The Payments 101 series looks at Payment Application Data Security Standard (PA-DSS).
The Payment Application Data Security Standard (PA-DSS) is a set of security requirements developed by the Payment Card Industry Security Standards Council (PCI SSC) that govern how payment applications must handle the capture, storage, processing and transmission of sensitive cardholder data. The goal of PA-DSS is to help software companies and developers build secure payment applications that protect cardholder data and support compliance with the PCI DSS.
The PA-DSS consists of fourteen requirements and security assessment procedures that a payment application must meet in order to achieve PA-DSS validation.
The PA-DSS applies specifically to software companies and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. While applications built and utilized solely in-house are not subject to the PA-DSS, they are still accountable to the PCI DSS.
In order to achieve validation, an application developer must have a Payment Application Qualified Security Assessor (PA-QSA) assess the application and submit a Report on Validation (ROV) and accompanying Attestation of Validation (AOV) to the PCI SSC. Once accepted by the PCI SSC, the specific version of the payment application that was assessed is posted on the PCI SSC website as a PA-DSS validated payment application.
The Search for PA-DSS Validated Solutions
The PCI SSC maintains a list of payment applications that have been validated against the PA-DSS. This list is subject to ongoing modification as new payment application software and new versions are regularly released, so merchants and integrators should confirm that the exact application version they deploy is the one listed. Using a PA-DSS validated solution does not absolve a merchant from PCI DSS responsibilities; however, a validated payment application, when implemented according to the vendor's PA-DSS Implementation Guide and deployed in a PCI DSS compliant environment, should facilitate and support merchant PCI DSS compliance.
Achieving validation is becoming increasingly important for software companies and developers. In fact, a significant deadline mandated by Visa, Inc. was reached on July 1st, 2010, requiring that acquirers ensure their merchants, VisaNet Processors and agents use only PA-DSS validated applications.
Combining Payments Integration and Compliance Management
As a developer or software company, your decisions on selecting a payments API, development toolkit, or processing partner for implementing payments services on behalf of a merchant have PCI DSS and PA-DSS compliance implications. The payments industry is complicated; writing software is complicated; PCI DSS and PA-DSS compliance is complicated. Without the proper tools and guidance (intelligent API, QSA partner, compliance management portal, etc.), you can easily lose your way. The right partner will provide you with the resources and specialized expertise needed to help reduce your compliance burden and manage a successful compliance validation in one simple process.
If you have any questions about this Payments 101 topic or have a specific question, you can reach us by completing our Contact Us form.
Stay up to date with the conversation and sign up to follow the Payments 101 series and PaymentsAPI.com via Twitter, the PaymentsAPI LinkedIn Group, or RSS, or bookmark us. We look forward to hearing your thoughts.