CHAPTER 12: THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

 

The PA-DSS is the PCI SSC-managed programme that applies to payment applications, such as shopping carts, payment gateways and similar software. The programme was previously run by Visa Inc. under the name Payment Application Best Practices (PABP). Criminals increasingly target vulnerabilities in payment applications to steal payment card data, and some users unknowingly have sensitive card data stored on their systems by such software. The PA-DSS is therefore intended to help software vendors and others develop secure payment applications that do not store prohibited sensitive authentication data after authorisation (full magnetic-stripe track data, CVV2 and PIN data) and that support their customers' compliance with the PCI DSS.

Commercial off-the-shelf (COTS) payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house or bespoke payment applications that are developed by merchants or service providers and which are not sold to a third party are not subject to the PA-DSS requirements, but must still comply with the PCI DSS.

The PA-DSS has its own security audit procedures [1] and its own detailed programme guide [2], which help organisations determine exactly how the compliance requirements affect them. The PCI SSC also publishes and maintains a list of Validated Payment Applications [3] that have been assessed as meeting the requirements of the Standard. Because this list is continually updated, and validation applies to a specific application version, we recommend that merchants contact their software vendors to confirm that the version they run has been validated against the current version of the PA-DSS.

As mentioned in Chapter 5, we strongly recommend using a third-party payment gateway service that is fully PCI DSS compliant, particularly for a small e-commerce business. Such a service provider is not obliged to use a PA-DSS validated application for its own in-house software, since in-house applications fall outside the PA-DSS, so we advise merchants to use the larger suppliers that are fully compliant with both the PA-DSS and the PCI DSS.

 

[1] www.pcisecuritystandards.org/documents/PA-DSS_v3.pdf

[2] www.pcisecuritystandards.org/documents/pci_pa_dss_program_guide_v2.pdf

[3] www.pcisecuritystandards.org/approved_companies_providers/vpa_agreement.php
