The Hudson Group is fully engaged in PA-DSS!
Date: December 2016
Achieving and maintaining PCI Payment Application Data Security Standard (PA-DSS) acceptance is a constant and ongoing process for The Hudson Group. The standards put forth by the Payment Card Industry (PCI) Security Standards Council continue to change. As technology evolves and threats to online security become more aggressive, the requirements included in the standard change too.
When The Hudson Group first began pursuing PA-DSS validation for the core HGTS suite of applications, the Council was at version 2 of the standard. Once validated to that version, Hudson's payment application technology did not change or evolve, even though the standard continued to change. The initial validation was renewed every 12 months, directly with the PCI Council, by submitting documents attesting that no changes in payment processing technology had occurred. Hudson's HGTS suite continued to be a PCI "Accepted" application for new customer deployments.
In late October 2016, version 2 of the PA-DSS standard "expired". When this happened, the HGTS suite lost its PA-DSS acceptance for "New Customer Deployments" only. Any clients who were using HGTS on or before 10/28/16 continue to be covered by the Hudson PA-DSS validation issued by the PCI Security Standards Council. This can be verified by visiting the PCI website and viewing the list of applications approved for previous deployments. The image below shows that HGTS is still PA-DSS Accepted for current deployments.
As of December 2016, the PA-DSS standard is at version 3.2 (for those who want to know what Hudson has to do to comply with the standard, the requirements can be downloaded here: File:PA-DSS v3-2.pdf). The Hudson Group continues to work with Trustwave, our approved Qualified Security Assessor (QSA), to re-evaluate Hudson's core suite of products. Trustwave evaluates the software applications and then reports back on the items that Hudson developers need to modify in order to meet the latest standard. Only a few application-related items are actually being updated. One of these is the encryption standard used to secure information in the back-end database: strong, PA-DSS-approved encryption is already present, but stronger algorithms are being put in place to meet the new standard. Another item being updated is the way in which Hudson support technicians access client systems in order to troubleshoot application issues that may arise.
Perhaps the most time-consuming part of the re-evaluation process is updating the 7 detailed manuals and internal training programs required by the PCI Council, which document the secure development and troubleshooting procedures followed by Hudson. The standard is as much about the security of our processes as it is about our applications. It took nearly 3 years for Hudson to achieve its initial PA-DSS acceptance. We will work with Trustwave and the PCI Security Standards Council to meet the requirements for PA-DSS acceptance under the latest standard. Watch for updates and more information in 2017!