SAQ A - minimum self assessment


Project Structure
-----------------------
Gap analysis
comply, don't comply, not sure
Prioritized approach tool - Prioritized_Approach_v3.xls
Crypto Key Management

Sell/license applications - PA-DSS
Service Provider

SAQ A - minimal, self assessment
SAQ D - involved

quarterly ASV external scans
compliance is separate from security
virtualization, treat system as circumscribed entities
pci and non pci, keep separate

scope - pci dss only applies to cardholder data environment (CDE)
no printers
outsource cardholder data
antivirus, malware
penetration testing & passwords


scope of compliance - cardholder data environment (cde)
volume

1. Card Brands
2. Acquirers - issue credit cards & payment processors, direct relationship
3. PCI SSC (DSS, Payment Application DSS, PIN standards)
4. Merchants

merchant agreement with payment processor or bank
-merchants
-service provider

payment island

Requirements
vs.
Validation
1) self assessment
2) QSA assessment, lead and independent

self-assessment questionnaire

SSC, 2005
-PCI Data Security Standard
-Payment Application Data Security Standard

Manage accreditation for certified assessors
800 distinct items

----------
PA-DSS Compliance and Ecommerce Templates

From Version 6.1 of Ecommerce Plus from Ecommerce Templates we are pleased to announce the software is officially certified PA-DSS compliant. Certification is provided by the PCI Security Standards Council.


What is PA-DSS?

PA-DSS is a certification process to ensure the security of data by requiring shopping cart and payment applications to adhere to an industry standard initially created by Visa. This includes the non-storage of sensitive data such as credit card numbers and validation code, application activity logging, secure logins and vulnerability testing amongst many other things.


Why is PA-DSS compliance important?

Your ecommerce software is just one factor in being PCI compliant as it also involves your hosting company and payment processor for example. If you are not using a PA-DSS compliant shopping cart like Ecommerce Templates, it is unlikely you will be PCI compliant. This can result in higher fees, fines and even revocation of the ability to take online payments. 

It also means that you are working with a vendor that takes your online security extremely seriously. Certification is not a simple rubber stamp process but takes many weeks of code changes, testing and documentation to have the application approved.

What it means for your store
----------------------------
Activity and event logging in the control panel dashboard
Forced minimum password length with alpha-numeric content
Periodic forced password change
Maximum number of incorrect password attempts
Automatic logging off from control panel after a period of inactivity
No card holder data stored
All passwords are transmitted and stored in hashed form

For example, one of the features of PA-DSS compliance is that you will be logged off from the control panel following 15 minutes of inactivity. In Version 6.2 we introduced a warning alert box that will advise you that you are about to be disconnected from the control panel and allows you to maintain your session in the admin.
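Added example (not Ecommerce Templates' code) modelling the admin-panel controls listed above: alpha-numeric minimum password length, hashed password storage, lockout after repeated failures, and the 15-minute idle logoff with a warning state shortly before it. The 15 minutes comes from the page; the other thresholds are assumptions.

```python
import hashlib, hmac, os, time

IDLE_LIMIT = 15 * 60        # seconds of inactivity before forced logoff (from the page)
WARN_BEFORE = 60            # assumed: enter the "warning" state this long before logoff
MIN_PASSWORD_LEN = 7        # assumed minimum password length
MAX_FAILED_ATTEMPTS = 6     # assumed lockout threshold

def password_meets_policy(pw: str) -> bool:
    """Forced minimum length with alpha-numeric content (letters AND digits)."""
    return (len(pw) >= MIN_PASSWORD_LEN
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))

def hash_password(pw: str, salt: bytes = None):
    """Return (salt, salted PBKDF2 hash); only the hash is ever stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

class AdminSession:
    def __init__(self, salt, pw_hash, now=time.time):
        self.salt, self.pw_hash, self.now = salt, pw_hash, now
        self.failed = 0             # consecutive incorrect attempts
        self.last_activity = None   # None means not logged in

    def login(self, pw: str) -> bool:
        if self.failed >= MAX_FAILED_ATTEMPTS:
            return False            # locked out: too many incorrect attempts
        _, candidate = hash_password(pw, self.salt)
        if not hmac.compare_digest(candidate, self.pw_hash):
            self.failed += 1
            return False
        self.failed = 0
        self.last_activity = self.now()
        return True

    def status(self) -> str:
        """'active', 'warning' (about to be disconnected) or 'logged_out'."""
        if self.last_activity is None:
            return "logged_out"
        idle = self.now() - self.last_activity
        if idle >= IDLE_LIMIT:
            self.last_activity = None   # automatic logoff after the idle period
            return "logged_out"
        return "warning" if idle >= IDLE_LIMIT - WARN_BEFORE else "active"

    def touch(self) -> None:
        """Any activity, or 'keep me logged in' on the warning box, resets the idle clock."""
        if self.status() != "logged_out":
            self.last_activity = self.now()
```

The `now` parameter is injectable so the idle clock can be driven deterministically in tests.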