Diff: FAQ #1020
How does the PCI PA-DSS integrate with the PCI Data Security Standard (DSS)?
Earlier Version
2008-02-24 00:00:00 UTC
2008-02-24 00:00:00 UTC
Later Version
2008-02-28 00:00:00 UTC
2008-02-28 00:00:00 UTC
Removed
Added
The requirementsraditional PCI DSS compliance may not apply to payment application vendors since most vendors do not store, process, or transmit cardholder data. However, because these payment applications are used by merchants to store, process, and transmit cardholder data, payment applications should foracilitate, and not hinder, merchants’ PCI DSS compliance. The Payment Application Data Security Standard (PA-DSS) are derirequirements have been derived from the Payment Card Industry Data Security Standard (PCI DSS Requirements to define what a payment application must support to facilitate a customer?s PCI DSS compliance.
Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of cardholder data or sensitive authentication data. However, use of a PA-DSS compliant application does not by itself make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and in accordance with the PA-DSS Implementation Guide provided by the payment application vendor (per PA-DSS Requirement 13.1). This document details what is required for a merchant to be PCI DSS compliant (and therefore what a payment application must support to facilitate a merchant’s PCI DSS compliance). Traditional PCI DSS compliance may not apply to payment application vendors since most vendors do not store, process, or transmit cardholder data. However, because these payment applications are used by merchants to store, process, and transmit cardholder data, and merchants are required to be PCI DSS compliant, payment applications should facilitate, and not prevent, merchants’ PCI DSS compliance. Just a few of the ways payment applications can prevent a merchant’s compliance are:
storage of magnetic stripe data in the merchant’s network after authorization;
applications that require merchants to disable other features required by PCI DSS, such as anti-virus software or firewalls, and;
vendors that use unsecured methods to connect to the application to provide support to the merchant.
Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of cardholder data or sensitive authentication data. However, use of a PA-DSS compliant application does not by itself make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and in accordance with the PA-DSS Implementation Guide provided by the payment application vendor (per PA-DSS Requirement 13.1).
storage of magnetic stripe data in the merchant’s network after authorization;
applications that require merchants to disable other features required by PCI DSS, such as anti-virus software or firewalls, and;
vendors that use unsecured methods to connect to the application to provide support to the merchant.