PA-DSS: Payment Application Data Security Standard
The Payment Application Data Security Standard (PA-DSS) is a security standard maintained by the Payment Card Industry Security Standards Council (PCI SSC). It grew out of Visa’s Payment Application Best Practices (PABP). PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where those applications are sold, distributed, or licensed to third parties such as merchants or service providers.
Many merchants today use third-party payment applications, tailored to their business needs, to accept credit card payments. Account data compromise statistics show that vulnerable payment applications that store prohibited data are the leading cause of account data compromises, especially among small merchants. The goal of PA-DSS is to help software vendors build secure payment applications that do not store prohibited data (sensitive authentication data such as full magnetic stripe data, card verification values, or PIN data) after authorization, and that support the merchant’s obligation to comply with the Payment Card Industry Data Security Standard (PCI DSS).
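The prohibited data elements listed above are what an assessor looks for in an application’s databases, logs, and crash dumps after authorization. The following Python scanner is an added example, not code from Moneris, Visa, or the PCI SSC: it runs over a few constructed log lines and flags Track 1 and Track 2 magnetic stripe data, card verification values, and PIN blocks (sensitive authentication data, never storable) separately from a readable PAN outside a track (storable only if rendered unreadable). The log format, the field names `cvv2` and `pinblock`, and the industry test PANs are assumptions made for the example; the track layouts and the Luhn check are the standard ones.

```python
import re

# Constructed sample log lines (not real data; 4111111111111111 and
# 5500000000000004 are well-known test PANs). Field names are assumed.
SAMPLE_LOG = [
    "2010-06-30 12:00:01 auth ok pan=411111******1111 exp=1212 amount=19.99",
    "2010-06-30 12:00:02 swipe raw=;4111111111111111=12121011234567890?",
    "2010-06-30 12:00:03 swipe raw=%B5500000000000004^DOE/JOHN^12121011234567890?",
    "2010-06-30 12:00:04 keyed pan=5500000000000004 cvv2=123",
    "2010-06-30 12:00:05 debit pinblock=0123456789ABCDEF",
]

# Track 1: %B<PAN>^<name>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}\d{3}[^?]*\??")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(r";?(\d{13,19})=\d{4}\d{3}\d*\??")
# Card verification value and PIN block as key=value fields (field names assumed)
CVV = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\s*[:=]\s*(\d{3,4})\b", re.IGNORECASE)
PIN_BLOCK = re.compile(r"\b(?:pin_?block)\s*[:=]\s*([0-9A-Fa-f]{16})\b", re.IGNORECASE)
# Loose 13-19 digit run that is not part of a longer digit run
PAN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

SENSITIVE_AUTH_DATA = {"track1", "track2", "cvv", "pin_block"}


def luhn_ok(digits: str) -> bool:
    """Luhn check: cuts false positives from timestamps and reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the PCI DSS display rule); star out the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_prohibited(line: str) -> list:
    """Return (kind, evidence) pairs for one line; PANs are reported masked."""
    findings = []
    for kind, pattern in (("track1", TRACK1), ("track2", TRACK2)):
        for m in pattern.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((kind, mask_pan(m.group(1))))
    # Blank out track spans so their PAN is not reported a second time as a loose PAN.
    stripped = TRACK2.sub("<track>", TRACK1.sub("<track>", line))
    for m in CVV.finditer(stripped):
        findings.append(("cvv", m.group(1)))
    for m in PIN_BLOCK.finditer(stripped):
        findings.append(("pin_block", m.group(1)))
    for m in PAN.finditer(stripped):
        if luhn_ok(m.group(1)):
            findings.append(("pan_cleartext", mask_pan(m.group(1))))
    return findings


def scan(lines) -> tuple:
    """Return (sad_lines, pan_lines): 1-based line numbers holding sensitive
    authentication data, and those holding a readable PAN outside a track."""
    sad, pan = [], []
    for n, line in enumerate(lines, 1):
        kinds = {kind for kind, _ in find_prohibited(line)}
        if kinds & SENSITIVE_AUTH_DATA:
            sad.append(n)
        if "pan_cleartext" in kinds:
            pan.append(n)
    return sad, pan


if __name__ == "__main__":
    for n, line in enumerate(SAMPLE_LOG, 1):
        print(n, find_prohibited(line))
    print("SAD on lines:", scan(SAMPLE_LOG)[0], "readable PAN on lines:", scan(SAMPLE_LOG)[1])
```

Only the first sample line is clean: the PAN is already truncated, so neither the loose-PAN pattern nor the Luhn check fires on it. The two swipe lines show why a raw-swipe debug log is the classic PA-DSS failure: the whole track, not just the PAN, ends up on disk. Track spans are removed before the loose-PAN pass so that each track is counted once, as sensitive authentication data rather than also as a stored PAN.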
PA-DSS & Visa Canada PACP Frequently Asked Questions
PA-DSS applies to:
- Payment applications that are typically sold “off the shelf” by software vendors without much customization.
- Payment applications that are commercially available.
PA-DSS does not apply to:
- Payment applications developed in-house by a merchant and used only internally.
- Custom applications developed for a specific merchant based on its requirements and not commercially available.
- Software as a service: services offered by service providers where the application or virtual terminal resides at the service provider’s site and no software components are installed on the merchant’s computer systems.
- Non-payment applications: applications that do not store, process, or transmit cardholder data as part of authorization or settlement. Examples include operating systems (Windows, Linux, UNIX), database systems that may store cardholder data (MS SQL, Oracle, MySQL), and back-office systems that may store cardholder data (for example, for customer service or reporting).
- Standalone hardware point-of-sale terminals (specific qualifications apply).
For a more detailed explanation of the scope of PA-DSS please review the PA-DSS Requirements and Security Assessment Procedures.
The PCI SSC maintains a comprehensive list of payment applications that have been successfully validated against PA-DSS on its website.
Visa Canada Payment Application Compliance Program (PACP)
Visa Canada has implemented a mandate for payment application compliance. This mandate establishes timeframes by which Acquirers must ensure that all merchants (new and existing) who use payment application software to process transactions only use such software that has been validated against PA-DSS or PABP requirements.
Phase I – Effective October 01, 2008
By 1 October 2008, all acquirers must ensure that any newly boarded merchant that uses payment application software only uses payment application software that has been validated to comply with PABP or PA-DSS requirements.
Please note that “newly boarded” refers only to new merchants that accept Visa cards for payment. It does not include existing merchants who switch Acquirers, nor a new outlet store in a merchant chain or franchise.
Phase II – Effective July 01, 2010
By 1 July 2010, all merchants (new and existing) who use payment application software must ensure that the software has been validated to comply with PABP or PA-DSS requirements.
Moneris Solutions is committed to working with our merchants and their payment application vendors to meet the mandated requirements in a timely fashion that will minimize business disruption. This mandate is enforced by Visa Canada and applies to all payment processors.
For additional information on the Visa Canada Payment Application Compliance Program please visit the Visa website.