SlideShare a Scribd company logo

PA-DSS and Application Penetration Testing

Schellman & Company
Schellman & Company

Security risks associated with payment applications have never been greater or more publicized. The Payment Application Data Security Standard (PA-DSS) and application penetration testing under the broader PCI DSS requirement 11.3 both aim to address application threat vectors, albeit through different tools and mechanisms. In this presentation, we will cover: • An overview of PA-DSS and application penetration testing • The shared elements and compare and contrast some of the more detailed differences • The requirements, where they apply, and how they play a role in securing payment applications

Technology
1 of 18
Download to read offline
PA-DSS vs Penetration Testing | 1 PA-DSS and Application Penetration Testing Complementary Tools to Address Payment Security Risk and Compliance
PA-DSS vs Penetration Testing | 2 Setting the Stage • We are not here to scare you • PA-DSS and Application Testing work together for PCI compliance and payment application security • As with all payment security, the devil is in the details!
PA-DSS vs Penetration Testing | 3 Comparison of Key Activities PA-DSS PenTest Architecture/Design Review Application Penetration Testing Forensic Analysis (Lab) Testing of Production Environment
PA-DSS vs Penetration Testing | 4 PA-DSS Overview • Parallel and subsidiary standard to PCI DSS • Facilitate and not preclude PCI DSS compliance • Test the application’s function –Usually in our lab –Sometimes in the software vendor’s lab
PA-DSS vs Penetration Testing | 5 PA-DSS Scope and Applicability •For applications that run in the customer’s environment –I.e., not for SaaS products •Applications that facilitate authorization and settlement of transactions •Applies to a specific version of an application
PA-DSS vs Penetration Testing | 6 PA-DSS Scope and Applicability •Not intended for applications developed for own use •PCI SSC will not accept most applications on mobile devices
PA-DSS vs Penetration Testing | 7 Process and Documentation • Software development practices – Demonstrate competence in software security – Application threat modeling – Developer training
PA-DSS vs Penetration Testing | 8 Process and Documentation • PA-DSS Implementation Guide – Specific, clear guidance for proper use of application – For users and resellers of application – We submit this to PCI SSC
PA-DSS vs Penetration Testing | 9 Testing in a Lab • Test the payment application as it would be deployed by a user – Examine application function and security features – Error conditions – Test transactions • Use forensic tools and methods • Perform penetration testing in test environment
PA-DSS vs Penetration Testing | 10 Forensic Tools and Methods • Search for cardholder data • Examine authentication or cryptographic processes • Confirm data retention and deletion
PA-DSS vs Penetration Testing | 11 Forensic Tools and Methods
PA-DSS vs Penetration Testing | 12 Forensic Tools and Methods
PA-DSS vs Penetration Testing | 13 Pen Testing for PA-DSS Validation • Test all web interfaces – Not just Internet-facing web interfaces – Test for OWASP/PCI DSS 6.5 vulnerabilities – Examine the software vendor’s process for fixing these issues
PA-DSS vs Penetration Testing | 14 Broader Application Testing • Not in a lab -> In production • Network vs Application • Type of applications – COTS and in-house developed – Web, Thick Client, Mobile and Web Services – Integrated solutions
PA-DSS vs Penetration Testing | 15 App Pen Testing and PCI-DSS • Primarily addresses requirement 11.3 – External and Internal – Network and Application • Results may influence other controls: – Architecture (1.3 and segmentation) – System Configuration (2.2) – Masking PAN (3.3) – OWASP (6.6)
PA-DSS vs Penetration Testing | 16 Tools and Techniques • Vulnerability scanners • Man-in-the-Middle (MitM) Proxies • REST Clients • Web debuggers • Browser plugins • Integrated Development Environments (IDE)
PA-DSS vs Penetration Testing | 17 Summary •Application security has significant attention in the PCI DSS and industry-wide •PCI includes a multi-faceted approach including core requirements and PA-DSS where applicable •Techniques can overlap but differ in approach and context •The goal and mission remain the same, a comprehensive approach to application security
PA-DSS vs Penetration Testing | 18 Learn More: PA-DSS Validation

Recommended

Application Security and PA DSS Certification
Application Security and PA DSS CertificationApplication Security and PA DSS Certification
Application Security and PA DSS Certification
Digital Security
 
Determining Scope for PCI DSS Compliance
Determining Scope for PCI DSS ComplianceDetermining Scope for PCI DSS Compliance
Determining Scope for PCI DSS Compliance
Schellman & Company
 
CSA Introduction 2013 David Ross
CSA Introduction 2013 David RossCSA Introduction 2013 David Ross
CSA Introduction 2013 David Ross
Graeme Wood
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
Kimberly Simon MBA
 
Vulnerability Scans & Penetration Test Comparison Chart
Vulnerability Scans & Penetration Test Comparison ChartVulnerability Scans & Penetration Test Comparison Chart
Vulnerability Scans & Penetration Test Comparison Chart
I.S. Partners, LLC
 
TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)
Tuan Phan
 
TrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability ManagementTrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability Management
Tuan Phan
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public Sector
Tuan Phan
 

Recommended

Application Security and PA DSS Certification
Application Security and PA DSS CertificationApplication Security and PA DSS Certification
Application Security and PA DSS Certification
Digital Security
 
Determining Scope for PCI DSS Compliance
Determining Scope for PCI DSS ComplianceDetermining Scope for PCI DSS Compliance
Determining Scope for PCI DSS Compliance
Schellman & Company
 
CSA Introduction 2013 David Ross
CSA Introduction 2013 David RossCSA Introduction 2013 David Ross
CSA Introduction 2013 David Ross
Graeme Wood
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
Kimberly Simon MBA
 
Vulnerability Scans & Penetration Test Comparison Chart
Vulnerability Scans & Penetration Test Comparison ChartVulnerability Scans & Penetration Test Comparison Chart
Vulnerability Scans & Penetration Test Comparison Chart
I.S. Partners, LLC
 
TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)
Tuan Phan
 
TrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability ManagementTrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability Management
Tuan Phan
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public Sector
Tuan Phan
 
Audit Practice at CipherTechs
Audit Practice at CipherTechsAudit Practice at CipherTechs
Audit Practice at CipherTechs
Mordecai Kraushar
 
collateral_datasheet_sungard
collateral_datasheet_sungardcollateral_datasheet_sungard
collateral_datasheet_sungard
Cheryl Goldberg
 
Implementation of RBAC and Data Classification onto a Mainframe system (v1.5)
Implementation of RBAC and Data Classification onto a Mainframe system (v1.5)Implementation of RBAC and Data Classification onto a Mainframe system (v1.5)
Implementation of RBAC and Data Classification onto a Mainframe system (v1.5)
Rui Miguel Feio
 
Web Application Security Strategy
Web Application Security Strategy Web Application Security Strategy
Web Application Security Strategy
Network Intelligence India
 
Security testing-What can we do - Trinh Minh Hien
Security testing-What can we do - Trinh Minh HienSecurity testing-What can we do - Trinh Minh Hien
Security testing-What can we do - Trinh Minh Hien
Ho Chi Minh City Software Testing Club
 
Building a World-Class Proactive Integrated Security and Network Ops Center
Building a World-Class Proactive Integrated Security and Network Ops CenterBuilding a World-Class Proactive Integrated Security and Network Ops Center
Building a World-Class Proactive Integrated Security and Network Ops Center
Priyanka Aash
 
Infosec 2014 - Considerations when choosing an MSSP
Infosec 2014 - Considerations when choosing an MSSPInfosec 2014 - Considerations when choosing an MSSP
Infosec 2014 - Considerations when choosing an MSSP
Huntsman Security
 
Automating for NERC CIP-007-5-R1
Automating for NERC CIP-007-5-R1 Automating for NERC CIP-007-5-R1
Automating for NERC CIP-007-5-R1
Tripwire
 
Outsourcing Security Management
Outsourcing Security ManagementOutsourcing Security Management
Outsourcing Security Management
Nick Krym
 
Maturing Endpoint Security: 5 Key Considerations
Maturing Endpoint Security: 5 Key ConsiderationsMaturing Endpoint Security: 5 Key Considerations
Maturing Endpoint Security: 5 Key Considerations
Sirius
 
Ahmed
AhmedAhmed
Ahmed
Ahmed Abd Elhamed
 
Its Not You Its Me MSSP Couples Counseling
Its Not You Its Me MSSP Couples CounselingIts Not You Its Me MSSP Couples Counseling
Its Not You Its Me MSSP Couples Counseling
Atif Ghauri
 
PCI Compliance NOT for Dummies epb 30MAR2016
PCI Compliance NOT for Dummies epb 30MAR2016PCI Compliance NOT for Dummies epb 30MAR2016
PCI Compliance NOT for Dummies epb 30MAR2016
Erika Powell-Burson, MSIA, CISSP, CISA
 
Outpost24 Webinar - To agent or not to agent
Outpost24 Webinar - To agent or not to agent Outpost24 Webinar - To agent or not to agent
Outpost24 Webinar - To agent or not to agent
Outpost24
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?
Priyanka Aash
 
Algo sec suite overview 2013 05
Algo sec suite overview 2013 05Algo sec suite overview 2013 05
Algo sec suite overview 2013 05
hoanv
 
What’s making way for secure sdlc
What’s making way for secure sdlcWhat’s making way for secure sdlc
What’s making way for secure sdlc
Avancercorp
 
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
Demystifying PCI Software Security Framework: All You Need to Know for Your A...Demystifying PCI Software Security Framework: All You Need to Know for Your A...
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
SBWebinars
 
PCI presentation
PCI presentationPCI presentation
PCI presentation
Mahmoud Salaheldin
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
 
Testing the brave new world of saa s applications quest 2018 v1
Testing the brave new world of saa s applications quest 2018 v1Testing the brave new world of saa s applications quest 2018 v1
Testing the brave new world of saa s applications quest 2018 v1
GerieOwen
 
How To Avoid Continuously Delivering Faulty Software
How To Avoid Continuously Delivering Faulty SoftwareHow To Avoid Continuously Delivering Faulty Software
How To Avoid Continuously Delivering Faulty Software
Erika Barron
 

More Related Content

What's hot

Audit Practice at CipherTechs
Audit Practice at CipherTechsAudit Practice at CipherTechs
Audit Practice at CipherTechs
Mordecai Kraushar
 
collateral_datasheet_sungard
collateral_datasheet_sungardcollateral_datasheet_sungard
collateral_datasheet_sungard
Cheryl Goldberg
 
Implementation of RBAC and Data Classification onto a Mainframe system (v1.5)
Implementation of RBAC and Data Classification onto a Mainframe system (v1.5)Implementation of RBAC and Data Classification onto a Mainframe system (v1.5)
Implementation of RBAC and Data Classification onto a Mainframe system (v1.5)
Rui Miguel Feio
 
Web Application Security Strategy
Web Application Security Strategy Web Application Security Strategy
Web Application Security Strategy
Network Intelligence India
 
Security testing-What can we do - Trinh Minh Hien
Security testing-What can we do - Trinh Minh HienSecurity testing-What can we do - Trinh Minh Hien
Security testing-What can we do - Trinh Minh Hien
Ho Chi Minh City Software Testing Club
 
Building a World-Class Proactive Integrated Security and Network Ops Center
Building a World-Class Proactive Integrated Security and Network Ops CenterBuilding a World-Class Proactive Integrated Security and Network Ops Center
Building a World-Class Proactive Integrated Security and Network Ops Center
Priyanka Aash
 
Infosec 2014 - Considerations when choosing an MSSP
Infosec 2014 - Considerations when choosing an MSSPInfosec 2014 - Considerations when choosing an MSSP
Infosec 2014 - Considerations when choosing an MSSP
Huntsman Security
 
Automating for NERC CIP-007-5-R1
Automating for NERC CIP-007-5-R1 Automating for NERC CIP-007-5-R1
Automating for NERC CIP-007-5-R1
Tripwire
 
Outsourcing Security Management
Outsourcing Security ManagementOutsourcing Security Management
Outsourcing Security Management
Nick Krym
 
Maturing Endpoint Security: 5 Key Considerations
Maturing Endpoint Security: 5 Key ConsiderationsMaturing Endpoint Security: 5 Key Considerations
Maturing Endpoint Security: 5 Key Considerations
Sirius
 
Ahmed
AhmedAhmed
Ahmed
Ahmed Abd Elhamed
 
Its Not You Its Me MSSP Couples Counseling
Its Not You Its Me MSSP Couples CounselingIts Not You Its Me MSSP Couples Counseling
Its Not You Its Me MSSP Couples Counseling
Atif Ghauri
 
PCI Compliance NOT for Dummies epb 30MAR2016
PCI Compliance NOT for Dummies epb 30MAR2016PCI Compliance NOT for Dummies epb 30MAR2016
PCI Compliance NOT for Dummies epb 30MAR2016
Erika Powell-Burson, MSIA, CISSP, CISA
 
Outpost24 Webinar - To agent or not to agent
Outpost24 Webinar - To agent or not to agent Outpost24 Webinar - To agent or not to agent
Outpost24 Webinar - To agent or not to agent
Outpost24
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?
Priyanka Aash
 
Algo sec suite overview 2013 05
Algo sec suite overview 2013 05Algo sec suite overview 2013 05
Algo sec suite overview 2013 05
hoanv
 
What’s making way for secure sdlc
What’s making way for secure sdlcWhat’s making way for secure sdlc
What’s making way for secure sdlc
Avancercorp
 
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
Demystifying PCI Software Security Framework: All You Need to Know for Your A...Demystifying PCI Software Security Framework: All You Need to Know for Your A...
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
SBWebinars
 
PCI presentation
PCI presentationPCI presentation
PCI presentation
Mahmoud Salaheldin
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
 

What's hot (20)

Audit Practice at CipherTechs
Audit Practice at CipherTechsAudit Practice at CipherTechs
Audit Practice at CipherTechs
 
collateral_datasheet_sungard
collateral_datasheet_sungardcollateral_datasheet_sungard
collateral_datasheet_sungard
 
Implementation of RBAC and Data Classification onto a Mainframe system (v1.5)
Implementation of RBAC and Data Classification onto a Mainframe system (v1.5)Implementation of RBAC and Data Classification onto a Mainframe system (v1.5)
Implementation of RBAC and Data Classification onto a Mainframe system (v1.5)
 
Web Application Security Strategy
Web Application Security Strategy Web Application Security Strategy
Web Application Security Strategy
 
Security testing-What can we do - Trinh Minh Hien
Security testing-What can we do - Trinh Minh HienSecurity testing-What can we do - Trinh Minh Hien
Security testing-What can we do - Trinh Minh Hien
 
Building a World-Class Proactive Integrated Security and Network Ops Center
Building a World-Class Proactive Integrated Security and Network Ops CenterBuilding a World-Class Proactive Integrated Security and Network Ops Center
Building a World-Class Proactive Integrated Security and Network Ops Center
 
Infosec 2014 - Considerations when choosing an MSSP
Infosec 2014 - Considerations when choosing an MSSPInfosec 2014 - Considerations when choosing an MSSP
Infosec 2014 - Considerations when choosing an MSSP
 
Automating for NERC CIP-007-5-R1
Automating for NERC CIP-007-5-R1 Automating for NERC CIP-007-5-R1
Automating for NERC CIP-007-5-R1
 
Outsourcing Security Management
Outsourcing Security ManagementOutsourcing Security Management
Outsourcing Security Management
 
Maturing Endpoint Security: 5 Key Considerations
Maturing Endpoint Security: 5 Key ConsiderationsMaturing Endpoint Security: 5 Key Considerations
Maturing Endpoint Security: 5 Key Considerations
 
Ahmed
AhmedAhmed
Ahmed
 
Its Not You Its Me MSSP Couples Counseling
Its Not You Its Me MSSP Couples CounselingIts Not You Its Me MSSP Couples Counseling
Its Not You Its Me MSSP Couples Counseling
 
PCI Compliance NOT for Dummies epb 30MAR2016
PCI Compliance NOT for Dummies epb 30MAR2016PCI Compliance NOT for Dummies epb 30MAR2016
PCI Compliance NOT for Dummies epb 30MAR2016
 
Outpost24 Webinar - To agent or not to agent
Outpost24 Webinar - To agent or not to agent Outpost24 Webinar - To agent or not to agent
Outpost24 Webinar - To agent or not to agent
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?
 
Algo sec suite overview 2013 05
Algo sec suite overview 2013 05Algo sec suite overview 2013 05
Algo sec suite overview 2013 05
 
What’s making way for secure sdlc
What’s making way for secure sdlcWhat’s making way for secure sdlc
What’s making way for secure sdlc
 
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
Demystifying PCI Software Security Framework: All You Need to Know for Your A...Demystifying PCI Software Security Framework: All You Need to Know for Your A...
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
 
PCI presentation
PCI presentationPCI presentation
PCI presentation
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLC
 

Similar to PA-DSS and Application Penetration Testing

Testing the brave new world of saa s applications quest 2018 v1
Testing the brave new world of saa s applications quest 2018 v1Testing the brave new world of saa s applications quest 2018 v1
Testing the brave new world of saa s applications quest 2018 v1
GerieOwen
 
How To Avoid Continuously Delivering Faulty Software
How To Avoid Continuously Delivering Faulty SoftwareHow To Avoid Continuously Delivering Faulty Software
How To Avoid Continuously Delivering Faulty Software
Erika Barron
 
How to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty SoftwareHow to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty Software
Parasoft
 
SQA Lecture 01 (Introduction) - Testing and SQA
SQA Lecture 01 (Introduction) - Testing and SQASQA Lecture 01 (Introduction) - Testing and SQA
SQA Lecture 01 (Introduction) - Testing and SQA
sunena224
 
Test Policy and Practices
Test Policy and PracticesTest Policy and Practices
Test Policy and Practices
Talentica Software
 
How to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty SoftwareHow to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty Software
Perforce
 
Decoupled System Interface Testing at FedEx
Decoupled System Interface Testing at FedExDecoupled System Interface Testing at FedEx
Decoupled System Interface Testing at FedEx
TechWell
 
Implementing SAP security in 5 steps
Implementing SAP security in 5 stepsImplementing SAP security in 5 steps
Implementing SAP security in 5 steps
ERPScan
 
Pm 6 testing
Pm 6 testingPm 6 testing
Pm 6 testing
Radiant Minds
 
Pm 6 testing
Pm 6 testingPm 6 testing
Pm 6 testing
Radiant Minds
 
Software Project Management lecture 10
Software Project Management lecture 10Software Project Management lecture 10
Software Project Management lecture 10
Syed Muhammad Hammad
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
Rishi Kant
 
_VoicePPT_QA_Testing_Training_4_Days_Schedule.ppt
_VoicePPT_QA_Testing_Training_4_Days_Schedule.ppt_VoicePPT_QA_Testing_Training_4_Days_Schedule.ppt
_VoicePPT_QA_Testing_Training_4_Days_Schedule.ppt
AnilKumarARS
 
07 Outsource To India Independent Testing
07 Outsource To India Independent Testing07 Outsource To India Independent Testing
07 Outsource To India Independent Testing
outsourceToIndia
 
QAustral Testing
QAustral TestingQAustral Testing
QAustral Testing
cusmaim
 
Introduction of Secure Software Development Lifecycle
Introduction of Secure Software Development LifecycleIntroduction of Secure Software Development Lifecycle
Introduction of Secure Software Development Lifecycle
Rishi Kant
 
Neev QA Offering
Neev QA OfferingNeev QA Offering
Neev QA Offering
Neev Technologies
 
End-to-End Quality Approach: 14 Levels of Testing
End-to-End Quality Approach: 14 Levels of TestingEnd-to-End Quality Approach: 14 Levels of Testing
End-to-End Quality Approach: 14 Levels of Testing
Josiah Renaudin
 
Addressing The Challenges Of Testing Soa Based Applications From AppLabs
Addressing The Challenges Of Testing Soa Based Applications From AppLabsAddressing The Challenges Of Testing Soa Based Applications From AppLabs
Addressing The Challenges Of Testing Soa Based Applications From AppLabs
VIJAYA BHASKARA VARMA YARAKARAJU
 
Types of Testing
Types of TestingTypes of Testing
Types of Testing
Murageppa-QA
 

Similar to PA-DSS and Application Penetration Testing (20)

Testing the brave new world of saa s applications quest 2018 v1
Testing the brave new world of saa s applications quest 2018 v1Testing the brave new world of saa s applications quest 2018 v1
Testing the brave new world of saa s applications quest 2018 v1
 
How To Avoid Continuously Delivering Faulty Software
How To Avoid Continuously Delivering Faulty SoftwareHow To Avoid Continuously Delivering Faulty Software
How To Avoid Continuously Delivering Faulty Software
 
How to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty SoftwareHow to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty Software
 
SQA Lecture 01 (Introduction) - Testing and SQA
SQA Lecture 01 (Introduction) - Testing and SQASQA Lecture 01 (Introduction) - Testing and SQA
SQA Lecture 01 (Introduction) - Testing and SQA
 
Test Policy and Practices
Test Policy and PracticesTest Policy and Practices
Test Policy and Practices
 
How to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty SoftwareHow to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty Software
 
Decoupled System Interface Testing at FedEx
Decoupled System Interface Testing at FedExDecoupled System Interface Testing at FedEx
Decoupled System Interface Testing at FedEx
 
Implementing SAP security in 5 steps
Implementing SAP security in 5 stepsImplementing SAP security in 5 steps
Implementing SAP security in 5 steps
 
Pm 6 testing
Pm 6 testingPm 6 testing
Pm 6 testing
 
Pm 6 testing
Pm 6 testingPm 6 testing
Pm 6 testing
 
Software Project Management lecture 10
Software Project Management lecture 10Software Project Management lecture 10
Software Project Management lecture 10
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
 
_VoicePPT_QA_Testing_Training_4_Days_Schedule.ppt
_VoicePPT_QA_Testing_Training_4_Days_Schedule.ppt_VoicePPT_QA_Testing_Training_4_Days_Schedule.ppt
_VoicePPT_QA_Testing_Training_4_Days_Schedule.ppt
 
07 Outsource To India Independent Testing
07 Outsource To India Independent Testing07 Outsource To India Independent Testing
07 Outsource To India Independent Testing
 
QAustral Testing
QAustral TestingQAustral Testing
QAustral Testing
 
Introduction of Secure Software Development Lifecycle
Introduction of Secure Software Development LifecycleIntroduction of Secure Software Development Lifecycle
Introduction of Secure Software Development Lifecycle
 
Neev QA Offering
Neev QA OfferingNeev QA Offering
Neev QA Offering
 
End-to-End Quality Approach: 14 Levels of Testing
End-to-End Quality Approach: 14 Levels of TestingEnd-to-End Quality Approach: 14 Levels of Testing
End-to-End Quality Approach: 14 Levels of Testing
 
Addressing The Challenges Of Testing Soa Based Applications From AppLabs
Addressing The Challenges Of Testing Soa Based Applications From AppLabsAddressing The Challenges Of Testing Soa Based Applications From AppLabs
Addressing The Challenges Of Testing Soa Based Applications From AppLabs
 
Types of Testing
Types of TestingTypes of Testing
Types of Testing
 

More from Schellman & Company

Privacy in the Cloud- Introduction to ISO 27018
Privacy in the Cloud- Introduction to ISO 27018Privacy in the Cloud- Introduction to ISO 27018
Privacy in the Cloud- Introduction to ISO 27018
Schellman & Company
 
Demystifying the Cyber NISTs
Demystifying the Cyber NISTsDemystifying the Cyber NISTs
Demystifying the Cyber NISTs
Schellman & Company
 
Privacy shield: What You Need To Know About Storing EU Data
Privacy shield: What You Need To Know About Storing EU DataPrivacy shield: What You Need To Know About Storing EU Data
Privacy shield: What You Need To Know About Storing EU Data
Schellman & Company
 
Everything You Need To Know About SOC 1
Everything You Need To Know About SOC 1Everything You Need To Know About SOC 1
Everything You Need To Know About SOC 1
Schellman & Company
 
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Schellman & Company
 
The CSA STAR Program: Certification & Attestation
The CSA STAR Program: Certification & AttestationThe CSA STAR Program: Certification & Attestation
The CSA STAR Program: Certification & Attestation
Schellman & Company
 
Get Ready Now for HITRUST 2017
Get Ready Now for HITRUST 2017Get Ready Now for HITRUST 2017
Get Ready Now for HITRUST 2017
Schellman & Company
 
STAND OUT: Why You Should Become ISO 27001 Certified
STAND OUT: Why You Should Become ISO 27001 CertifiedSTAND OUT: Why You Should Become ISO 27001 Certified
STAND OUT: Why You Should Become ISO 27001 Certified
Schellman & Company
 
Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018
Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018
Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018
Schellman & Company
 
SOC 2 and You
SOC 2 and YouSOC 2 and You
SOC 2 and You
Schellman & Company
 
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST CertificationHitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
Schellman & Company
 
CSA STAR Program
CSA STAR ProgramCSA STAR Program
CSA STAR Program
Schellman & Company
 
SOC 2: Build Trust and Confidence
SOC 2: Build Trust and ConfidenceSOC 2: Build Trust and Confidence
SOC 2: Build Trust and Confidence
Schellman & Company
 
SOC 1 Overview
SOC 1 OverviewSOC 1 Overview
SOC 1 Overview
Schellman & Company
 
12 Steps to Preparing for a QAR
12 Steps to Preparing for a QAR12 Steps to Preparing for a QAR
12 Steps to Preparing for a QAR
Schellman & Company
 
EPCS Overview
EPCS OverviewEPCS Overview
EPCS Overview
Schellman & Company
 
PCI DSS 3.0 Overview and Key Updates
PCI DSS 3.0 Overview and Key UpdatesPCI DSS 3.0 Overview and Key Updates
PCI DSS 3.0 Overview and Key Updates
Schellman & Company
 
10 Steps Toward FedRAMP Compliance
10 Steps Toward FedRAMP Compliance10 Steps Toward FedRAMP Compliance
10 Steps Toward FedRAMP Compliance
Schellman & Company
 
Your've Been Hacked in Florida! Now What?
Your've Been Hacked in Florida! Now What?Your've Been Hacked in Florida! Now What?
Your've Been Hacked in Florida! Now What?
Schellman & Company
 

More from Schellman & Company (19)

Privacy in the Cloud- Introduction to ISO 27018
Privacy in the Cloud- Introduction to ISO 27018Privacy in the Cloud- Introduction to ISO 27018
Privacy in the Cloud- Introduction to ISO 27018
 
Demystifying the Cyber NISTs
Demystifying the Cyber NISTsDemystifying the Cyber NISTs
Demystifying the Cyber NISTs
 
Privacy shield: What You Need To Know About Storing EU Data
Privacy shield: What You Need To Know About Storing EU DataPrivacy shield: What You Need To Know About Storing EU Data
Privacy shield: What You Need To Know About Storing EU Data
 
Everything You Need To Know About SOC 1
Everything You Need To Know About SOC 1Everything You Need To Know About SOC 1
Everything You Need To Know About SOC 1
 
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
 
The CSA STAR Program: Certification & Attestation
The CSA STAR Program: Certification & AttestationThe CSA STAR Program: Certification & Attestation
The CSA STAR Program: Certification & Attestation
 
Get Ready Now for HITRUST 2017
Get Ready Now for HITRUST 2017Get Ready Now for HITRUST 2017
Get Ready Now for HITRUST 2017
 
STAND OUT: Why You Should Become ISO 27001 Certified
STAND OUT: Why You Should Become ISO 27001 CertifiedSTAND OUT: Why You Should Become ISO 27001 Certified
STAND OUT: Why You Should Become ISO 27001 Certified
 
Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018
Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018
Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018
 
SOC 2 and You
SOC 2 and YouSOC 2 and You
SOC 2 and You
 
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST CertificationHitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
 
CSA STAR Program
CSA STAR ProgramCSA STAR Program
CSA STAR Program
 
SOC 2: Build Trust and Confidence
SOC 2: Build Trust and ConfidenceSOC 2: Build Trust and Confidence
SOC 2: Build Trust and Confidence
 
SOC 1 Overview
SOC 1 OverviewSOC 1 Overview
SOC 1 Overview
 
12 Steps to Preparing for a QAR
12 Steps to Preparing for a QAR12 Steps to Preparing for a QAR
12 Steps to Preparing for a QAR
 
EPCS Overview
EPCS OverviewEPCS Overview
EPCS Overview
 
PCI DSS 3.0 Overview and Key Updates
PCI DSS 3.0 Overview and Key UpdatesPCI DSS 3.0 Overview and Key Updates
PCI DSS 3.0 Overview and Key Updates
 
10 Steps Toward FedRAMP Compliance
10 Steps Toward FedRAMP Compliance10 Steps Toward FedRAMP Compliance
10 Steps Toward FedRAMP Compliance
 
Your've Been Hacked in Florida! Now What?
Your've Been Hacked in Florida! Now What?Your've Been Hacked in Florida! Now What?
Your've Been Hacked in Florida! Now What?
 

Recently uploaded

Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
Pixlogix Infotech
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 

Recently uploaded (20)

Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 

PA-DSS and Application Penetration Testing

  • 1. PA-DSS vs Penetration Testing | 1 PA-DSS and Application Penetration Testing Complementary Tools to Address Payment Security Risk and Compliance
  • 2. PA-DSS vs Penetration Testing | 2 Setting the Stage • We are not here to scare you • PA-DSS and Application Testing work together for PCI compliance and payment application security • As with all payment security, the devil is in the details!
  • 3. PA-DSS vs Penetration Testing | 3 Comparison of Key Activities PA-DSS PenTest Architecture/Design Review Application Penetration Testing Forensic Analysis (Lab) Testing of Production Environment
  • 4. PA-DSS vs Penetration Testing | 4 PA-DSS Overview • Parallel and subsidiary standard to PCI DSS • Facilitate and not preclude PCI DSS compliance • Test the application’s function –Usually in our lab –Sometimes in the software vendor’s lab
  • 5. PA-DSS vs Penetration Testing | 5 PA-DSS Scope and Applicability •For applications that run in the customer’s environment –I.e., not for SaaS products •Applications that facilitate authorization and settlement of transactions •Applies to a specific version of an application
  • 6. PA-DSS vs Penetration Testing | 6 PA-DSS Scope and Applicability •Not intended for applications developed for own use •PCI SSC will not accept most applications on mobile devices
  • 7. PA-DSS vs Penetration Testing | 7 Process and Documentation • Software development practices – Demonstrate competence in software security – Application threat modeling – Developer training
  • 8. PA-DSS vs Penetration Testing | 8 Process and Documentation • PA-DSS Implementation Guide – Specific, clear guidance for proper use of application – For users and resellers of application – We submit this to PCI SSC
  • 9. PA-DSS vs Penetration Testing | 9 Testing in a Lab • Test the payment application as it would be deployed by a user – Examine application function and security features – Error conditions – Test transactions • Use forensic tools and methods • Perform penetration testing in test environment
  • 10. PA-DSS vs Penetration Testing | 10 Forensic Tools and Methods • Search for cardholder data • Examine authentication or cryptographic processes • Confirm data retention and deletion
  • 11. PA-DSS vs Penetration Testing | 11 Forensic Tools and Methods
  • 12. PA-DSS vs Penetration Testing | 12 Forensic Tools and Methods
  • 13. PA-DSS vs Penetration Testing | 13 Pen Testing for PA-DSS Validation • Test all web interfaces – Not just Internet-facing web interfaces – Test for OWASP/PCI DSS 6.5 vulnerabilities – Examine the software vendor’s process for fixing these issues
  • 14. PA-DSS vs Penetration Testing | 14 Broader Application Testing • Not in a lab -> In production • Network vs Application • Type of applications – COTS and in-house developed – Web, Thick Client, Mobile and Web Services – Integrated solutions
  • 15. PA-DSS vs Penetration Testing | 15 App Pen Testing and PCI-DSS • Primarily addresses requirement 11.3 – External and Internal – Network and Application • Results may influence other controls: – Architecture (1.3 and segmentation) – System Configuration (2.2) – Masking PAN (3.3) – OWASP (6.6)
  • 16. PA-DSS vs Penetration Testing | 16 Tools and Techniques • Vulnerability scanners • Man-in-the-Middle (MitM) Proxies • REST Clients • Web debuggers • Browser plugins • Integrated Development Environments (IDE)
  • 17. PA-DSS vs Penetration Testing | 17 Summary •Application security has significant attention in the PCI DSS and industry-wide •PCI includes a multi-faceted approach including core requirements and PA-DSS where applicable •Techniques can overlap but differ in approach and context •The goal and mission remain the same, a comprehensive approach to application security
  • 18. PA-DSS vs Penetration Testing | 18 Learn More: PA-DSS Validation