What is PA-DSS? The Payment Application Data Security Standard (PA-DSS) is a security standard managed by the Payment Card Industry Security Standards Council (PCI SSC). This standard is based on Visa’s Payment Application Best Practices (PABP). The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties such as merchants or service providers. Why do merchants need to use applications which are compliant with PA-DSS? It has been discovered, through account data compromise investigations, that vulnerable payment applications which store prohibited data are the leading cause of account data compromises, especially among small merchants. The goal of PA-DSS is to assist software vendors develop secure payment applications that do not store prohibited data, such as full magnetic stripe data, card verification values, or PIN data, and ensure their payment applications support the merchant’s obligation to comply with the Payment Card Industry Data Security Standard (PCI DSS). In addition Visa has mandated that merchants only use applications which are compliant with PA-DSS through their payment application compliance program. When is the deadline for merchants to upgrade to a PA-DSS compliant application? The Visa payment application compliance program requires all merchants to be utilizing applications which are compliant to PA-DSS no later than July 01, 2010. What will happen if I don’t comply with the Visa payment application compliance program? Merchants that do not utilize payment applications that are compliant with PA-DSS are at greater risk of suffering an account data compromise as they may be storing prohibited data coveted by attackers. In addition Visa may impose a non-compliance fine for each merchant that is found to be non-compliant. Furthermore, if your business is involved in a security breach which results in the compromise of credit card data, additional fines may be imposed by the payment brands. Note: Processing services for existing merchants will not be disconnected or shutdown by Moneris while merchants are upgrading their payment application (unless Moneris is otherwise required to terminate an existing Merchant due to an incident which is separate and apart from the upgrade to the payment application) . However, Visa at their discretion may impose non-compliance fines. Why am I responsible for this? Why don’t you call my software vendor for this info? It is the merchant’s responsibility to comply with the card brand rules. It is the merchant’s obligation to ensure that the payment application used to process payments is compliant to PA-DSS. It is however the software vendor’s responsibility to ensure that the software that they develop is PA-DSS compliant and goes through the validation process to prove it. We suggest that you contact your software vendor or reseller to discuss the status of their application’s compliance to PA-DSS. What is a software vendor? A software vendor is the company that creates the application/software. The software vendor may sell and support their product directly or they may use Value Added Resellers and Integrators (VARs) to distribute, install and support their product. What is Middleware? Middleware is a software application which is often used to enable communication between an application and a payment gateway to facilitate transactions. The middleware vendor may sell and support their product directly or they may use Value Added Resellers and Integrators (VARs) to distribute, install and support their product. What is a Value Added Reseller (VAR)? A Value Added Reseller is a company that sells, distributes, installs, and supports software products on behalf of organizations that develop the software application. Where can I obtain a list of payment applications that are PA-DSS compliant? The PCI Security Standards Council publishes a list of PA-DSS compliant applications on their website. To view the listing click on the following link here. The list of PA-DSS validated applications is maintained by the PCI Security Standards Council and is updated on a regular basis. My software vendor called to advise me that I need to upgrade to a version of their software that is compliant to PA-DSS? Is this true? By July 2010 all merchants must be utilizing payment applications that are compliant with PA-DSS. We recommend that you identify the payment application(s) and version(s) that you are currently utilizing and determine whether it is PA-DSS compliant. If it is not, you must upgrade to a compliant version. It is your choice whether to upgrade your current application or move to a new application altogether. Either way, make sure that the application you choose to move forward with is a PA-DSS compliant application. We recommend that you use the PCI SSC list of PA-DSS validated payment applications as a resource to identify compliant applications. The PCI Security Standards Council list of PA-DSS validated applications can be found here. This list is updated on a regular basis. My software application is not PA-DSS compliant and my software vendor has no plans to make it compliant or go through the compliance validation process, what should I do? If your software vendor has no intention of developing a PA-DSS compliant application or supporting your obligation to utilize PA-DSS compliant applications and complying with PCI DSS you have no choice but to seek a new payment application or change to a standalone terminal solution. How do I confirm that my payment application is compliant to PA-DSS and has been independently validated? Visit the PCI SSC list of compliant applications found here. Please ensure that you confirm that the application and version listed matches the application and version that you are utilizing. If your software vendor is not on the list ask your software vendor to provide written confirmation from the Payment Application Qualified Security Assessor (PA-QSA) that conducted the PA-DSS review confirming that the application is PA-DSS compliant. If I apply for a merchant account with Moneris am I required to confirm that the payment application I use is PA-DSS compliant? Yes. Any merchant that is applying for a new merchant account with Moneris will need to confirm that the payment application which they are using is compliant to PA-DSS provided that the application falls into scope of the PA-DSS mandate. PA-DSS does not apply to custom applications which are developed for one merchant and are not commercially available and PA-DSS does not apply to standalone terminals.