The Payment Application Data Security Standard (PA-DSS) is a program designed to help companies like software vendors build secure payment applications that don’t store “prohibited data,” such as full magnetic stripe, PIN data, or CVV2.

PA-DSS makes sure payment applications support PCI DSS compliance. However, using a PA-DSS-compliant application is not the same thing as being PCI DSS compliant, nor is it a guarantee of PCI DSS compliance.

According to the PCI Security Standards Council, the PA-DSS applies to software vendors and others who develop payment applications that store, process or transmit cardholder data or sensitive authentication data.  These are typically commercial payment applications sold and installed by vendors to a third-party organization.

As outlined in the PA-DSS Program Guide, the standard does not apply to payment applications offered only as a service hosted by a service provider. Customers cannot manage, install, or control the application; it’s only provided as a service. Further, the application is already covered by the service provider’s PCI DSS review, and the application is not being sold, distributed, or licensed to third parties.

Other exceptions to the PA-DSS program are non-payment applications that are part of a payment application suite, including fraud-monitoring functions. All in-house payment applications are exempt from PA-DSS compliance, as are applications designed for or sold to a single end-user customer.

Visa used to manage a precursor to the PA-DSS program, known as the Payment Application Best Practices (PABP). The Payment Card Industry Security Standards Council created the PA-DSS program in 2008.

What is PA-DSS?

PA-DSS validates that payment applications adhere to PCI SSC security standards, safeguarding sensitive cardholder data during transactions. It’s crucial for software vendors to ensure their applications protect the Primary Account Number (PAN) and account data. Compliance involves stringent security controls, encryption keys, and validation through penetration testing and vulnerability scans, fortifying against malware and vulnerabilities in system components.

Who does PA-DSS apply to?

PA-DSS is vital for businesses involved in payment application development, addressing the business need for secure transactions. Compliance is critical within the cardholder data environment, necessitating access control and robust security systems like firewalls and secure operating systems. Regular risk assessments, anti-virus software, and encryption key management are essential to protect against unauthorized access and breaches.

What is the goal of PA-DSS?

PA-DSS aims to protect cardholder data and ensure secure card transactions. Compliance validates adherence to security requirements like strong cryptography and unique IDs, attesting to PCI DSS compliance. It involves vulnerability management, reducing risks associated with default passwords and meeting compliance requirements, fostering trust within the payment ecosystem.


There are two primary compliance standards when evaluating secure payment systems and storing credit card data: PCI-DSS and PA-DSS. While the names sound similar, there are fundamental differences between them.

First, understand PCI-DSS. When an organization stores, processes, or transmits credit card data, it must meet the Payment Card Industry Data Security Standard (PCI-DSS). The PCI-DSS comprises 12 main requirements and numerous directives or sub-requirements that address everything from network security to information security policies. This standard was developed in 2004 by major credit card companies to protect consumers, banks, and credit card vendors from data theft and fraud.

Credit card brands Visa, Mastercard, American Express, and JCB expanded their security initiative, known as the Payment Card Industry Security Standards Council (PCI SSC), to include financial institutions, merchants, processor companies, software developers, point-of-sale vendors, and others. The PCI SSC maintains all PCI standards, including the PA-DSS and the PCI-DSS.

One important distinction is that an in-house payment application developed by a merchant or service provider is not subject to PA-DSS but will be required to be PCI-DSS compliant.

However, if a merchant sells the payment application to a third party, it is considered a software vendor and subject to PA-DSS requirements.

While your company might be exempt from PA-DSS compliance, the standard is still worth consulting as an application security framework to adopt.

What are PA-DSS requirements?

In the “Payment Application Data Security Standard” (last updated in May 2016), the PCI SSC outlines 14 requirements and testing procedures for each:

  1. Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data.
  2. Protect stored cardholder data.
  3. Provide secure authentication features.
  4. Log payment application activity.
  5. Develop secure payment applications.
  6. Protect wireless transmissions.
  7. Test payment applications to address vulnerabilities and maintain payment application updates.
  8. Facilitate secure network implementation.
  9. Never store cardholder data on a server connected to the internet.
  10. Facilitate secure remote access to the payment application.
  11. Encrypt sensitive traffic over public networks.
  12. Secure all non-console administrative access.
  13. Maintain PA-DSS instructions, documentation, and training programs for customers, resellers, and integrators.
  14. Assign PA-DSS responsibilities to personnel and maintain training programs for personnel, customers, resellers, and integrators.

Many of the PA-DSS requirements align with PCI-DSS requirements.

What are the first steps to being PCI PA-DSS compliant?

To get started on PCI compliance for your company, consider forming a committee to help determine the applicability of requirements for scoping. Your committee should oversee tasks such as establishing and testing controls related to secure payment processing, remediating control gaps and security vulnerabilities, and gathering evidence of compliance efforts and the results.  

PA-DSS readiness assessments are a great way to prepare for the official assessment.  As a requirement for the PA-DSS assessment, payment application vendors must provide the appropriate documentation and software to a Payment Application Qualified Security Assessor (PA-QSA) Company.

Start on the Path to PCI PA-DSS Compliance with ZenGRC

Adhering to PCI PA-DSS requirements goes beyond ticking the box of compliance: Ensuring your company can withstand cybersecurity breaches is essential. 

Your security policies are your first defense against data hacks, and creating secure applications will help guard your customers and your company against credit card fraud. A solution like ZenGRC can get you on the road to complying with PCI DSS.