What is the Difference Between PA-DSS and PCI-DSS?

Both Payment Application Data Security Standard (PA-DSS) and the Payment Card Industry (PCI-DSS) refer to requirements set for companies to protect credit card information and to secure payment portals.

The difference between the two is relatively straightforward: PCI-DSS applies to all companies that store, process, or transmit cardholder data, whereas PA-DSS applies to vendors that produce and sell payment applications.

Both PA-DSS and PCI are compliance standards created by the Payment Card Industry Security Standards Council (PCI SSC), an industry regulatory board composed of five credit card brands: Visa, Mastercard, Discover, American Express, and JCB. The board also consists of financial institutions, merchants, processor companies, software developers, and point-of-sale vendors.

The PCI SSC maintains and updates the set of standards collectively known as PCI. These standards provide merchants who accept credit cards and service providers with a set of requirements designed to protect credit card data as it traverses electronic networks as part of the acceptance process.

What is PCI DSS?

The industry’s primary compliance standard is the Payment Card Industry Data Security Standard (PCI DSS). While merchants and service providers are not mandated by law or regulation to adopt PCI standards, the major card brands do mandate its use via the banks and other organizations that process all credit card transactions.

Failure to comply with the applicable standards can result in a merchant being unable to accept credit card transactions at all, along with the associated financial impact of such a ban. Therefore, PCI standards are a requirement for all merchants to follow without exception.

PCI compliance includes a set of 12 requirements set in place by the PCI SSC. The requirements include the following:

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.

Within these 12 requirements are 281 total directives. Your organization must follow all objectives that are in scope for your organization for full compliance. Achieving compliance takes time: up to two years for large merchants and one year for mid-sized and smaller.

How Does a Company Obtain PCI Compliance?

Merchants are classified into different levels based on the number of transactions processed in a given year. The levels differ slightly by credit card brand, but assessment requirements for each merchant level are consistent.

Generally, the greater number of transactions processed by a merchant means that the assessment criteria and methodology are more stringent. There are four levels of compliance for merchants and two for service providers.

The method used to assess compliance with PCI requirements differs depending on the type of business a merchant is performing and their merchant level. While all merchants must perform some annual assessment, who performs the assessment and to what level of detail the assessment is performed is determined by the merchant level.

PCI-DSS assessments generally fall into one of three methods:

1. Qualified Security Assessor (QSA): A QSA is a third-party assessor who has been certified by the PCI Security Council to perform PCI assessments. A QSA is required to perform assessments for all Level 1 Merchants.
2. Internal Security Assessor (ISA): An ISA is an assessor internal to the organization being assessed. The ISA has also been certified by the PCI Security Council to perform PCI assessments, but only for their own organization.
3. Self-Assessment Questionnaire (SAQ): The Self-Assessment Questionnaires are used by lower-level merchants (with fewer transactions) to perform a self-assessment of their compliance. There are multiple SAQs available, with the specific SAQ being used determined by how customers perform credit card transactions (i.e., card not present vs. card present, fully outsourced authorizations vs. partially outsourced authorizations).

What Does PA DSS Compliance Mean?

PA-DSS stands for Payment Application Data Security Standard. Its goal is to help companies like software vendors build secure payment applications that don’t store “prohibited data,” such as full magnetic stripe, PIN data, or CVV2.

According to the PA-DSS v.3.2 Program Guide, a PA-DSS Validated Payment Application alone is not a guarantee of PCI DSS compliance.

The PCI SSC states that the PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data and/or sensitive authentication data.

What are PA-DSS requirements?

In the “Payment Application Data Security Standard” (last updated in May 2016), the PCI SSC outlines 14 requirements and testing procedures for each:

1. Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data.
2. Protect stored cardholder data.
3. Provide secure authentication features.
4. Log payment application activity.
5. Develop secure payment applications.
6. Protect wireless transmissions.
7. Test payment applications to address vulnerabilities and maintain payment application updates.
8. Facilitate secure network implementation.
9. Never store cardholder data on a server connected to the internet.
10. Facilitate secure remote access to the payment application.
11. Encrypt sensitive traffic over public networks.
12. Secure all non-console administrative access.
13. Maintain PA-DSS instructions, documentation, and training programs for customers, resellers, and integrators.
14. Assign PA-DSS responsibilities for personnel, and maintain training programs for personnel, customers, resellers, and integrators.

Many of the PA-DSS requirements align with PCI-DSS requirements.