websecurity@lists.webappsec.org

The Web Security Mailing List


Re: [WEB SECURITY] [Web Security] Can a PADSS certified system be hacked

Christian Heinrich
Fri, May 24, 2013 10:26 AM

Sarvesh,

The root cause of the issue would be
http://www.slideshare.net/cmlh/padss/11 then.

Is the product listed on
https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true,
and did it undergo the penetration test provided to the bank, i.e. *not* by the
PA-QSA, since they would be listed against the VPA?

On Fri, May 24, 2013 at 4:24 PM, sarvesh shete <sarvesh.sse@gmail.com> wrote:

> Actually, the reason I asked this question is that the same case happened in my
> organization.
> I work for a company that develops banking products. We have a product that is PADSS
> certified, and while delivering it to a bank that is our new client, the
> product 'go live' has been put on hold because the bank carried out penetration
> testing through another company that specializes in penetration testing based
> on pure hacking stuff. Though the pen testers could not break the encryption or
> hashing done on stored card numbers, they were able to find flaws in a few
> screens of the application, like XSS, SQL injection etc., because in some screens
> developers missed out server-side validations. Now the client bank says: if
> your product is PADSS certified, then why such issues? It must be completely
> secure. We have no answer! Surely we can fix them, but we have got no
> explanation for why such issues still exist even though the product is PADSS
> certified.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact
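The two flaw classes the quoted message names, SQL injection and XSS on screens that skipped server-side validation, beside the server-side fix. This is an added example and is not code from the thread or from Sarvesh's product; the in-memory SQLite table, its column names and the sample rows are constructed for illustration, and the card data is stored only as a hash plus a masked form, matching the message's statement that stored card numbers were encrypted or hashed.

```python
"""
Added example (not from the original thread or the product it discusses):
a 'card lookup' screen that trusts a request parameter, shown vulnerable and
fixed. Table/column names and sample rows are assumptions for illustration.
"""
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: no real PANs, only a masked form and a hash.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (account_id TEXT, masked_pan TEXT, pan_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?, ?)",
        [
            ("ACC-1001", "4111 **** **** 1111", "hash-a"),
            ("ACC-1002", "5500 **** **** 0004", "hash-b"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account_id: str) -> list:
    # Deliberately vulnerable: the request parameter is concatenated into SQL.
    sql = f"SELECT masked_pan FROM cards WHERE account_id = '{account_id}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn: sqlite3.Connection, account_id: str) -> list:
    # Server-side validation of the expected format (assumed ACC-NNNN here),
    # then a bound parameter so the value can never be parsed as SQL.
    if not re.fullmatch(r"ACC-\d{4}", account_id):
        raise ValueError("invalid account id")
    sql = "SELECT masked_pan FROM cards WHERE account_id = ?"
    return [row[0] for row in conn.execute(sql, (account_id,))]


def render_vulnerable(account_id: str) -> str:
    # Deliberately vulnerable: reflects the parameter into HTML unencoded.
    return f"<p>Results for account {account_id}</p>"


def render_fixed(account_id: str) -> str:
    # Output encoding for the HTML text context closes the reflected XSS.
    return f"<p>Results for account {html.escape(account_id, quote=True)}</p>"


def demo() -> dict:
    """Run both payloads against both versions and report what happened."""
    conn = make_db()
    sqli_payload = "' OR '1'='1"
    xss_payload = "<script>alert(1)</script>"

    vulnerable_rows = lookup_vulnerable(conn, sqli_payload)
    try:
        lookup_fixed(conn, sqli_payload)
        fixed_rejected = False
    except ValueError:
        fixed_rejected = True

    return {
        "sqli_rows_leaked": len(vulnerable_rows),   # every row, via OR '1'='1'
        "sqli_rejected_by_fix": fixed_rejected,
        "valid_lookup": lookup_fixed(conn, "ACC-1001"),
        "xss_raw_tag_present": "<script>" in render_vulnerable(xss_payload),
        "xss_encoded": "&lt;script&gt;" in render_fixed(xss_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for the thread: none of this is covered by the certification status of the product. A parameterised query and context-correct output encoding are ordinary application-security controls that a validation against a standard does not verify on every screen, which is exactly why a separate penetration test found them.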
