Payment Applications

Introduction

The Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS) is a comprehensive set of international security requirements for software vendors and others that develop payment applications, requiring that those applications do not store prohibited data, such as full magnetic-stripe data, other sensitive authentication data or PIN data, as part of the authorization or settlement of a payment card transaction. PA-DSS compliant applications help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data, and support overall compliance with the PCI Data Security Standard (DSS).
 
Payment Application Data Security Standard

Visa strongly encourages payment application vendors to develop and validate the conformance of their products to the PA-DSS. PA-DSS compliant applications help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data, and support overall compliance with the PCI DSS. PA-DSS applies only to third-party payment application software that stores, processes or transmits cardholder data as part of an authorization or settlement. PA-DSS does not apply to software applications developed by merchants and agents for in-house use only. These in-house software applications are covered within a merchant or agent's PCI DSS assessment.
 
The PCI SSC is responsible for maintaining and updating the PA-DSS and all related documentation, Payment Application Qualified Security Assessor (PA-QSA) qualification and training, Reports of Validation (ROV) submissions and quality assurance as well as the listing of PA-DSS validated payment applications.
 
For more information on PA-DSS, including validation requirements and a list of PA-DSS validated applications, please visit the PCI SSC website at www.pcisecuritystandards.org.

Payment Application Security Mandates

Visa will implement a series of mandates to eliminate the use of non-secure payment applications from the Visa payment system. These mandates require Visa clients to ensure that their merchants and service providers use payment applications that are compliant with PA-DSS. The mandates take effect in phases as follows:
 
Phase   Payment Application Compliance Mandate                                                         Effective Date
-----   ---------------------------------------------------------------------------------------------  --------------
1       Newly boarded merchants [1] must use PA-DSS compliant payment applications or must be          1 July 2010
        PCI DSS compliant
2       Acquirers must ensure all their merchants and service providers use PA-DSS compliant           1 July 2012
        payment applications

[1] A newly boarded merchant is a newly executed merchant account with an acquirer.

For purposes of the mandates, payment applications apply only to third-party payment application software that stores, processes or transmits cardholder data as part of an authorization or settlement of a payment card transaction. Traditionally used in point-of-sale (POS) systems, payment applications are typically designed for use on a PC-based architecture (e.g., desktops and servers running on a Windows, Unix or Linux operating system). PA-DSS does not apply to merchant or agent in-house developed applications, stand-alone hardware terminals or PIN Entry Devices (PEDs).
 
In addition, software-as-a-service (SaaS) solutions hosted completely at a third party are not within scope of the mandates, provided no payment-application configurations, controls or systems reside on the merchant's or service provider's systems. In that case, merchants must instead use PCI DSS compliant service providers to provide the SaaS solution. PA-DSS compliant payment applications must be used if any such configurations, controls or systems do reside at the merchant or service provider location.