The Payment Application Data Security Standard (PA-DSS) is a security standard managed by the Payment Card Industry Security Standards Council (PCI SSC). This standard is based on Visa’s Payment Application Best Practices (PABP). The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties such as merchants or service providers.
Why do merchants need to use applications which are compliant with PA-DSS?
It has been discovered, through account data compromise investigations, that vulnerable payment applications which store prohibited data are the leading cause of account data compromises, especially among small merchants. The goal of PA-DSS is to assist software vendors in developing secure payment applications that do not store prohibited data, such as full magnetic stripe data, card verification values, or PIN data, and to ensure their payment applications support the merchant’s obligation to comply with the Payment Card Industry Data Security Standard (PCI DSS).
In addition, Visa has mandated, through its payment application compliance program, that merchants only use applications which are compliant with PA-DSS.
When is the deadline for merchants to upgrade to a PA-DSS compliant application?
The Visa payment application compliance program requires all merchants to be using applications which are compliant with PA-DSS no later than July 01, 2010.
What will happen if I don’t comply with the Visa payment application compliance program?
Merchants that do not use payment applications that are compliant with PA-DSS are at greater risk of suffering an account data compromise, as they may be storing prohibited data coveted by attackers. In addition, Visa may impose a non-compliance fine on each merchant that is found to be non-compliant. Furthermore, if your business is involved in a security breach which results in the compromise of credit card data, additional fines may be imposed by the payment brands.
Note: Processing services for existing merchants will not be disconnected or shut down by Moneris while merchants are upgrading their payment application (unless Moneris is otherwise required to terminate an existing merchant due to an incident which is separate and apart from the upgrade to the payment application). However, Visa, at its discretion, may impose non-compliance fines.
Why am I responsible for this? Why don’t you call my software vendor for this info?
It is the merchant’s responsibility to comply with the card brand rules. It is the merchant’s obligation to ensure that the payment application used to process payments is compliant with PA-DSS. It is, however, the software vendor’s responsibility to ensure that the software they develop is PA-DSS compliant and goes through the validation process to prove it.
We suggest that you contact your software vendor or reseller to discuss the status of their application’s compliance with PA-DSS.