Payment Application DSS – PA-DSS Compliance

What is PA-DSS?

 PA-DSS stands for Payment Application Data Security Standard (PA-DSS) which is a set of comprehensive requirements to ensure secure PA-DSS certified payment applications are utilized for the processing of credit cards.

For the purposes of PA-DSS, a certified payment application is defined as one that stores, processes, or transmits cardholder data as part of authorization or settlement, where the PA-DSS certified application is sold, distributed, or licensed to third parties. For example:

• PA-DSS does apply to payment applications that are typically sold and installed “off the shelf” without much customization by software vendors.
• PA-DSS does apply to payment applications provided in modules, which typically includes a “baseline” module and other modules specific to customer types or functions, or customized per customer request. PA-DSS may only apply to the baseline module if that module is the only one performing payment functions.
• PA-DSS does NOT apply to a payment application developed for and sold to only one customer since this application will be covered as part of the customer’s normal PCI DSS compliance review.
• PA-DSS does NOT apply to payment applications developed by merchants and service providers if used only in-house (not sold, distributed, or licensed to a third party), since this in-house developed payment application would be covered as part of the merchant’s or service provider’s normal PCI DSS compliance.

As part of the PA-DSS compliance process improvement and facilitation, the PCI Security Standards Council defined qualifications for PA-DSS Qualified Security Assessors (QSAs).

Enterprise Risk Management is a certified PA-DSS Qualified Security Assessor (QSA). We can assist your organization regarding what is PA-DSS and  PA-DSS compliance. We offer competitive pricing and value packages, tailored to your specific PA-DSS compliance needs.