PA-DSS

PA-DSS Certification

PA-DSS, the Payment Application Data Security Standard, sets requirements for software that processes cardholder data and is closely related to the PCI DSS standard. PA-DSS certification is required for payment applications that store, process or transmit cardholder data during transaction authorization and during settlement between the participants of the payment process. The certification requirement applies only to applications developed for sale or for transfer under a license agreement.

Where the PA-DSS standard applies

  • The PA-DSS standard applies to payment applications that are sold and installed as ready-to-use products, without significant changes being made by the software vendor.
  • The PA-DSS standard applies to payment applications supplied as software modules, usually consisting of a core module and additional modules that either depend on the specifics of the client and the desired features or are changed at the client’s request.
  • The PA-DSS standard may apply to the core module only, if that module alone performs payment functions (this is to be confirmed once by a Payment Application Qualified Security Assessor, PA-QSA). If other modules also perform payment functions, the PA-DSS standard applies to them as well.

Where the PA-DSS standard does not apply

  • The PA-DSS standard does not apply to payment applications developed for a single client only, since such applications are examined during the regular assessment of that client’s compliance with the PCI DSS standard.

PCI DSS standard

PCI DSS certification

The PCI DSS standard (Payment Card Industry Data Security Standard) is intended to ensure the secure processing, storage and transmission of cardholder data in the information systems of companies that work with international payment systems such as Visa, MasterCard and others.

The standard was developed by the PCI Security Standards Council, whose members include the world’s leading companies in the payment card market, such as American Express, Discover Financial Services and JCB.

The standard defines 12 detailed requirements for ensuring the security of cardholder data that is transmitted, stored and processed in corporate IT infrastructures. Adopting the measures needed to comply with these requirements implies a comprehensive approach to protecting payment card data.

Assessment of compliance with STO BR IBBS-1 (СТО БР ИББС-1)

The Bank of Russia standard for information security assurance in organizations of the Russian banking industry (STO BR IBBS) is a set of documents issued by the Bank of Russia on the basis of Russian law. It describes a unified approach to building the architecture of information security assurance systems in organizations of the banking industry.

Federal Law No. 184-FZ ‘Concerning Technical Regulation’ dated December 27, 2002 gives standards and other standardization documents an advisory status.

However, the same Federal Law provides that standards and other standardization documents become mandatory for companies that voluntarily decide to adopt them.

Regulation of the Central Bank of the Russian Federation No. 382-P dated June 9, 2012

Pursuant to Federal Law No. 161-FZ ‘Concerning the National Payment System’ dated June 27, 2011 (Legislation Bulletin of the Russian Federation, 2011, No. 27, p. 3872) (hereafter Federal Law No. 161-FZ), this Regulation establishes the requirements that money transfer operators, bank paying agents (sub-agents), payment system operators and payment infrastructure service providers must meet to protect information during money transfers (hereafter referred to as ‘requirements for information protection during money transfers’). It also establishes the procedure by which the Bank of Russia monitors compliance with these requirements as part of its supervision of the national payment system.

International standard ISO/IEC 27001

ISO/IEC 27001 is an international standard for information security management developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It was prepared for publication by subcommittee SC 27 of Joint Technical Committee JTC 1.

ISO/IEC 27001 is designed for building a corporate Information Security Management System (ISMS) regardless of the company’s line of business.

Primary objectives of the standard:

  • Establishing unified requirements for ensuring corporate information security;
  • Providing a framework for interaction between management and employees;
  • Increasing the efficiency of measures for establishing and maintaining corporate information security.