The Payment Application Data Security Standard (PA-DSS) is a program designed to help companies like software vendors build secure payment applications that don’t store “prohibited data,” such as full magnetic stripe, PIN data, or CVV2.

PA-DSS makes sure payment applications support PCI DSS compliance. But the use of a PA-DSS compliant application by itself isn’t the same thing as being PCI-DSS compliant, nor is it a guarantee of PCI-DSS compliance.

According to the PCI Security Standards Council, the PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data and/or sensitive authentication data. These are typically commercial payment applications that are sold and installed by vendors to a third-party organization.

As outlined in the PA-DSS Program Guide, the standard does not apply to payment applications that are offered only as a service hosted by a service provider. This is because customers are not able to manage, install, or control the application; rather, it’s only offered as a service. Further, the application is already covered by the service provider’s PCI DSS review, and the application is not being sold, distributed, or licensed to third parties.

Other exceptions to the PA-DSS program are non-payment applications that are part of a payment application suite, including fraud-monitoring functions. All in-house payment applications are exempt from PA-DSS compliance, as are applications designed for or sold to a single end-user customer.

Visa used to manage a precursor to the PA-DSS program, formerly known as the Payment Application Best Practices (PABP). The Payment Card Industry Security Standards Council created the PA-DSS program in 2008.

PA-DSS vs. PCI-DSS

There are two primary standards of compliance when evaluating secure payment systems and storing credit card data: PCI-DSS and PA-DSS. While the two may sound similar, there are fundamental differences between them.

First, understand PCI-DSS. When an organization stores, processes, or transmits credit card data, it must meet the Payment Card Industry Data Security Standard (PCI-DSS). The PCI-DSS is made up of 12 main requirements and numerous directives or sub-requirements that address everything from network security to information security policies. This standard was developed in 2004 by major credit card companies to protect consumers, banks, and credit card vendors from data theft and fraud.

Credit card brands Visa, Mastercard, American Express, and JCB expanded their security initiative, known as the Payment Card Industry Security Standards Council (PCI SSC), to include financial institutions, merchants, processor companies, software developers, point-of-sale vendors, and others. The PCI SSC maintains all of the PCI standards, including the PA-DSS and the PCI-DSS.

One important distinction is that an in-house payment application developed by a merchant or service provider is not subject to PA-DSS, but will be required to be PCI-DSS compliant.

However, if a merchant then sells the payment application to a third party, then it is considered a software vendor and therefore subject to PA-DSS requirements.

While your company might be exempt from PA-DSS compliance, it is still worth consulting the standard and adopting its application security framework.

What are PA-DSS requirements?

In the “Payment Application Data Security Standard” (last updated in May 2016), the PCI SSC outlines 14 requirements and testing procedures for each:

  1. Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data.
  2. Protect stored cardholder data. 
  3. Provide secure authentication features.
  4. Log payment application activity.
  5. Develop secure payment applications.
  6. Protect wireless transmissions.
  7. Test payment applications to address vulnerabilities and maintain payment application updates. 
  8. Facilitate secure network implementation.
  9. Never store cardholder data on a server connected to the internet.
  10. Facilitate secure remote access to the payment application.
  11. Encrypt sensitive traffic over public networks.
  12. Secure all non-console administrative access.
  13. Maintain PA-DSS instructions, documentation, and training programs for customers, resellers, and integrators.
  14. Assign PA-DSS responsibilities for personnel, and maintain training programs for personnel, customers, resellers, and integrators.  
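As an added example (not code from the original article or from the PCI SSC), the following Python shows one way an application can honour requirements 1 and 2 before a transaction record is persisted or logged: sensitive authentication data fields are dropped, the PAN is masked to first six/last four digits (the display limit from PCI DSS requirement 3.3), and free-text log lines are scanned for Luhn-valid PAN-like digit runs and redacted so that activity logging (requirement 4) does not itself become a store of cardholder data. The field names, the sample record and the sample log line are constructed for this example and are not taken from any real integration.

```python
import re

# Constructed field names for sensitive authentication data (SAD) that
# PA-DSS requirement 1 says must never be retained after authorization.
# Real POS/gateway integrations name these fields differently.
SENSITIVE_AUTH_FIELDS = {"track1", "track2", "cvv2", "cvc2", "cid", "cav2", "pin_block"}

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (avoids splitting longer numeric identifiers).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask the rest."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:        # too short to be a PAN; hide it entirely
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_transaction(record: dict) -> dict:
    """Return a copy of a transaction record that is safe to persist.

    SAD fields are removed outright (requirement 1); the PAN is masked so the
    stored copy is not usable cardholder data (requirement 2).
    """
    clean = {}
    for key, value in record.items():
        name = key.lower()
        if name in SENSITIVE_AUTH_FIELDS:
            continue
        if name == "pan":
            clean[key] = mask_pan(str(value))
        else:
            clean[key] = value
    return clean


def redact_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN-like digit run in a log line with its mask."""
    def replace(match: "re.Match") -> str:
        digits = re.sub(r"\D", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return match.group(0)   # not a card number; leave untouched
    return PAN_CANDIDATE.sub(replace, line)


# Constructed sample input. 4111111111111111 is a well-known Luhn-valid test
# number; the track2 and cvv2 values are placeholders, not real card data.
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "track2": "CONSTRUCTED-TRACK2-PLACEHOLDER",
    "cvv2": "000",
    "amount": "12.50",
    "merchant_ref": "ORDER-42",
}
SAMPLE_LOG_LINE = (
    "2024-01-01 12:00:00 AUTH pan=4111111111111111 amount=12.50 order=1234567890123"
)

if __name__ == "__main__":
    print(scrub_transaction(SAMPLE_RECORD))
    print(redact_log_line(SAMPLE_LOG_LINE))
```

The order number in the sample log line is a 13-digit value that fails the Luhn check, so it is left alone while the PAN next to it is masked; this is the usual trade-off when scanning unstructured logs, and structured logging that never emits the PAN field in the first place is the stronger control.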

Many of the PA-DSS requirements align with PCI-DSS requirements.

What are the first steps to being PCI PA-DSS compliant?

To get started on PCI compliance for your company, consider forming a committee to help determine the applicability of requirements for scoping. Your committee should oversee tasks such as establishing and testing controls related to secure payment processing, remediating control gaps and security vulnerabilities, and gathering evidence of compliance efforts and their results. PA-DSS readiness assessments are a great way to prepare for the official assessment. As a requirement for the PA-DSS assessment, payment application vendors must provide the appropriate documentation and software to a Payment Application Qualified Security Assessor (PA-QSA) Company.

Adhering to PCI PA-DSS requirements goes beyond ticking the box of compliance: it is an important step toward ensuring your company can withstand cybersecurity breaches. Your security policies are your first line of defense against data hacks, and creating secure applications will help guard your customers and your company against credit card fraud. A solution like ZenGRC can get you on the road to compliance.