accepting_payments hosted_tokenization hosted_tokenization hosted_price info_services hosted_paypage accepting_payments account_padlock account_padlock_hover_teal account_setup account_setup account_setup_black account_setup_teal alert_red alert_yellow benefits_balance benefits_balance benefits_health benefits_health_white benefits_pay benefits_pay_white benefits_perks business_convenience Install business_retail business_showroom business_takeout business_warehouse call_us_dark_blue call_us_teal call_us_white carousel_button_pause carousel_button_play check_blue check_white checkmark_circle_blue chevron_down_grey chevron_down_normal chevron_down_normal_black chevron_down_normal_dark_blue chevron_down_normal_hover_teal chevron_left_bold_dark_blue chevron_left_normal_black chevron_left_normal_white chevron_right_bold_dark_blue chevron_right_normal_black chevron_right_normal_white chevron_right_skinny chevron_up_normal chevron_up_normal_black chevron_up_normal_dark_blue chevron_up_normal_hover_teal circle_1_grey circle_1_teal circle_2_grey circle_2_teal circle_3_grey circle_3_teal clock_black close_x close_x_dark_blue close_x_hover_teal divot_down divot_left divot_left_outline divot_up email_receipts extra_location icon_fraud icon_fraud extra_register extra_users extra_users facebook flag_canada flag_usa form_checkmark form_checkmark_teal form_error_arrow_up google_plus innovation_api innovation_chip innovation_ecommerce innovation_hosted_pay_page innovation_new_merchant_guides innovation_seamless innovation_support innovation_teal innovation_white innovation_testing innovation_testing_teal linkedin location_pointer logo_moneris_full logo_moneris_full_hover logo_moneris_symbol logo_moneris_symbol_hover mail mail_teal map_marker max_cash_flow menu_hamburger menu_hamburger_hover_teal minus_normal payd_reports payd_reports payment_chip benefits_balance_2 PaydProPlus_report Increased Control Login Login payment_contactless security payment_swipe icon_management_payment people_teal phone_hover_teal phone_white plus_normal product_tracking real_time_report real_time_report_teal real_time_report_white search_magnifying_glass search_magnifying_glass_hover_teal service_billing service_consultation service_custom_dev service_dedicated_support_blue service_flexible_pricing_options_blue service_installation service_revenue_sharing_blue service_training_blue social_facebook social_linkedin social_twitter support_icon take_to_new_website_arrow take_to_new_website_arrow_hover_teal technical_questions technology_teal terminal_spec tips_troubleshooting triangle twitter vid_play_overlay ecommerce increase_sales increase_sales login settings mass_merchandise extra_user email support_icon price_arbitrage gift-card egift-card delivery seamless-gift-card accept-credit-debit max-cash-flow hardware PaydProPlus_report icon-circled_phone financial financial cash business_mgnt_soln information icon-deliver_electronic_data icon-bank icon-ecommerce icon-fraud icon-bank icon-management_payment-solution icon-creat_new_diff icon-maximized_cash_flow icon-credit_card icon-loyalty_card icon-optimized_spend icon-optimized_interchange icon-calendar icon-ppp_reports icon-product_track icon-product_track icon-partners icon-seamless_integration icon-receipt_fraud icon-decal-open icon-decal-open-fr hardware increase_sales elearning lightbulb consultation female settings call
Support Page

PA-DSS FAQs & Information

What is PA-DSS?

The Payment Application Data Security Standard (PA-DSS) is a security standard managed by the Payment Card Industry Security Standards Council (PCI SSC). This standard is based on Visa’s Payment Application Best Practices (PABP).  The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties such as merchants or service providers.

Why do merchants need to use applications which are compliant with PA-DSS?

It has been discovered, through account data compromise investigations, that vulnerable payment applications which store prohibited data are the leading cause of account data compromises, especially among small merchants.  The goal of PA-DSS is to assist software vendors develop secure payment applications that do not store prohibited data, such as full magnetic stripe data, card verification values, or PIN data, and ensure their payment applications support the merchant’s obligation to comply with the Payment Card Industry Data Security Standard (PCI DSS).

In addition Visa has mandated that merchants only use applications which are compliant with PA-DSS through their payment application compliance program.

When is the deadline for merchants to upgrade to a PA-DSS compliant application?

The Visa payment application compliance program requires all merchants to be utilizing applications which are compliant to PA-DSS no later than July 01, 2010.

What will happen if I don’t comply with the Visa payment application compliance program?

Merchants that do not utilize payment applications that are compliant with PA-DSS are at greater risk of suffering an account data compromise as they may be storing prohibited data coveted by attackers.  In addition Visa may impose a non-compliance fine for each merchant that is found to be non-compliant.  Furthermore, if your business is involved in a security breach which results in the compromise of credit card data, additional fines may be imposed by the payment brands.

Note: Processing services for existing merchants will not be disconnected or shutdown by Moneris while merchants are upgrading their payment application  (unless Moneris is otherwise required to terminate an existing Merchant due to an incident which is separate and apart from the upgrade to the payment application) .  However, Visa at their discretion may impose non-compliance fines.

Why am I responsible for this?  Why don’t you call my software vendor for this info?

It is the merchant’s responsibility to comply with the card brand rules.  It is the merchant’s obligation to ensure that the payment application used to process payments is compliant to PA-DSS.  It is however the software vendor’s responsibility to ensure that the software that they develop is PA-DSS compliant and goes through the validation process to prove it.

We suggest that you contact your software vendor or reseller to discuss the status of their application’s compliance to PA-DSS.

What is a software vendor?

A software vendor is the company that creates the application/software. The software vendor may sell and support their product directly or they may use Value Added Resellers and Integrators (VARs) to distribute, install and support their product.

What is Middleware?

Middleware is a software application which is often used to enable communication between an application and a payment gateway to facilitate transactions.  The middleware vendor may sell and support their product directly or they may use Value Added Resellers and Integrators (VARs) to distribute, install and support their product.

What is a Value Added Reseller (VAR)?

A Value Added Reseller is a company that sells, distributes, installs, and supports software products on behalf of organizations that develop the software application.

Where can I obtain a list of payment applications that are PA-DSS compliant?

The PCI Security Standards Council publishes a list of PA-DSS compliant applications on their website.  To view the listing click on the following link here.  The list of PA-DSS validated applications is maintained by the PCI Security Standards Council and is updated on a regular basis.

My software vendor called to advise me that I need to upgrade to a version of their software that is compliant to PA-DSS?  Is this true?

By July 2010 all merchants must be utilizing payment applications that are compliant with PA-DSS.  We recommend that you identify the payment application(s) and version(s) that you are currently utilizing and determine whether it is PA-DSS compliant.  If it is not, you must upgrade to a compliant version.  It is your choice whether to upgrade your current application or move to a new application altogether.  Either way, make sure that the application you choose to move forward with is a PA-DSS compliant application.  We recommend that you use the PCI SSC list of PA-DSS validated payment applications as a resource to identify compliant applications.  The PCI Security Standards Council list of PA-DSS validated applications can be found here. This list is updated on a regular basis.

My software application is not PA-DSS compliant and my software vendor has no plans to make it compliant or go through the compliance validation process, what should I do?

If your software vendor has no intention of developing a PA-DSS compliant application or supporting your obligation to utilize PA-DSS compliant applications and complying with PCI DSS you have no choice but to seek a new payment application or change to a standalone terminal solution. 

How do I confirm that my payment application is compliant to PA-DSS and has been independently validated?

Visit the PCI SSC list of compliant applications found here. Please ensure that you confirm that the application and version listed matches the application and version that you are utilizing.  If your software vendor is not on the list ask your software vendor to provide written confirmation from the Payment Application Qualified Security Assessor (PA-QSA) that conducted the PA-DSS review confirming that the application is PA-DSS compliant.

If I apply for a merchant account with Moneris am I required to confirm that the payment application I use is PA-DSS compliant?

Yes.  Any merchant that is applying for a new merchant account with Moneris will need to confirm that the payment application which they are using is compliant to PA-DSS provided that the application falls into scope of the PA-DSS mandate.  PA-DSS does not apply to custom applications which are developed for one merchant and are not commercially available and PA-DSS does not apply to standalone terminals.