Back to Forum

PA-DSS otherwise known as Payment Application Data Security Standards

Last post 03:35 pm August 4, 2019 by Nitesh Bansal
5 replies
Paul Eloe
05:42 pm July 30, 2019

I'm looking to see how many teams out there deal with the PCI council and create applications that handle credit card data.

I would like to discuss and connect with those teams and their PA-DSS/PCI-DSS personnel, if possible, how they have implemented the PA-DSS requirements into their scrum/sprint teams and practices.

Thank you in advance.

 

Best regards,

 

Paul

Eric Naiburg
08:41 pm July 30, 2019

Hi Paul,


Here is an article that I have written on Security as part of the Definition of Done.  I have also done a lot of PCI work in the past and worked with the PCI council as my last company was managing the infrastructure for Payment processors and we had to be PCI and HIPAA compliant.

Paul Eloe
08:59 pm July 30, 2019

Eric, I had the opportunity to read your article and it's great from a theoretical POV.

However, I'm looking to hear more from those who have practical experience implementing PA-DSS 3.2 for their companies' payment applications in conjunction with their internal scrum team practices.

Thanks.

Ian Mitchell
09:51 pm July 30, 2019

I'm looking to hear more from those who have practical experience implementing PA-DSS 3.2 for their companies' payment applications in conjunction with their internal scrum team practices.

Is the implementation of PA-DSS 3.2 a complex problem for which there are many unknowns?

Paul Eloe
02:30 pm August 1, 2019

Ian,  The PA-DSS 3.2 requirements are such that there are supposed to be checks and balances in place during the SDLC as well as a separation of duties.  The reasons for this are to prevent malicious code from being published to customers that would either compromise customers SAD, PAN, or credit card data in any way.  Likewise there are proscriptions that apply to other aspects of a merchants business that process credit card transactions.  Wireless access points, physical access to systems, etc.

I'm seeking input from any teams or individuals that have been or currently are involved in the design, implementation, and deployment of payment applications to an already existing customer base.

Nitesh Bansal
03:35 pm August 4, 2019

Hello Paul,

I work for a Payments company.

Here are somethings in place in our company:

  • Team members follow annual PCI-DSS training to ensure that they are up to date with their knowledge.
  • To ensure that code quality meets PCI standards, every team member is provided with a list of Secure Coding Guidelines, code reviews are in place, so there are any violations in the new code, hopefully it is caught in the code review.
  • We have some monitoring tool which triggers an email if any Sensitive data makes it to DB, logs...
  • There is ofcourse an annual audit of the compliance.

Does it help?

By posting on our forums you are agreeing to our Terms of Use.

Please note that the first and last name from your Scrum.org member profile will be displayed next to any topic or comment you post on the forums. For privacy concerns, we cannot allow you to post email addresses. All user-submitted content on our Forums may be subject to deletion if it is found to be in violation of our Terms of Use. Scrum.org does not endorse user-submitted content or the content of links to any third-party websites.

Terms of Use

Scrum.org may, at its discretion, remove any post that it deems unsuitable for these forums. Unsuitable post content includes, but is not limited to, Scrum.org Professional-level assessment questions and answers, profanity, insults, racism or sexually explicit content. Using our forum as a platform for the marketing and solicitation of products or services is also prohibited. Forum members who post content deemed unsuitable by Scrum.org may have their access revoked at any time, without warning. Scrum.org may, but is not obliged to, monitor submissions.