PA DSS attested or compliant, but not certified, because for that you have to go to the Council.

So a few examples of documentation that you need to provide at the time of attestation or audit. Look at this: software installation guide, training material, operator manual, implementation guide, internal documents, data flow diagrams, flow charts. Also, this is not just on a documentation basis. The auditor will need to install this application in his own laboratory or in the vendor's laboratory, that is, in the vendor's environment. It's not something that is just done using documentation and screenshots; it is implemented in the auditor's environment or in the developer's environment and validated. Change control mechanisms, everything has to be checked. So this is
the validation process. It is valid for three years, with an annual review that has to be done. Select the PA-QSA, I hope you select us, and we review the payment application. If the payment application is compliant after audit, we submit the report on validation, the docs, to the PCI Council. The PCI Council issues an acceptance letter to the vendor, that is you, and then finally the payment application gets listed on the website. If the payment application is not compliant, we submit the findings to the vendor, the vendor remediates the application, and then the circle goes on and on.

And these are the revalidation requirements, in case you are wondering. On the renewal date the vendor must prepare an annual attestation letter saying that, okay, no changes have been made, or minor changes have been made that do not impact the PA DSS environment. The definition of what is meant by minor and major is listed: any change that can make changes to any of the fourteen requirements of PA DSS cannot be counted as a minor change. It could be what data is stored, how it is stored, how the encryption is managed, how the keys are managed. So if you're adding a company name or a company logo at the top of the application, it is fine, those are minor changes. But you introduce a new module in the application flow, so the application flow chart has changed, those are major changes, and that requires a recertification by the PA-QSA.

So next, coming to the upcoming, that is the PCI Software Security Framework. Not many slides. I know I'm out of time, but I'll just take five, seven minutes more and take you through this; if you have any queries you can always drop me a line. It was published originally in Jan 2010, so published documents were published in June 2009. It came up for RFC, request for comments, in Jan 2019. June 2019 the standard came out. An application for
becoming SSF assessor companies, you know, we are a PA-QSA, going ahead you'll become an SSF assessor company, came up in October 2019. Then the SSF program opened up in Q1 of 2020, and the first SSF program listing is expected in Q3 of 2020. And then by 2021, June 2021, new app, so as of now PA DSS applications for new applications are accepted. Then again by 2022 and by 2023, 2022, that is by Q3, the PA DSS program closes. Until then you are eligible for even applying for PA DSS certification, but if you are coming up with a new application I would really suggest that you go ahead with the SSF program and get your applications listed over there. That will be the best approach, so your application becomes future-proof. That's it.

Okay, there are many questions now. There is Ronak, he has asked a nice question: if I use a payment processor, let's say PayPal Standard, do I need to pass PA DSS? So if your application is not accepting card data at all, not involved in authorization or settlement, this is a nice question by the way, and if your application is passing on the details using an iframe or something to a payment gateway for accepting the card details, debiting, and just settling out the money with you at the end of the week or whatever, then you need not get PA DSS compliant for your application. Because your application, as you saw earlier, is not getting into any sort of accepting of card data or authorization or settlement per se, so it's not required to get PA DSS certified.

Okay, there are many more questions, and as I promised you I will get back to you on this, but I really need to finish this session now. So what do the stakeholders need to know? Will remain listed until the end of October. Existing PA DSS will remain on the list of validated PA DSS until their expiry dates
or until the end of October 2022. At that time they'll be moved to, this is what happens, so if you ask, you are getting certified now or you're due to get certified, and what happens after 2022: they'll be moved to another list called "acceptable only for pre-existing deployments". That is, after October 2022 you cannot be rolling out your PA DSS certified applications anymore, but if it's a working application anywhere before October 2022 then it is valid. After October 2022 you cannot roll out new deployments of your PA DSS application. And new submissions for PA DSS validation will be accepted only until 2021, and that validation, assuming that you get certified by 2021, will expire by October 2022.

And once the SSF assessors are qualified and listed, the vendors can begin the validation process, and the PCI Council at that time will list both the Secure SLC qualified vendors, or the SSF qualified vendors, and the validated payment applications on their website. And if you are an existing member of the PCI Council, like a QSA or a PA-QSA, you can become an SSF, that is Software Security Framework, assessor. Then you are qualified to do both the Secure SLC assessments or the Secure Software assessments, or both, and for both programs you have to meet the qualification requirements; again, the listing is there on the PCI Security Standards website. Until then QSA is eligible for only doing Secure SLC. And for accepting the applications, the PCI Council has already started, and the training has already started by early 2020, and there is for everyone as you've already seen. And the PA DSS program will continue to be supported until the end of 2022, as you have seen, and
after that will be moved into a separate listing.

So moving ahead, I'll just quickly jump into secure coding requirements. Okay, Alan, thank you for your questions, a good question over here that I've received: if a client has already purchased a PA DSS application and has made changes in the branding, etc., does this impact the PA DSS scope, and to what extent? Okay, so if you have purchased a PA DSS application and only the branding, color scheme and all those things have changed, no need for getting PA DSS validated again, because everybody does that. Where it is needed is when any of the 14 requirements, as you have seen, is impacted, that is, payment flow changes, encryption changes, storage changes, new module added, edited, validated, updated; that's when revalidation is required.

Okay, Josh, nice question again: can you share the presentation? Of course. What happens is, since you've registered for this, you will also be getting the first look at the recording, so before the rest of the world you get a 15 days head start on that. So you will be getting a recorded session also before it gets hosted on YouTube.

So quickly on secure coding requirements as per PA DSS. Okay, I'll jump these things, how not to secure code. Most of the breaches that happen in a PCI DSS environment are primarily because of faulty applications; the applications get compromised, that's where the environment gets compromised, and that's where PA DSS came up with that standard. And there are many web application coding standards; you can use any of them. There is Vasek graphic over Stockton is there, see a symmetry standards are there, science standards are there; you can go through any and all of them. This is where the overlap with PCI DSS will happen, so with PA DSS happens PCI DSS 6.5, and there are many other sub-requirements pin over at 6.5,
6.6 talks about development of secure web applications. If your applications are PA DSS validated, then most of these requirements get covered by default, because you have used the right standards for secure development of your applications. And there are again the ongoing application validation requirements for emerging application threats, so a WAF is required, whether it's a PA DSS application or not. Yes, Ricky, right, so Ricky also, he took the word some amount, Ricky is also asking one question, that is, do I need to have a WAF even if there is a PA DSS application? Absolutely, Ricky. Even if you have a PA DSS application in place and it is exposed to the net, a WAF is mandatory as per PCI DSS requirements. And again, PA DSS, as a sum-up, applies only to commercial software, not to customized software.

So that brings me to the end, and I've got slightly about, and I'm very happy to see that almost all of you have stuck till the end; that shows how interesting and important this was for you. So thank you again for attending. As I requested, please fill up that survey that comes up as you exit this.

Now a few quick things for you. These are our past webinars, and you can see there are so many great webinars already hosted on our YouTube channel, tons of resources, all for free. As so many of you must have already seen, the thirty-third is three webinars before even the representative from the PCI Council, nothing but Naga, was there; he's one of the associate directors in the PCI Council, and he was there in a talk series with us. If you want to see that, it is there on our playlist of PCI webinars on our YouTube channel. The last one that we had was COVID-19 and business continuity, and this is what we did now. This is our YouTube channel; it's doing very well, there are many subscribers to it. And this
is a Facebook page do subscribe to it so it gets lot of you know tidbits of news channels and content and this is our LinkedIn page do connect with us on a LinkedIn page and be a part of the group on business continuity pci-dss and get a first look at lot of articles and blog contains and this is our if this is my contact details do drop us a line and we will get back to you so thank you so much and we will look how to seeing you again next next month and the next webinar that is due to open your ideas as to what you think should be there as the next topic so thank you again for being there and have a wonderful day and week ahead stay safe bye bye


Frequently asked questions

Learn everything you need to know to use airSlate SignNow eSignatures like a pro.


How do I eSign a document before sending it?

airSlate SignNow allows document authors to eSign a document before sending it and even add signature fields for recipients if needed. Just upload your file, open it, and create the respective signature fields: My Signature to self-sign a document and Signature Field to collect signatures. For self-signing, you’ll need to generate your own eSignature. To do so, apply the My Signature element and follow the instructions to type, draw, or upload your signature. Once you like what you’ve generated, click Sign. After that, assign signature fields to recipients, add their emails, send the document out, and wait. Once everyone has signed, airSlate SignNow will automatically send each party an executed PDF copy.

How do I sign a PDF electronically?

Sign a PDF online electronically without installing additional software or downloading any apps. airSlate SignNow is web-based, giving you the freedom to work on any device from any browser. You can upload various file types, including PDF and DOCX. Simply log in, choose a file, and upload it to get started. As soon as you open the document in the editor, click My Signature to sign. Type, draw, or upload an image of your electronic signature and save the changes. Once that’s done, your document is legally enforceable and ready to be sent to recipients or additional signers (just make sure to add Signature Fields and assign them).

How do I add an electronic signature to my document?

With the right tool, it’s fast and simple! Try airSlate SignNow and sign an unlimited number of documents hassle-free. Register an account, go to the user’s Profile, and complete the Personal Information page. Then, click on the Manage Signature link to create yours. Type it, draw it, or upload a picture of your handwritten signature. After uploading a document, choose My Signature on the left panel and click where you want it to appear in your sample.