Contact FortConsult if you wish to know:
- How to interpret the security requirements in PA DSS
- Whether you have the option of exemption from PA DSS certification
- How to be PA DSS validated in the quickest and most straightforward manner
- How you can minimise your costs in qualifying for PA DSS validation

We can also help you obtain PA DSS validation.

FortConsult is the only Danish enterprise which is certified by the credit card companies to both conduct audits and security scans of enterprises' critical payment systems in accordance with PCI DSS - and to check security in payment software in accordance with PA DSS.

The security requirements in PA DSS revolve around how payment applications are developed, tested, installed and maintained, which documentation has been developed, and which security measures have been implemented by the vendor.

In addition to the requirements from the acquiring bank, you will probably experience added pressure from your customers who need your software to be validated in accordance with PA DSS. Your customers - the shops - also have to be security validated - but in their case in accordance with PCI DSS. If your software is not PA DSS compliant, your customers cannot be validated.

The most important requirements in PA DSS include:
- Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data
- Protect stored cardholder data
- Provide secure authentication features
- Log payment application activity
- Develop secure payment applications
- Protect wireless transmissions
- Test payment applications to address vulnerabilities
- Facilitate secure network implementation
- Cardholder data must never be stored on a server connected to the Internet
- Facilitate secure remote software updates
- Facilitate secure remote access to payment application
- Encrypt sensitive traffic over public networks
- Encrypt all non-console administrative access
- Maintain instructional documentation and training programs for customers, resellers, and integrators

Expiry of PA DSS certification

Payment software must be security revalidated every time a new version of the software containing major changes is released. Generally speaking, security validation is valid for a minimum of 3 years, in that certification expires 3 years after a new version of PA DSS is issued. For example, software that has been PA DSS validated according to the first version, 1.1, will be valid until October 2011, because it was superseded by version 1.2 in October 2008. Similarly, software which is PA DSS certified according to version 1.2 will be valid for at least 3 years from the date on which version 1.2 expires and is superseded by a new version.

You can read more about the security requirements in PA DSS in the following, as well as how to obtain PA DSS validation in the easiest possible manner.

- PCI DSS certified in 2004 to perform security scans as the first and only company in Scandinavia.
- PCI DSS certified in 2005 to conduct audits as the first and only company in Scandinavia.
- Chosen by the bank sector in Denmark to help all Danish bank data centres to acquire PCI DSS validation due to our early PCI DSS certification, our considerable experience in the PCI area and our extensive knowledge of the financial sector.
- Permanent PCI DSS service provider to all Danish banks needing PCI DSS assistance.
- Has carried out PCI DSS tasks for some of the biggest retail chains in Scandinavia at international level.
- Is today the leading PCI DSS service provider in Scandinavia and the Baltic. We have, for instance, certified more than 60 percent of the enterprises on VISA's list of validated Scandinavian service providers.
- PA DSS certified in 2008 as the first and only company in Denmark - and among the first 14 in the world.