Understanding Standards Together With Elinext Experts: ISO 13485:2016, PCI DSS And PA DSS

Regulatory compliance is an important yet complex issue. It is particularly crucial in industries with strict compliance oversight like healthcare or financial services. After all, the potential cost of non-compliance is astonishing — $14.82 million, according to the study conducted by Ponemon Institute.

With this article, we start a series of interviews with Elinext professionals to discuss the most important and widely used standards. Our first expert is Alina Borovskaya who is going to guide us through ISO 13485:2016, PCI DSS and PA DSS standards.

Let’s start with ISO 13485:2016. What is this standard about?

This is an international industry standard developed by the International Organization for Standardization (ISO). The standard specifies the requirements for a quality management system for medical device manufacturers. However, it should be noted that it is a voluntary standard that complements the technical requirements for medical devices.

Who is ISO 13485:2016 for?

The standard is aimed for use by the organizations that are involved in the design, development, production, installation, and maintenance of medical devices, as well as the provision of associated services. The standard can also be used by external and internal parties, including certification bodies, to help with the audit process.

What organizations are subject to certification under ISO 13485:2016?

?ISO 13485:2016 is applicable to all organizations that are involved in:

• Installation and maintenance of medical devices;
• Development of software components for medical devices;
• Development or provision of associated services (for instance, technical support);

The standard can also be used by suppliers of medical devices or external parties that are involved in device manufacturing in any capacity, including the provision of quality management system-related services by such organizations.

Basically, the standard is applicable to organizations engaged in different stages of a medical device’s life cycle, including design, development, production, storage, and distribution.

Now, let’s dive deeper into the requirements of ISO 13485:2016. What do they cover?

Basically, the standard specifies the requirements regarding the following:

• Implementation and practical application of a quality management system;
• Development of respective documentation;
• Risk minimization activities;
• Improving personnel competence;
• Effective resource management;
• Analytical activities aimed at continuous quality improvement.

Why was ISO 13485:2016 revised and what are the main changes?

To ensure that it remains up-to-date and useful for the market, ISO 13485:2016 undergoes a review every 5 years to determine if any changes are needed. ISO 31485:2016 is designed taking into account the latest quality management system practices, changes in technology and regulatory requirements, as well as consumer expectations.

The new version places a greater focus on risk management and decision-making based on risks and changes related to the increased regulatory requirements for organizations in the supply chain.

Once the initial certification is completed, does an organization need to undergo regular auditing?

Since ISO 13485:2016 certificate is issued for 3 years, a surveillance audit is conducted during the second and third years. Annual checks are aimed at continuous process optimization. In three years, a re-certification audit is carried out. Obtaining the ISO 13485:2016 certification is proof of an organization’s long-term commitment to the quality management system for medical devices.

Rounding up the first part of our interview, let’s focus on the key benefits of ISO 13485:2016 certification.

Sure, the advantages of having an ISO 13485:2016 accreditation are numerous. Major benefits include:

• An opportunity to carry out unimpeded trade in 25 countries of the European Economic Area (EEA), as well as in Turkey, Egypt, Saudi Arabia, Korea, Australia, and New Zealand.
• An opportunity to establish business processes in line with the strict requirements of international and European standards.
• Increasing sales volume, improving existing market positions, and penetrating new markets.
• Gaining a competitive edge when competing for lucrative contracts and projects, other conditions being equal.
• Improving an organization’s image by demonstrating commitment to the requirements of international standards, best practices and product quality, as well as compliance with the applicable legislative and regulatory requirements.
• ISO 13485:2016 is harmonized with other international management system standards and specifications like ISO 9001, GMP and others, enabling the development of an effective control system.

Let’s move to the other standards on the agenda — Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA DSS). And first things first, what is PCI DSS?

Developed by the Payment Card Industry Security Standards Council (PCI SSC), PCI DSS is a data security standard in the payment card industry. The standard was established by the international payment systems like Visa, MasterCard, American Express, JCB and Discover.

PCI DSS represents a set of 12 detailed requirements aimed to ensure the security of cardholder data that is transferred, stored, and processed in an organization’s information system. PCI DSS requirements are mandatory for any company that works with international payment systems.

Who needs PCI DSS?

The need to comply with PCI DSS is established by the payment system operators within their own security programs. These programs include:

• For MasterCard, it is Site Data Protection (SDP);
• For Visa in the USA, it is Cardholder Information Security (CISP);
• For Visa in Europe, it is Account Information Security (AIS).

All organizations that store, transmit or process cardholder data must comply with the PCI DSS requirements.

The standard became mandatory in the CEMEA region (Central and Eeastern Europe, the Middle East and Africa) since September 2006, as per the international payment system Visa. Hence, service providers (Internet providers, payment gateways, and processing centers) that work directly with VisaNet have to go through an audit to meet the standard’s requirements.

What does the audit cycle look like?

The audit is performed on a yearly basis. Moreover, penetration testing (internal and external attackers) is carried out twice a year and ASV-scanning (Approved Scanning Vendor) is conducted four times a year.

How does this standard affect software development companies?

Here I’d like to talk in more detail about PA DSS — Payment Application Data Security Standard that is based on the requirements of Visa’s Payment Application Best Practices (PABP). The standard is designed to enforce the implementation of the requirements of PCI DSS.

PA DSS was created and accepted in 2008 by the Payment Card Industry Security Standards Council (PCI SSC). Visa and MasterCard payment systems require that all applications engaged in authorization or clearing/settlement transactions must be certified in compliance with PA DSS.

What is the connection between PCI DSS and PA DSS?

All applications that store, process or transmit cardholder data must be audited regarding their compliance with PCI DSS even if they have already been audited regarding their compliance with PA DSS.

Using a PA DSS-compliant application does not ensure that an organization meets the PCI DSS requirements. This is because the application must be implemented in a PCI DSS-compliant environment and must follow the Guidelines on Implementation in Compliance with PA DSS (provided by the payment application developer).

Modifying a payment application in any way may affect its PCI DSS compliance status, as it may differ from the version audited for PA DSS compliance. Therefore, a more detailed audit is required to verify if the application still meets the PCI DSS requirements.

PCI DSS does not apply directly to payment application providers if they do not store, process, or transmit cardholder data or do not have access to the cardholder data of their clients.

However, since the clients of a payment application provider use those apps to store, process, and transmit cardholder data, the clients are obliged to comply with the standard. Payment applications in their turn must support the clients in meeting the PCI DSS requirements, and not hinder it.

Let’s have a look at some examples when insecure payment applications can prevent from achieving compliance with the standard:

1. Storing data from the magnetic stripe and (or) equally sensitive chip information in the client’s network after authorization;
2. Applications that require the client to turn off different features regulated by PCI DSS, for instance, antivirus software or network firewalls, which are required for a correct functioning of the payment application;
3. Developers’ reliance on insecure connection methods for client support.

What does the scope of PA DSS cover?

The standard encompasses all functionality of a payment application:

• Two-way payment functionality (authorization and settlement);
• Input and output;
• Errors conditions;
• Interfaces and integrations with other systems, files, and (or) payment applications or their components;
• All cardholder data flows;
• Encryption mechanisms;
• Authentication mechanisms;

The standard encompasses recommendations that the payment application provider must submit to its clients and integrators/resellers in order to guarantee that:

• The client knows how to implement the payment application in compliance with PCI DSS requirements;
• The client is aware that specific payment application environment parameters may prevent them from complying with PCI DSS standards.

It shall be noted that the payment application provider must submit the above-mentioned recommendations even if the specific parameter:

• Cannot be controlled by the payment application provider after the application installation by the client;
• It is the responsibility of the client, and not the payment application provider.

In addition, the standard encompasses:

• all selected platforms of the audited version of the payment application (platforms must be specified);
• methods and means within the payment application or used by it with the purpose to access and (or) viewing the cardholder data (logging, accounting, etc.);
• all software components related to the payment application, including requirements and interdependencies of third-party software;
• all other types of payment applications necessary for complete implementation;
• methodology for deciding on the version of the provider.

What are the specific requirements of PA DSS?

PA DSS consists of 14 requirements, let’s go through them.

1. Do not store complete data from the magnetic stripe, code, card verification value (CAV2, CID, CVC2, CVV2) or data of PIN block;
2. Ensuring safe and secure storage of cardholder data;
3. Provision of safe authentication function;
4. Logging the activity of the payment application;
5. Developing safe payment applications;
6. Protecting wireless data transfer;
7. Testing payment applications with the purpose to eliminate vulnerabilities and regularly updating the applications;
8. Ensuring the possibility of implementing payment applications within a safe network environment;
9. Cardholder data must never be stored on the server connected to the Internet;
10. Ensuring safe remote access to the payment application;
11. Encrypting confidential traffic in public networks;
12. Encrypting non-console administrative access;
13. Preparing the Guidelines for PA DSS implementation for clients, integrators, and resellers;
14. Determining responsibilities for employees in relation to PA DSS standards and organizing training programs for clients, integrators, and resellers.

Like other standards, PA DSS is regularly updated. What does this process look like?

PCI SSC council follows a three-year cycle of standard updating. The first year is implementing the standard in the industry, the second year is collecting feedback in the form of comments and suggestions from members of the payment card industry, and the third year is preparing a new standard version.

Between those stages, PCI SSC Community Meeting conferences are held. These conferences consist of American and European sessions during which organizations-participants, international payment systems, consultants and QSA (Qualified Security Assessor)-auditors, as well as merchants and service providers discuss the future of the standard and related documents.

Here’s a quick overview of the history of PA DSS changes:

• 1 — the standard was accepted on April 15, 2008;
• 2 — the standard was updated on October 15, 2008;
• 2.1 — July 2009;
• 0 — January 2010;
• 0 — February 2014;
• 1 — July 2015;
• 2 — the latest version that was updated in May 2016.

The bottom line

As it is clear from today’s discussion, the topic of regulatory compliance is both vast and complicated. And we can say that from experience — at Elinext, we deliver solutions to clients even in the most strictly regulated areas. To be able to do that, we ensure compliance with the applicable standards, be it PCI DSS, HIPAA, or others, and keep a close on all updates so that our customers can have peace of mind.

If you are looking for a reliable partner who can help you navigate the compliance landscape and deliver solutions that meet your business needs and expectations, contact us today, and let’s discuss your project.