FAQ #1020 Diff
How does the PCI PA-DSS integrate with the PCI Data Security Standard (DSS)?
Earlier Version
Later Version
Removed
Added
The PA-DSS details the requirements a payment application must meet in order to facilitate a customer’s PCI DSS compliance. PA-DSS validated payment applications, when implemented in a PCI DSS-compliant environment, can help minimize the potential for security breaches leading to compromises of PAN, full track data, card verification codes and values (CAV2, CID, CVC2, CVV2), and PINs and PIN blocks, along with the damaging fraud resulting from these breaches.
Use of a PA-DSS validated application does not by itself make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide provided by the payment application vendor.
PA-DSS applications are in scope for an entity’s PCI DSS assessment. The PCI DSS assessment should verify the PA-DSS validated payment application is properly configured and securely implemented per PCI DSS requirements. If the payment application has undergone any customization, a more in-depth review will be required during the PCI DSS assessment, as the application may no longer be representative of the version that was validated to PA-DSS.
Additionally, it should be noted that some payment brand rules may require the use of PA-DSS applications. Merchants should contact their acquirer or the payment brands directly to determine if they have any requirements.
Added: Payment brand contact details are provided in FAQ 1142.
Removed: Payment Application Data Security Standard (PA-DSS) are derived from the Payment Card Industry Data Security Standard (PCI DSS). This document details what is required for a merchant to be PCI DSS compliant (and therefore what a payment application must support to facilitate a merchant’s PCI DSS compliance). Traditional PCI DSS compliance may not apply to payment application vendors since most vendors do not store, process, or transmit cardholder data. However, because these payment applications are used by merchants to store, process, and transmit cardholder data, and merchants are required to be PCI DSS compliant, payment applications should facilitate, and not prevent, merchants’ PCI DSS compliance. Just a few of the ways payment applications can prevent a merchant’s compliance are: 1) storage of magnetic stripe data in the merchant’s network after authorization; 2) applications that require merchants to disable other features required by PCI DSS, such as anti-virus software or firewalls, and; 3) vendors that use unsecured methods to connect to the application to provide support to the merchant.
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.