-
What is PA-DSS?
-
The Payment Application Data Security Standard (PA-DSS) is a security standard managed by the Payment Card Industry Security Standards Council (PCI SSC). This standard is based on Visa’s Payment Application Best Practices (PABP). The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties such as merchants or service providers.
-
Why do merchants need to use applications which have been validated as compliant with PA-DSS?
-
It has been discovered, through account data compromise investigations, that vulnerable payment applications which store prohibited data are the leading cause of account data compromises, especially among small merchants. The goal of PA-DSS is to assist software vendors in developing secure payment applications that do not store prohibited data, such as full magnetic stripe data, card verification values, or PIN data, and to ensure their payment applications support the merchant’s obligation to comply with the Payment Card Industry Data Security Standard (PCI DSS). In addition, Visa has mandated that merchants only use applications which have been validated as compliant with PA-DSS through its Payment Application Compliance Program (PACP).
-
When is the deadline for merchants to upgrade to a PA-DSS validated application?
-
The Visa Payment Application Compliance Program (PACP) requires all merchants to be utilizing applications which have been validated as compliant to PA-DSS no later than July 01, 2010.
-
What will happen if I don’t comply with the Visa Payment Application Compliance Program?
-
Merchants that do not utilize payment applications that have been validated as compliant with PA-DSS are at greater risk of suffering an account data compromise, as they may be storing prohibited data coveted by attackers. In addition, Visa may impose a non-compliance fine of $10,000 for each merchant that is found to be non-compliant. Furthermore, if your business is involved in a security breach which results in the compromise of credit card data, additional fines may be imposed by the payment brands. Note: Processing services for existing merchants will not be disconnected or shut down by Moneris while merchants are upgrading their payment application (unless Moneris is otherwise required to terminate an existing merchant due to an incident which is separate and apart from the upgrade to the payment application). However, Visa at its discretion may impose non-compliance fines. Fines will be retroactive in the event that a merchant is found, through the investigation of a data compromise, to be utilizing a non-compliant payment application.
-
Why am I responsible for this? Why don’t you call my software vendor for this info?
-
It is the merchant’s responsibility to comply with the card brand rules, and it is the merchant’s obligation to ensure that the payment application used to process payments is compliant with PA-DSS. It is, however, the software vendor’s responsibility to ensure that the software they develop is PA-DSS compliant and goes through the validation process to prove it. We suggest that you contact your software vendor or reseller to discuss the status of their application’s compliance with PA-DSS.
-
What is a software vendor?
-
A software vendor is the company that creates the application/software. The software vendor may sell and support their product directly or they may use Value Added Resellers and Integrators (VARs) to distribute, install and support their product.
-
What is middleware?
-
Middleware is a software application which is often used to enable communication between an application and a payment gateway in order to facilitate transactions. The middleware vendor may sell and support their product directly or they may use Value Added Resellers and Integrators (VARs) to distribute, install and support their product.
-
What is a Value Added Reseller (VAR)?
-
A Value Added Reseller is a company that sells, distributes, installs, and supports software products on behalf of organizations that develop the software application.
-
Where can I obtain a list of payment applications that have been validated as compliant to PA-DSS?
-
The PCI Security Standards Council publishes a list of PA-DSS validated applications on its website. The list of PA-DSS validated applications is maintained by the PCI Security Standards Council and is updated on a regular basis.
-
My software vendor called to advise me that I need to upgrade to a version of their software that has been validated as PA-DSS compliant. Is this true?
-
By July 2010 all merchants must be utilizing payment applications that have been validated as compliant with PA-DSS. We recommend that you identify the payment application(s) and version(s) that you are currently utilizing and determine whether each is PA-DSS validated. If it is not, you must upgrade to a validated version. It is your choice whether to upgrade your current application or move to a new application altogether. Either way, make sure that the application you choose to move forward with is on the PA-DSS list of validated applications published by the PCI Security Standards Council on its website. This list is updated on a regular basis.
-
My software application is not PA-DSS compliant and my software vendor has no plans to make it compliant or go through the compliance validation process. What should I do?
-
If your software vendor has no intention of validating their application to PA-DSS, and therefore of supporting your obligation to utilize PA-DSS compliant applications and to comply with PCI DSS, you have no choice but to seek a new payment application or change to a standalone terminal solution.
-
How do I confirm that my payment application has been validated as compliant to PA-DSS?
-
Visit the PCI SSC list of validated applications. Please ensure that you confirm that the application and version listed match the application and version that you are utilizing. If your software vendor is not on the list, ask your software vendor to provide written confirmation from the Payment Application Qualified Security Assessor (PA-QSA) that conducted the PA-DSS review, confirming that the application was successfully validated to PA-DSS.
-
If I apply for a merchant account with Moneris am I required to confirm that the payment application I use has been validated as compliant with PA-DSS?
-
Yes. Any merchant that is applying for a new merchant account with Moneris will need to confirm that the payment application which they are using has been validated as compliant with PA-DSS, provided that the application falls within the scope of the PA-DSS mandate. PA-DSS does not apply to custom applications which are developed for one merchant and are not commercially available, and PA-DSS does not apply to standalone terminals.