The PCI Council recently released version 2.0 of the PA-DSS Program Guide, available here, which includes a significant change with regards to the definition of a “minor change” and what it means to Payment Application Vendors. Certain types of changes that would have previously required a complete revalidation of the payment application can now be addressed by having a PA-QSA assess the changed portions of the application, without a complete revalidation. There are some important qualifying criteria, however, so keep reading for the details…
A PA-DSS “Minor Change” was previously defined as the following:
“…enhancements related to process and documentation review only. These can be application updates including, but not limited to, the following types of changes:
- Changes that impact the aesthetics of the payment application, such as, GUI enhancements, button movement, marketing color updates, etc.
- Changes that impact components of the application that are not related to the authorization or settlement process of the payment application, such as, adding additional tax fields not related to cardholder data, updates to the Implementation Guide, etc.
Any item requiring testing or validation by a PA-QSA regarding changes affecting the security of the application will not fall under the guidelines of a Minor Update.”
However, this definition of a minor change presented a gap for those changes that affect PA-DSS requirements, but have a minimal impact. The good news is that the Council has addressed this concern in the recently released version 2.0 of the PA-DSS Program Guide. The Program Guide provides a lot more guidance and clarification on what used to be referred to as a “minor” change, which is now broken down into 2 different classifications.
1) No-Impact Changes are minor changes (either administrative or software) made to a listed payment application that have no impact on the PA-DSS requirements. Examples of minor updates include, but are not limited to, corporate identity changes or software changes to a graphical user interface or to supporting modules that perform no payment application functions.
2) Low-Impact Changes are minor changes made to a listed payment application that touch upon PA-DSS related functions of the payment application and have limited impact on the PA-DSS requirements. The Council has defined 6 specific changes that would be deemed as Low-Impact and they include:
a. Inclusion of minor updates or patches to validated operating system versions upon which the payment application was previously validated;
b. Inclusion of minor updates or patches to supported 3rd party databases with which the payment application was previously validated;
c. Updates to reporting modules;
d. Additions or deletions of supported payment processors;
e. Inclusion of minor updates or patches to supported middleware with which the payment application was previously validated;
f. Recompilation of unchanged code base with either the same compiler using different flags or with a completely different compiler
For a Low-Impact Change, the QSA is now allowed to perform an assessment of the change (this could also include a partial technical review of the changes to the payment application) and prepare the necessary documentation which is then submitted to the Council.
Any change not defined in the above, would still have to go through a full PA-DSS review.
Shelina Samji, PCI QSA
Senior Consultant, PCI Compliance Services