Sep 9 2010
PA DSS…know the rules!
Posted by chris.mark
Data Security, PA DSS, PCI DSS, Technical Discussions
We have had numerous discussions recently with merchants that are using third-party payment applications. Some of the third-party providers are claiming that their applications do not need to comply with the Payment Application Data Security Standard (PA DSS). This post is intended to clarify the rules surrounding PA DSS. We will discuss two items: first, the applicability of the PA DSS, and second, the mandate to use PA DSS compliant applications.
The PA DSS is a standard which applies to ‘payment applications’. A payment application is defined as one that “stores, transmits, or processes cardholder data as a part of authorization or settlement, where the payment application is sold, distributed or licensed to third parties.” This language is taken directly from the PCI SSC Vendor Considerations document. Both halves of the definition matter: if you have purchased, licensed, or otherwise obtained an application from an application vendor, and the application handles cardholder data as part of authorization or settlement, then the application must comply with the PA DSS.
If the application is instead provided under a Software as a Service (SaaS) or Application Service Provider (ASP) model, it is not sold, distributed or licensed to you, so the PA DSS does not apply. In that case the application falls within the scope of the SaaS provider’s own PCI DSS assessment, and you are relying on that provider’s PCI DSS compliance rather than on a PA DSS validation.
It is the responsibility of the application vendor to submit their application for validation through an approved Payment Application Qualified Security Assessor (PA QSA) lab. Once validated, the merchant using the application has confidence that the application 1) is compliant with the PA DSS and 2) supports the merchant’s own PCI DSS compliance requirements.
There appears to be some confusion in the market about whether PA DSS compliance and validation is required. As stated on Visa’s own website: “Phase V (July, 2010) mandates the use of payment applications that support PCI DSS compliance, requiring acquirers, merchants, and agents to use only those applications that can be validated as PABP compliant.” For clarification, the PA DSS was previously called the Payment Application Best Practices, or PABP, which is why Visa’s mandate uses that name.
Visa does allow acquirers (banks) to use alternative means to validate PA DSS compliance, but it is highly unlikely that an acquirer would do so. In the vast majority of instances, acquirers simply require their merchants to use validated PA DSS applications found on the PCI SSC list of compliant applications.
As a best practice, and to comply with the mandates, merchants should only use PA DSS validated applications found on the list of compliant applications. Check the list for the specific application name and version you are running, since validation is granted per version. Additional information can be found in the Frequently Asked Questions on Visa’s website.
If you are using an application and the vendor tells you that they do not need to comply with the PA DSS, or that compliance is your responsibility, then you should look elsewhere for an application provider. It is a mandate to use only payment applications that are PA DSS compliant.
Chris Mark, EVP; Data Security & Compliance
