Sponsored Content: Nelnet Campus Commerce

PA-DSS, PCI DSS: Why It's Important and How It Works

With a PA-DSS validated product, institutions may need to do more work in-house to maintain the necessary levels of information security.

As campus IT and business offices evaluate their processes in the wake of COVID-19 restrictions, changing campus policies and ever-evolving technology priorities make keeping payments compliance top of mind more critical than ever. Maintaining compliance for software applications that process payments is demanding, requiring regular audits and reports as well as knowledgeable, credentialed staff.

The security of cardholder information is of the highest importance. Institutions face a choice: install a software application on-site and maintain Payment Card Industry Data Security Standard (PCI DSS) compliance for all payments processed on campus, or partner with a software-as-a-service (SaaS) vendor or application service provider (ASP) that maintains the software to be PCI DSS compliant, thereby reducing the institution's compliance scope.

Historical Overview

Payment processing applications are governed primarily by the Payment Card Industry Security Standards Council (PCI SSC), which maintains security policies and procedures based on requirements from major payment brands like VISA.

"PCI DSS covers the security of the environments that store, process, or transmit account data," said Patricia Ellington, IT manager of cybersecurity at Nelnet Campus Commerce. "This includes requirements for the security management, policies, procedures, network architecture, secure software design, security awareness training, and other critical protective measures."

The Payment Application Data Security Standard (PA-DSS), established in 2008, is derived from the PCI DSS and details the requirements that payment applications must meet to be PCI DSS compliant (and therefore what a payment application must support to facilitate the institution's PCI DSS compliance). PA-DSS requirements are intended to help software vendors develop secure payment applications that support PCI DSS compliance when installed within their customer's PCI DSS environment.

"In other words, PA-DSS validated payment applications must facilitate—not prevent—PCI DSS compliance," Ellington said. "When an institution purchases a PA-DSS validated product, they receive a software application and the responsibilities for providing the infrastructure support and maintenance that will support the application; installing the application in a PCI DSS-compliant manner; and maintaining, administering, and supporting the application, all within their PCI DSS environment."

This entails a lot of work for the institution. IT staff will use the vendor's implementation guide to install the application on-site in a PCI DSS-compliant manner. The PA-DSS software must meet all PCI DSS requirements, including the following:

  • Having a process for securely deleting stored cardholder data that exceeds defined retention
  • Configuring and patching systems that support the application to meet configuration standards
  • Implementing file integrity management, antivirus, and audit logging on the systems that support the application
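The three bullets above are the kind of controls an institution must run itself when it hosts a PA-DSS application. As an added illustration (not code from the article or from Nelnet Campus Commerce), the script below implements two of them in miniature: a retention sweep that purges records older than a defined retention period and writes an audit entry for each deletion, and a file-integrity check that hashes a set of files into a baseline and later reports any file whose hash has changed or that has gone missing. The 90-day retention period, the record layout, and the sample records are assumptions constructed for the example; a real deployment takes the period from the institution's data-retention policy.

```python
"""Retention enforcement and file-integrity checks for a cardholder-data store.

Added example. Record layout, retention period and sample data are constructed
for illustration; they are not taken from any product or standard text.
"""
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumed retention period. Real value comes from the institution's policy.
RETENTION_DAYS = 90

# Constructed sample records. Each holds a token reference, never the PAN itself,
# and the UTC time at which the record was stored.
SAMPLE_RECORDS = [
    {"id": "txn-0001", "stored_at": "2020-01-05T10:00:00+00:00"},
    {"id": "txn-0002", "stored_at": "2020-03-20T10:00:00+00:00"},
    {"id": "txn-0003", "stored_at": "2020-04-01T10:00:00+00:00"},
]


def expired_records(records, now, retention_days=RETENTION_DAYS):
    """Return the ids of records stored earlier than now - retention_days."""
    cutoff = now - timedelta(days=retention_days)
    return [r["id"] for r in records if datetime.fromisoformat(r["stored_at"]) < cutoff]


def purge_expired(records, now, audit_log, retention_days=RETENTION_DAYS):
    """Drop expired records, append one audit entry per deletion, return the rest."""
    to_delete = set(expired_records(records, now, retention_days))
    kept = []
    for r in records:
        if r["id"] in to_delete:
            audit_log.append({"event": "retention_purge", "record": r["id"],
                              "at": now.isoformat()})
        else:
            kept.append(r)
    return kept


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each path to its current SHA-256 digest."""
    return {str(p): sha256_file(p) for p in paths}


def verify_baseline(baseline):
    """Return the paths whose current digest differs from the baseline or which are missing."""
    changed = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists() or sha256_file(p) != digest:
            changed.append(path)
    return changed


def retention_demo():
    """Run the sweep against the sample records at a fixed 'now' and return (kept ids, audit)."""
    now = datetime(2020, 4, 15, tzinfo=timezone.utc)  # constructed reference date
    audit = []
    kept = purge_expired(SAMPLE_RECORDS, now, audit)
    return [r["id"] for r in kept], audit


def integrity_demo():
    """Baseline a temporary config file, tamper with it, and return the change counts before/after."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "app.conf"
        cfg.write_text("retention_days = 90\n")
        baseline = build_baseline([cfg])
        before = len(verify_baseline(baseline))
        cfg.write_text("retention_days = 3650\n")  # simulated unauthorised change
        after = len(verify_baseline(baseline))
    return before, after


if __name__ == "__main__":
    print(retention_demo())
    print(integrity_demo())
```

In practice the audit entries would go to a write-once log and the baseline would be stored and signed outside the host being checked; the point of the example is only that both controls are straightforward to automate, but someone on the institution's staff still has to own, schedule, and review them.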

Compliance requirements vary depending on the number of transactions processed annually by an institution. A smaller institution with a limited number of transactions per year may be able to complete a self-assessment questionnaire (SAQ), a self-validation tool to assess security for cardholder data. Large institutions that process high volumes of payment transactions may be required to work with a PCI Qualified Security Assessor (QSA) to complete more in-depth assessments, with the level of certification depending on the number of annual transactions.

"Nelnet Campus Commerce is PCI Level 1 assessed based on the number of transactions we process annually," Ellington said.

A PCI DSS assessment can take around two or three months and evaluates evidence of compliance with PCI standards covering an entire year. This validates that the institution's business-as-usual activity—the activity throughout the year, not just during the evaluation period—supported PCI DSS compliance requirements.

"The PCI QSA annually confirms you are meeting both technical and nontechnical requirements throughout the year. In order to accomplish this, the PCI QSA requires evidence, interviews, and also some hands-on reviews of devices, files, and procedures during the assessment period," Ellington said.

The PCI QSA's role is to provide assurance that you meet all PCI DSS requirements.

"Most people are unaware that there are many nontechnical requirements that are evaluated, including hiring practices; security awareness training; assigning roles and responsibilities to meet the requirements; maintaining and testing incident response; and creating policies, standards, and processes to support the intent of the requirements," Ellington said. "There are also many technical requirements, including periodic reviews of firewalls and routers, file integrity monitoring, antivirus and malware protection, backup and restoration validations, logging activities, meeting retention requirements, timely patching of devices, operating systems and applications, and vulnerability management, including internal and external quarterly scans and annual penetration tests."

"Those are just some of the many technical requirements that will need to be maintained and will be reviewed by the PCI QSA."

Relieving the Burden: A Hosted Solution

On the other hand, institutions that choose vendor-hosted solutions or SaaS find that they have reduced their compliance scope since the application software provider is responsible for ensuring that the hosted environment is secure.

"The PCI SSC does not require that an entity use a PA-DSS validated application. An application with the PA-DSS certification only denotes that the application can be configured to meet PCI DSS requirements," Ellington explained.

When a client decides to use our PCI DSS validated SaaS solutions, they know that our business adheres to industry-leading PCI standards to manage our network, secure our web-based applications, and set policies across our organization. Nelnet Campus Commerce has its own cybersecurity group, which works closely with the corporate cybersecurity group of parent company Nelnet, Inc. Together we employ an array of experts in compliance and security. We are assessed as a Level 1 PCI DSS service provider, which means that our business responsibility is to ensure the following:

  • An annual PCI DSS assessment is completed by an external PCI Qualified Security Assessor (PCI QSA).
  • A vulnerability-management process is in place that includes regular scans and penetration testing as well as timely patching based on risk.
  • The application is developed, installed, configured, and maintained to meet or exceed PCI DSS requirements.
  • Security applications are in place and monitored, and engineering staff are alerted of any anomalies.
  • Incident response, disaster recovery, and business continuity plans are in place, tested, and validated.

"We ensure that PCI compliance is part of our business-as-usual process by monitoring security controls; reviewing hardware and software technologies to ensure they are supported by the vendor and meet security standards; evaluating changes to the environment or the organizational structure; performing periodic reviews and communications to confirm all PCI DSS requirements continue to be in place and personnel are following secure processes; and verifying that appropriate evidence is maintained to assist in the PCI DSS compliance assessment," Ellington said.

Building Trust

While protecting cardholder data is key, institutions must take into account the full scope of their compliance responsibilities. This becomes especially important as many institutions are facing tighter budgets. In order to continue to best serve your students and broader stakeholder communities—alumni, sports fans, neighbors, etc.—institutions must be able to provide flexible payment options that are mobile-device friendly and secure.

Partnering with a provider that maintains and is committed to being a Level 1 PCI DSS service provider can relieve institutions of most of the burden of securing payment information, allowing institutions to focus their energies on doing what they do best: providing students with educational opportunities.

"Knowing that Nelnet Campus Commerce is committed to taking the responsibilities of being a PCI DSS-compliant provider assures our institutional partners that we are taking all the extraordinary measures to secure the data they have entrusted to us," Ellington said.

If you are interested in learning more about compliance and payments, view more on demand about the Payment Industry Evolution and the Impacts on Compliance.

This article was previously published on the Nelnet Campus Commerce website as "Relieving the Burden of a Hosted Solution: The Impact of PA-DSS."

Linda Hansen is a Proposal Writer at Nelnet Campus Commerce.

© 2020 Nelnet Campus Commerce.