Payment Application Security Mandates

What is PA-DSS?

The Payment Application Data Security Standard (PA-DSS) is a set of security requirements developed by the Payment Card Industry Security Standards Council (PCI SSC) that govern how payment applications must handle the capture, storage, processing and transmission of sensitive cardholder data.

Who is Affected by PA-DSS?

The PA-DSS applies to software companies and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties.

Payment applications, when implemented according to the PA-DSS and when implemented in a PCI DSS compliant environment, should facilitate and support merchant PCI DSS compliance.

Visa's Payment Application Security Mandates

1/1/08 - Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications.
7/1/08 - VNPs and agents must only certify new payment applications to their platforms that are PABP (PA-DSS)-compliant.
10/1/08 - Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PABP (PA-DSS)-compliant applications.
10/1/09 - VNPs and agents must decertify all vulnerable payment applications.
7/1/10 - Acquirers must ensure their merchants, VNPs and agents use only PABP (PA-DSS)-compliant applications.