PA-DSS (Payment Application Data Security Standard)

Payment Application Data Security Standard (PA-DSS) is a set of requirements that are intended to help software vendors develop secure payment applications that support PCI DSS compliance. PA-DSS applies to third-party applications that store, process or transmit payment cardholder data as part of an authorization or settlement. Software applications developed by merchants for in-house use only are exempt from PA-DSS but must comply with PCI DSS.

The Payment Card Industry Security Standards Council maintains PA-DSS, which it published in 2008 as a replacement to Visa’s Payment Application Best Practices (PABP). PABP was Visa’s attempt to guide software vendors in creating secure applications. However, it lacked widespread adoption.  

To achieve PA-DSS compliance, a software provider must have its application audited by a PA-DSS Qualified Security Assessor. PA-DSS requirements include:

  • Do not retain full magnetic stripe, card validation code or value, or PIN block data.
  • Provide secure password features.
  • Protect stored cardholder data.
  • Log application activity.
  • Develop secure applications.
  • Protect wireless transmissions.
  • Test applications to address vulnerabilities.
  • Facilitate secure network implementation.
  • Do not store cardholder data on a server connected to the Internet.
  • Facilitate secure remote software updates.
  • Facilitate secure remote access to applications.
  • Encrypt sensitive traffic over public networks.
  • Encrypt all non-console administrative access.
  • Maintain instructional documentation and training programs for customers, resellers and integrators.
This was last updated in April 2012

Dig Deeper on Security operations and management