Recent FAQ Changes

❓ FAQ 1279 Deleted 2026-02-25T15:57:39.434341+00:00

How does using a PA-DSS validated application affect the scope of a merchant's PCI DSS assessment?

Applications which are PA-DSS validated have been assessed by a PA-QSA as meeting all PA-DSS requirements. This means the application, when properly installed and configured, is capable of supporting the …

❓ FAQ 1288 Deleted 2026-02-25T15:57:39.434341+00:00

Does PA-DSS Requirement 3.3.2 apply to passwords used by the payment application to access other systems/applications (e.g. for the payment application to access a third-party database)?

PA-DSS Requirement 3.3.2 applies to all passwords generated or managed by the payment application that are used to authenticate access to the payment application. This requirement is not intended to …

❓ FAQ 1183 Deleted 2026-02-25T15:57:39.434341+00:00

The PA-DSS Program Guide says application version numbers may consist of a combination of fixed and variable alphanumeric characters. What does this mean?

Application version numbers may consist of any combination of alphanumeric characters to create a unique version, discernible from other versions of that payment application, based on the vendor's versioning methodology. …

❓ FAQ 1271 Deleted 2026-02-25T15:57:39.434341+00:00

Can I combine sections from different versions of the PA-DSS?

No. When validating payment application compliance through a Report on Validation (ROV) you may not 'combine' requirements from multiple versions of the standard — your assessment must be to one …

❓ FAQ 1355 Deleted 2026-02-25T15:57:39.434341+00:00

Are applications listed as Acceptable only for Pre-existing Deployments able to meet the current PA-DSS and PCI DSS?

Payment applications that are listed as Acceptable only for Pre-existing Deployments have previously been validated as meeting PA-DSS but the validation is no longer current. This may be due to …

❓ FAQ 1261 Deleted 2026-02-25T15:57:39.434341+00:00

Does a P2PE validated application also need to be validated against PA-DSS?

The P2PE Standard does not require applications solely used in a P2PE solution to be validated to PA-DSS. PA-DSS and P2PE are distinct PCI standards with separate requirements and programs, …

❓ FAQ 1602 New 2026-02-03T17:56:23+00:00

Should entities with enterprise or internal service providers, used to provide internal services to other corporate entities, conduct separate PCI DSS assessments of these service providers or include them as part of each corporate entity’s PCI DSS assessment?

Assessed entities have the discretion to either have enterprise functions assessed separately as an internal service provider or include those functions in each individual corporate entity’s PCI DSS assessment. Regardless …

❓ FAQ 1223 Deleted 2026-01-21T15:01:10.141934+00:00

Does PCI DSS, PA-DSS, or PTS apply to ATMs?

PCI DSS applies to entities involved in payment card processing or that otherwise store, process, or transmit cardholder data; the Payment Application Data Security Standard (PA-DSS) applies to payment applications …

❓ FAQ 1052 Deleted 2026-01-21T15:01:10.141934+00:00

Can a payment application that implements the same cryptographic keys across multiple installations be PA-DSS compliant?

No. If cryptographic keys are provided by the application vendor as part of the application, the keys must be unique to each customer or installation. An application that requires the …

❓ FAQ 1053 Deleted 2026-01-21T15:01:10.141934+00:00

Can a payment application that uses cryptographic keys hard-coded by the vendor be PA-DSS compliant if they cannot be changed by the customer?

No. In order to meet PA-DSS and PCI DSS requirements, the payment application must facilitate the customers' ability to perform key changes periodically and as required by the customer in …

Recent FAQ Changes RSS