FAQ #1020 Diff
How does the PCI PA-DSS integrate with the PCI Data Security Standard (DSS)?
Earlier Version

The requirements for Payment Application Data Security Standard (PA-DSS) are derived from the Payment Card Industry Data Security Standard (PCI DSS). This document details what is required for a merchant to be PCI DSS compliant (and therefore what a payment application must support to facilitate a merchant’s PCI DSS compliance). Traditional PCI DSS compliance may not apply to payment application vendors since most vendors do not store, process, or transmit cardholder data. However, because these payment applications are used by merchants to store, process, and transmit cardholder data, and merchants are required to be PCI DSS compliant, payment applications should facilitate, and not hinder, merchants’ PCI DSS compliance. The Payment Application Data Security Standard (PA-DSS) requirements have been derived from the PCI DSS Requirements to define what a payment application must support to facilitate a customer’s PCI DSS compliance.

Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of cardholder data or sensitive authentication data. However, use of a PA-DSS compliant application does not by itself make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and in accordance with the PA-DSS Implementation Guide provided by the payment application vendor (per PA-DSS Requirement 13.1).

Later Version

The requirements for Payment Application Data Security Standard (PA-DSS) are derived from the Payment Card Industry Data Security Standard (PCI DSS). This document details what is required for a merchant to be PCI DSS compliant (and therefore what a payment application must support to facilitate a merchant’s PCI DSS compliance). Traditional PCI DSS compliance may not apply to payment application vendors since most vendors do not store, process, or transmit cardholder data. However, because these payment applications are used by merchants to store, process, and transmit cardholder data, and merchants are required to be PCI DSS compliant, payment applications should facilitate, and not prevent, merchants’ PCI DSS compliance. Just a few of the ways payment applications can prevent a merchant’s compliance are: 1) storage of magnetic stripe data in the merchant’s network after authorization; 2) applications that require merchants to disable other features required by PCI DSS, such as anti-virus software or firewalls, and; 3) vendors that use unsecured methods to connect to the application to provide support to the merchant.

Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of cardholder data or sensitive authentication data. However, use of a PA-DSS compliant application does not by itself make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and in accordance with the PA-DSS Implementation Guide provided by the payment application vendor (per PA-DSS Requirement 13.1).
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.