Addendum to the PCI Security Standards Council statement on PA-DSS and mobile payment applications released on November 29th 2010
PCI Security Standards Council addendum to statement on PA-DSS and mobile payment
applications
January 25, 2011
The following is an addendum to the PCI Security Standards Council statement on PA-DSS and mobile
payment applications released on November 29th 2010.
Due to the evolving nature of the payment application landscape, new categories of applications emerge
that necessitate regular review of PCI SSC criteria and processes for examining the security of these
applications. While the Council’s initial statement regarding mobile payment applications and the PA-DSS
(November 29th 2010) noted that “no mobile payment applications used by merchants to accept or
process payment for goods and services would be approved or listed as validated PA-DSS applications
unless all requirements can be satisfied as stated,” this category of payment applications remains under
review, and the Council is able to provide the following additional detail:
“Until it has completed a comprehensive examination of the mobile communications device and mobile
payment application landscape, the Council will not approve or list mobile payment applications used by
merchants to accept and process payment for goods and services as validated PA-DSS applications
unless all PA-DSS requirements can be satisfied as stated and the underlying mobile communications
device supports the merchant's PCI DSS compliance.”
Again, the Council encourages merchants to refer to the PCI SSC website for a current list of PA-DSS
validated applications and reminds organizations that the use of a PA-DSS compliant application alone
does not make an entity PCI DSS compliant. The application must also be configured in accordance with
the vendor’s PA-DSS Implementation Guide and installed into a PCI DSS compliant environment.