PA-DSS (Payment Application Data Security Standard)
What is Payment Application Data Security Standard (PA-DSS)?
Payment Application Data Security Standard (PA-DSS) is a set of requirements intended to help software vendors develop secure payment applications for credit card transactions.
This ensures that companies do not store prohibited data, such as the security PIN, magnetic strip or CVV2. PA-DSS applies to third-party applications that store, process or transmit payment cardholder data as part of an authorization or settlement.
Compliance with PA-DSS requirements
The Payment Card Industry Security Standards Council (PCI SSC) maintains PA-DSS, published in 2008 as a replacement to Visa's Payment Application Best Practices (PABP). PABP was Visa's attempt to guide software vendors in creating secure applications. However, it lacked widespread adoption.
Unlike PABP, PCI DSS compliance is required by all credit card brands, such as American Express, Mastercard, JCB International and Visa Inc. However, the same is not mandated by law.
Software applications developed by merchants and service providers for in-house use are exempt from PA-DSS but must comply with the Payment Card Industry Data Security Standard, commonly known as PCI DSS requirements.
How to obtain PA-DSS compliance
To achieve PA-DSS compliance, a software provider must have its application audited by a PA-DSS Qualified Security Assessor. PA-DSS requirements include:
- Do not retain full magnetic stripe, card validation code or value, or PIN block data.
- Provide secure password features.
- Protect stored cardholder data.
- Log application activity.
- Develop secure applications.
- Protect wireless transmissions.
- Test applications to address vulnerabilities.
- Facilitate secure network implementation.
- Do not store cardholder data on a server connected to the internet.
- Facilitate secure remote software updates.
- Facilitate secure remote access to applications.
- Encrypt sensitive traffic over public networks.
- Encrypt all non-console administrative access.
- Maintain instructional documentation and training programs for customers, resellers and integrators.
See also: PCI DSS 12 requirements and PCI DSS merchant levels.