Payment Application Validation and Software Lifecycle Compliance

At MegaplanIT, we have a keen understanding of the challenge businesses face in passing compliance assessments and remaining compliant over time. Our PA-DSS and SSF assessment services are designed to keep your costs and level of effort down while making it easy to stay compliant year after year.

Service Overview

The Payment Application Data Security Standard (PA-DSS) is the current and outgoing standard for payment applications that store, process, or transmit cardholder data. Using PA-DSS validated payment applications has enabled organizations to simplify the PCI DSS assessment process and reduce the effort required to test and validate the in-scope environment. 

In addition, software vendors have benefited from PA-DSS by providing organizations with secure applications designed to protect credit card data and support an entity’s PCI DSS compliance. With the scheduled retirement of PA-DSS in October 2022, software vendors and customers should consider the PCI Software Security Framework (SSF) validated payment applications for current development and implementations.

Our Approach

Our SSF payment application assessment services provide independent validation of all types of payment software, enabling software vendors to demonstrate to customers that their products can be relied upon to facilitate secure payment transactions. Our SSF software lifecycle assessment services (SLC) provide a path to independently validate how software vendors integrate security throughout the entire software lifecycle.

MegaplanIT provides assessment services using a project-based, multi-phased approach. Our experienced, qualified assessors perform the necessary testing procedures and report development while guiding you through the entire process.

How It Works

Get To Know The Ins & Outs Of The Assessment Process

Step One
Review Project Scope
Each assessment will start with the project scope and data collection. Your assessor will schedule a series of calls and collect documentation to obtain an overview of your payment solution architecture and development environment.
Step Two
Data Gathering, Review, and Analysis
We then start data gathering, review, and analysis. The assigned assessor will process and evaluate supporting documentation against the applicable PCI standards. In addition, potential security control gaps will be escalated and monitored.
Step Three
Application Penetration Testing
For SSF payment application assessments, MegaplanIT will access a mutually agreed upon secure lab environment to conduct hands-on operational and security testing that simulates real-world use of the application.
Step Four
Draft Report
The assessor will review and finalize collected evidence, draft an initial report (ROV/AOV, ROC/AOC), and prepare the evidence and draft deliverables for internal QA submission.
Step Five
MegaplanIT Quality Assurance
Your assessor will then submit the draft report and required documentation to MegaplanIT's internal Quality Assurance lead for objective and detailed review. MegaplanIT addresses QA recommendations before client draft delivery.
Step Six
Report Delivery & Project Closure

MegaplanIT will deliver the draft reports to you for review and feedback. After completing any additional updates and QA acceptance, the assessor will submit the final reports for validated payment applications and software lifecycles to the PCI SSC Assessor Quality Management (AQM) program for review and approval. Relevant feedback and findings of interest are communicated to the client as they are received from AQM.

Upon completing the AQM review and acceptance cycle, MegaplanIT will schedule a project closing meeting to review the overall project, receive feedback, conduct a Lessons Learned readout, and identify any further actions or next steps.


The Four Core Security Objectives

Payment applications for customer system installation (or sale, distribution, or licensing to third parties) qualify for assessment against the Secure Software Standard. However, software for single-customer or internal, in-house use is not eligible for this type of PCI assessment. The assessor documents the assessment results in a Report on Validation (ROV) and Attestation of Validation (AOV). Upon AQM approval and acceptance, the PCI SSC includes approved payment applications on its listing of Validated Payment Software.

MegaplanIT performs testing against the four core security objectives and associated security requirements detailed within the Secure Software Standard:

Minimizing the Attack Surface

Software Protection Mechanisms

Secure Software Operations

Secure Software Lifecycle Management

Webinar Recordings | Answers From Our Team of Certified Experts

Get Ready To Move From PA-DSS To SSF

The Challenges, Obstacles, And All The Guidance You'll Need Are Right Here

Why Choose MegaplanIT?

Our SSF software lifecycle assessment services (SLC) provide a path to independently validate how software vendors integrate security throughout the entire software lifecycle. MegaplanIT partners with your business. We work to understand your goals and objectives while identifying relevant ways that our services and team can support your current and future state. Our team tailors our service offerings to your organization, building projects with the necessary elements, such as an integrated gap assessment, to position your team for success and positive outcomes.

Streamline Your Assessment Process

Our expert QSAs know how to effectively implement the processes that merchants of all sizes need to protect cardholder data and keep sensitive information secure. 

We're Here To Help

Meet The Team

MegaplanIT’s Management Team oversees each project, working alongside our IT security specialists to ensure your company has a successful engagement. Our team of security consultants is certified with PCI-QSA, PA-QSA, PCIP, GPEN, CPISA, CPISM, CISSP, CISM, CISA, CGEIT, CCSP, and MCSE.

Anthony Petruso

VP Compliance Services

CISSP, QSA, ASV, P2PE-QSA, PA-QSA

Anthony is MegaplanIT’s VP of Compliance. As a seasoned Security and Compliance practitioner with over a decade of experience in the field of regulatory compliance, he is currently responsible for directing MegaplanIT’s Compliance Services while recruiting and mentoring MegaplanIT consultants to ensure client satisfaction and proper execution of each service offered.

Caleb Coggins

Director of Compliance Services

CISSP, GSNA, EnCE, QSA

Having spent over 20 years in the industry, Caleb’s experience spans multiple areas that include Auditing, Digital Forensics, Compliance, and IT/Security Operations. He enjoys collaborating with clients and teammates on projects to improve an organization’s security posture and effectively manage risk.

Jennifer Boyd

Principal Security Consultant

CISA, CISSP, PCI-QSA, CHPSE, CCSFP

Jennifer has worked on the MegaplanIT team for 4 years as a Principal Security Consultant. Her current responsibilities include performing comprehensive security assessments for MegaplanIT clients against regulations and standards including, but not limited to, PCI DSS, HIPAA Security, NIST, and ISO standards. In addition, she supports her clients by providing policy and procedure development and compliance advisory services.

William Ryan

Principal Security Consultant

PCI QSA, CISA, CISSP, CDPSE

William has decades of experience securing systems and data in both the public and private sectors. As an IT Security Manager, William was a trusted partner to key departments and business units including human resources, legal, risk management, and internal audit. William has led assessments for leading merchants, service providers, and application vendors as a QSA and PA-QSA in the United States and internationally.

Why Choose MegaplanIT

With decades of experience, MegaplanIT has a proven record of excellence in developing accurate PCI-DSS compliance reports that provide the best value in the industry. Contact us today to find out how our PCI-DSS Plus Program can help your business save time and reduce costs.

Receive Two QSAs Per Assessment

We assign a primary and secondary QSA to every PCI-DSS assessment, so you can always reach a compliance expert when you need one. Our policy of assigning two QSAs provides greater flexibility with your schedule and more accurate compliance reports.

Get A Free PCI DSS Gap Analysis

To save you time and the cost of your PCI assessment, we identify which services your business needs. Our goal is to have your organization prepared for the most recent iteration of the PCI DSS standard. We do this by comparing your cardholder environment’s current security controls against the revised requirements. We then provide an analysis that includes a list of which controls need to be updated or replaced.

Policies and Procedures Development


Trusted Advisory and Remediation

Our included Trusted Advisory and Remediation service means that MegaplanIT will advise you on any system changes made throughout the year that might affect your PCI compliance status. This service may reduce the time and cost of your PCI assessment year after year.

PCI Compliance Project Management

Our compliance project management service monitors compliance deadlines and tracks the completion of milestones throughout the assessment. While our QSAs are conducting your assessment, our management team aligns the necessary resources to facilitate an on-time completion of your final report. 

MegaplanIT Security and Compliance Services
We can bring success, time back, and expert advisors to your business.

Ready To Start Developing Your Compliance Plan?