PA-DSS: Payment Application Data Security Standart

New articles about PA-DSS

2010-05-21T12:56:00.000-07:00

This week gives us 2 interesting articles about PA-DSS

1. PCI Compliancy And The PA-DSS Protects Those Involved In E-Commerce

2. PA-DSS – Things to remember

latest certified PA-DSS applications. 11 may 2010

2010-05-11T12:21:00.000-07:00

by the 11 th of may we have 7 new certified applications from 6 vendors:
4 of them are completely new and 3 are re qualified versions of old applications.
5 of them are POS applications and 1-Payment Gateway 1-Payment Midleware.

1. (NEW)AccuPOS 10 by Attitude Positive
2. (NEW)AccuPOS 11 by Attitude Positive
3. (NEW)Star~Lite by Auto~Star Compusystems, Inc.
4. (REQUALIFICATION)ICON 9.0X by Civica
5. (REQUALIFICATION) ChargeItPro 3.03 by Payment Processing Partners, Inc.
6. (NEW)ProfitMaster Payment Interface (PPI) by ProfitMaster Canada
7. (REQUALIFICATION) InFusion 3.50 SP3
by Partech

all information was taken from official site of PCI Council by the 11th may of 2010

Prepare to "Jackpotting Automated Teller Machines Redux"

2010-05-11T07:00:00.000-07:00

In near BlackHat event 2010 in Las Vegas Barnaby Jack will show us a presentation about remotely and locally attacking ATM's and also an example of ATM rootkit. I hope it will be wery interesting because Jack's presentation in 2009 was halted by ATM Vendor because those vulnerabilities was 0-days and very critical. So get ready !

Here is some text from announcement:

"Jackpotting Automated Teller Machines Redux"

The presentation "Jackpotting Automated Teller Machines" was originally on the schedule at Black Hat USA 2009. Due to circumstances beyond my control, the talk was pulled at the last minute. The upside to this is that there has been an additional year to research ATM attacks, and I'm armed with a whole new bag of tricks.

I've always liked the scene in Terminator 2 where John Connor walks up to an ATM, interfaces his Atari to the care presentation "Jackpotting Automated Teller Machines" was originally on the schedule at Black Hat USA 2009. Due to circumstances beyond my control, the talk was pulled at the last minute. The upside to this is that there has been an additional year to research ATM attacks, and I'm armed with a whole new bag of tricks.

I've always liked the scene in Terminator 2 where John Connor walks up to an ATM, interfaces his Atari to the card reader and retrieves cash from the machine. I think I've got that kid beat.

The most prevalent attacks on Automated Teller Machines typically involve the use of card skimmers, or the physical theft of the machines themselves. Rarely do we see any targeted attacks on the underlying software.

Last year, there was one ATM; this year, I'm doubling down and bringing two new model ATMs from two major vendors. I will demonstrate both local and remote attacks, and I will reveal a multi-platform ATM rootkit. Finally, I will discuss protection mechanisms that ATM manufacturers can implement to safeguard against these attacks.

Passport® with PA-DSS Point of Sale System is using by Heartland, RBS WorldPay and many others

2010-05-11T06:34:00.000-07:00

More Networks Certify Passport® with PA-DSS Point of Sale System

"GREENSBORO, N.C. – May 5, 2010 – Heartland Payment Systems (Dallas) for CITGO, Marathon and unbranded customers, along with RBS WorldPay, have approved Passport with PA-DSS point of sale system software for retailers on their networks. They join BP, Chevron, Concord (Gulf, Sinclair, Sunoco, Valero and unbranded), ExxonMobil, NBS/Cenex, and Shell software applications that are already shipping."

Passport has the most networks approved with a PA-DSS validated application for convenience store operators.

PA-DSS and opensource part 2

2010-05-04T12:02:00.000-07:00

another one article about opensource PA-DSS applications

latest certified PA-DSS applications. 3 may 2010

2010-05-03T12:00:00.000-07:00

by the 3rd of may there are 7 new certified applications:

1. ActiveRetail Enterprise by Argility

2. IVR for Payment Gateway (IVRFPG) by Bay Talkitec

3. CAGE by Innovative Control Systems

4. OPERA Enterprise Solution by Mircos

5. X-Series TMS by Panasonic

6. VersaPOS by Systime Computer Systems

7. VenuemasterВІ by Ticketmaster UK

all information was taken from official site of PCI Council

Application Security and pa-dss certification

2010-04-26T14:58:00.000-07:00

I've posted my presentation from cardexpo. Firstly it is about importance of application security in a PCI Security area and of cause about a PA-DSS standard and advantages for application vendors and merchants for getting PA-DSS compliance.

Application security and pa dss certification

View more presentations from Alexander Polyakov.

Hacking ATM

2010-04-23T09:11:00.000-07:00

really good presentation by Dimitris Petropoulos about ATM and HSM hacking which combines all known and new attacks on PIN algoritms. Must see for everyone who is interested in PIN (IN)security :)

NEW TOPIC: "Complying with PA-DSS" Requirement 5.2.1 (Practical guide to fix XSS vulnerabilitiess)

2010-04-22T14:26:00.000-07:00

I topic "Complying with PA-DSS" i will show a different ways which will help you to comply with different Requirements.
So as we start to talk about web application security in previous topic lets continue in this area. The most popular web application vulnerability is XSS as u mentioned earlier so here is the guide for developers how to fix XS vulnerabilities and write secure code.

Importance of web application security in PA-DSS certification

2010-04-22T14:04:00.000-07:00

WhiteHat Security published report with different statistics about web application vulnerabilities which shows the importance of web application security assessment which is needed in Requirement 6.5 of PCI DSS and 5.2 of PA-DSS.
More on importance of application security in PA-DSS assessment in presentation from Cardexpo which will be available soon.

OWASP Top 10 Final version Released

2010-04-20T13:45:00.000-07:00

On April 19, 2010 OWASP released the final version of the OWASP Top 10 for 2010, and here is the associated press release.

The OWASP Top 10 Web Application Security Risks for 2010 are:

A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

Now u must use those risks in PCI DSS and PA-DSS compliance assessments .

New topic: latest certified PA DSS applications

2010-04-19T08:21:00.000-07:00

From this day i will post here the latest PA-DSS certified applications:

This week we have 2 press releases:

1. 17 april 2010: SalePoint Announces PA-DSS Validation of Trovato Point of Sale Software
2. 13 april 2010 Hypercom Payment Software Earns PCI PA-DSS Security Validation

PA DSS and open source applications

2010-04-19T07:09:00.000-07:00

Really good article about problems of certificating open-source applications.

As i see (And my point of view is the same like in article), the most problems lay on the process of development. Those things like SLDC, secure updates, change control and documentation of process is really hard to implement when u talk about open-source software. And of-cause there if a problem with payment for certification,i don't think that developers can pay 30k$ or about for certification precess )

Developers Guide to PCI DSS and PA-DSS Requirements

2010-04-16T14:38:00.000-07:00

While searching information for my feature talk about Application Security and PA-DSS Complience in CardExpo Conference which will be held in Moscow (Rusiia) 20 april I found a good video for developers about PCI and PA DSS Compliance from OWASP MSP 2009 by Sets Peter.

ATM's and PA-DSS

2010-04-13T14:06:00.000-07:00

ATMs: PTS, PCI DSS, or PA-DSS? In 2 worlds the answer is:

PTS applies to the PIN pad component of ATM
PA-DSS applies to the software running on ATM (potentially)
PCI DSS applies to the company that drives the ATM network

more information here ATMs: PTS, PCI DSS, or PA-DSS? by Michael Dahn

ipad and PA-DSS

2010-04-12T15:20:00.000-07:00

interesting article about Ipad Applications and PA-DSS link. BTW the first (if believe to authors) PA DSS compliant application is available in istore.

P.S. I take a look at List of Validated Payment Applications and did not find anything about this application. So u must be aware of such types of applications :)

pcidssrussia 2010

2010-04-07T02:14:00.000-07:00

In 17th march i make a talk in pcidssrussia2010 conference which was wery great event btw. I have 2 talks in this conference. One was about technical aspects of PCI DS Compliance where the main idea was "Thinking about purpose of requirement may help u to save time, money and make good solution which will be Secure and Compliant"

Another talk was about introduction to PA-DSS for beginners. Nothing special but good starting point.

download presentation (In Russian)

beginning

2010-04-07T01:54:00.001-07:00

Hello my name is Alexander Polyakov. I work in a Digital Security Company as a lead of it security audit department and I also a head of our research group DSecRG which focused in finding vulnerabilities and research in enterprise application security area.

As I am also PCA QSA and PA QSA I decide to start new project in payment application security area and write here my research and thoughts about this. So ewerybody wellcome!