PCI Watch

Traditional PCI DSS compliance may not apply to payment application vendors since most vendors do not store, process, or transmit cardholder data. However, because these payment applications are used by merchants to store, process, and transmit cardholder data, payment applications should facilitate, and not hinder, merchants’ PCI DSS compliance. The Payment Application Data Security Standard (PA-DSS) requirements have been derived from the PCI DSS Requirements to define what a payment application must support to facilitate a customer?s PCI DSS compliance.

Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of cardholder data or sensitive authentication data. However, use of a PA-DSS compliant application does not by itself make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and in accordance with the PA-DSS Implementation Guide provided by the payment application vendor (per PA-DSS Requirement 13.1).