Diff: FAQ #1020

How does the PCI PA-DSS integrate with the PCI Data Security Standard (DSS)?

Earlier Version
2012-04-05 22:02:08 UTC
Later Version
2014-05-28 14:36:00 UTC
Removed (text of the earlier version):

The requirements for the Payment Application Data Security Standard (PA-DSS) are derived from the Payment Card Industry Data Security Standard (PCI DSS). This document details what is required for a merchant to be PCI DSS compliant and therefore what a payment application must support to facilitate a merchant's PCI DSS compliance. Traditional PCI DSS compliance may not apply to payment application vendors, since most vendors do not store, process, or transmit cardholder data. However, because these payment applications are used by merchants to store, process, and transmit cardholder data, and merchants are required to be PCI DSS compliant, payment applications should facilitate, and not prevent, merchants' PCI DSS compliance. Just a few of the ways payment applications can prevent a merchant's compliance are: 1) storage of magnetic stripe data in the merchant's network after authorization; 2) applications that require merchants to disable other features required by the PCI DSS, such as anti-virus software or firewalls; and 3) vendors that use unsecured methods to connect to the application to provide support to the merchant.

Added (text of the later version):

The requirements for the Payment Application Data Security Standard (PA-DSS) are derived from the Payment Card Industry Data Security Standard (PCI DSS). PA-DSS details the requirements a payment application must meet in order to facilitate a customer's PCI DSS compliance. PA-DSS validated payment applications, when implemented in a PCI DSS-compliant environment, can help minimize the potential for security breaches leading to compromises of PAN, full track data, card verification codes and values (CAV2, CID, CVC2, CVV2), and PINs and PIN blocks, along with the damaging fraud resulting from these breaches.

Use of a PA-DSS validated application does not by itself make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide provided by the payment application vendor.

PA-DSS applications are in scope for an entity's PCI DSS assessment. The PCI DSS assessment should verify that the PA-DSS validated payment application is properly configured and securely implemented per PCI DSS requirements. If the payment application has undergone any customization, a more in-depth review will be required during the PCI DSS assessment, as the application may no longer be representative of the version that was validated to PA-DSS.

Additionally, it should be noted that some payment brand rules may require the use of PA-DSS applications. Merchants should contact their acquirer or the payment brands directly to determine if they have any requirements. Payment brand contact details are provided in FAQ 1142.