PA-DSS
What is PA-DSS?
The goal of the Payment Application Data Security Standard (PA-DSS) is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS.
Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to a third party are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS.
The PA-DSS Standard
Visa and MasterCard strongly encourage payment application vendors to develop and validate the conformance of their products to the PA-DSS. PA-DSS compliant applications help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data, and support overall compliance with the PCI DSS. PA-DSS applies only to third-party payment application software that stores, processes or transmits cardholder data as part of an authorization or settlement. PA-DSS does not apply to software applications developed by merchants and agents for in-house use only; these in-house applications are covered within the merchant's or agent's own PCI DSS assessment. The PCI SSC is responsible for maintaining and updating the PA-DSS and all related documentation, Payment Application Qualified Security Assessor (PA-QSA) qualification and training, Reports of Validation (ROV) submissions and quality assurance, as well as the listing of PA-DSS validated payment applications.
For more information on PA-DSS, including validation requirements and a list of PA-DSS validated applications please visit the PCI SSC website at www.pcisecuritystandards.org.
PA-DSS Requirements
- Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2) or PIN block data
- Provide secure password features
- Protect stored cardholder data
- Log application activity
- Develop secure applications
- Protect wireless transmissions
- Test applications to address vulnerabilities
- Facilitate secure network implementation
- Cardholder data must never be stored on a server connected to the Internet
- Facilitate secure remote access to the payment application
- Encrypt sensitive traffic over public networks
- Encrypt all non-console administrative access
- Maintain instructional documentation and training programs for customers, resellers, and integrators
PA-DSS Mandates
Visa and MasterCard will implement a series of mandates to eliminate the use of non-secure payment applications. These mandates require clients to ensure that their merchants and service providers use payment applications that are compliant with PA-DSS. The mandates will take effect over the next few years as follows:
| Phase | Payment Application Compliance Mandates | Effective Date |
|---|---|---|
| 1 | Newly boarded merchants¹ must use PA-DSS compliant payment applications or must be PCI DSS compliant | 1 July 2010 |
| 2 | Acquirers must ensure all their merchants and service providers use PA-DSS compliant payment applications | 1 July 2012 |

¹ A newly-boarded merchant is a newly executed merchant account with an acquirer.
For purposes of the mandates, payment applications apply only to third-party payment application software that stores, processes or transmits cardholder data as part of an authorisation or settlement of a payment card transaction. Traditionally used in point-of-sale (POS) systems, payment applications are typically designed for use on a PC-based architecture (e.g., desktops and servers running on a Windows, Unix or Linux operating system). PA-DSS does not apply to merchant or agent in-house developed applications, stand-alone hardware terminals or PIN Entry Devices (PEDs).
In addition, software-as-a-service (SaaS) solutions hosted completely at a third party are not within scope of the mandates, provided that no such configurations, controls or systems reside on the merchant's or service provider's systems. Instead, merchants must use PCI DSS compliant service providers to provide SaaS solutions. PA-DSS compliant payment applications must be used if any such configurations, controls or systems do reside at the merchant or service provider location.