“A QSA’s Deja Nightmare”
A QSA walks into a bar (or gas station chain, or retail organization, etc.) to perform a PCI assessment. The bartender/owner says, “We just have some policies for you! We use <<insert POS company name>> POS, and it is PCI compliant.”
This is where the funny story stops. No QSA is smiling when the client says this. Probably one of the largest misconceptions in PCI compliance for point-of-sale (POS) style SMB vendors is that PA-DSS compliance equals PCI DSS compliance.
There is no “equals to,” there is no “equivalent to” and there isn’t even an “adjacent to” when it comes to PA-DSS and PCI compliance. The only thing that anyone can say honestly when speaking to the relationship between the two frameworks is that PA-DSS certification means that an application can successfully support the user’s own PCI compliance program. Now, of course, there are plenty of PA-DSS application sales people who will tell you otherwise; however, they are lying. Only in the face of true total outsourcing can a company dodge the PCI bullet, and even then, they typically still have at least some work to do.
A particular piece of PA-DSS certified software may assist your organization, but it will never completely absolve you of PCI-related responsibility. For example, pre-, during- and post-implementation instructions and procedures are provided with every single PA-DSS certified application’s implementation manual. Your organization must actively enforce and follow each of these guidelines in order for the application to even maintain its ability to be compliant!
The bottom line is that only an organization can be validated to be PCI-DSS compliant, never an application or a system.
It is the responsibility of a business and/or service provider to understand their PCI program reporting requirements. Don’t be misled into making decisions based on partial information!