The Payment Application Data Security Standard (PA-DSS) is a security standard managed by the Payment Card Industry Security Standards Council (PCI SSC). This standard is based on Visa’s Payment Application Best Practices (PABP). The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties such as merchants or service providers.
Many merchants in the payments industry today use third-party payment applications, tailored to their business needs, to help them accept credit card payments. Account data compromise statistics show that vulnerable payment applications which store prohibited data are the leading cause of account data compromises, especially among small merchants. The goal of PA-DSS is to help software vendors develop secure payment applications that do not store prohibited data, such as full magnetic stripe data, card verification values, or PIN data, and to ensure that their payment applications support the merchant’s obligation to comply with the Payment Card Industry Data Security Standard (PCI DSS).
Visa Canada's Payment Application Compliance Program
Visa Canada has established timeframes by which acquirers must ensure that all merchants (new and existing) who use payment application software to process transactions with their acquirers use only software that has been validated against PA-DSS or PABP requirements.
By 1 October 2008, all acquirers must ensure that any newly boarded merchant that uses payment application software only uses payment application software that has been validated to comply with PABP or PA-DSS requirements.
By 1 July 2010, all acquirers must ensure that all merchants (new and existing) who use payment application software only use payment application software that has been validated to comply with PABP or PA-DSS requirements.
MasterCard Payment Application DSS Mandate
Effective 1 July 2012, MasterCard will revise the MasterCard SDP Program Standards to require all merchants and Service Providers that use third-party-provided payment applications to use only those applications that are compliant with the Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS), as applicable. The applicability of the PCI PA-DSS to third-party-provided payment applications is defined in the PCI PA-DSS Program Guide. In addition, MasterCard will establish a new PA-DSS compliance validation requirement for Level 1, Level 2, and Level 3 merchants as well as Level 1 and Level 2 Service Providers.