PCI DSS Compliance Blog: Are You Preventing Your Customers From Being PCI DSS compliant?



Are You Preventing Your Customers From Being PCI DSS compliant?

This month marks the one-year anniversary of the launch of the Payment Application Data Security Standard, commonly known as the PA-DSS. So we thought now would be a good time to pose the question:

Software vendors, are you preventing your customers from being PCI compliant?

The goal of PA-DSS is to facilitate the development of secure payment applications by software vendors. Each vendor of a software application that stores, processes, or transmits payment cardholder data must now follow the 14 PA-DSS requirements and successfully pass a PA-DSS review by an independent auditor (known as a PA-QSA).

Back in October, StorefrontBacktalk founder Evan Schuman wrote an excellent article on how PA-DSS is remarkably misunderstood, both by merchants and by software vendors. Schuman wrote:

Most merchants and application vendors seriously underestimate both the scope and the force of the Payment Applications Data Security Standard (PA DSS). If so, it’s only because they haven’t read the standard or don’t immediately grasp what’s involved.

Six months later, we are hearing that this is still the case. As of March 27th, only 153 vendors, representing 264 payment applications, are PA-DSS validated. While this is progress, many vendors have yet to become validated.

When we speak to non-validated software vendors, the reason most often cited for their non-compliance is that they don’t realize PA-DSS applies to them. There is still a lot of education to be done regarding the scope of PA-DSS, which states:

The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization and settlement, where these payment applications are sold, distributed or licensed to third parties.

Simplified: if cardholder data is entered directly into a software application (this could be as simple as a text box input), then that application is a payment application and is therefore in scope.

Many software providers also don’t realize the relationship between PA-DSS and PCI DSS.

All software providers must meet PA-DSS requirements in order for their customers to comply with the mandated Payment Card Industry Data Security Standard (PCI DSS). As of October 1, 2008, acquiring financial institutions cannot approve merchants for processing if those merchants are using non-compliant software. Software providers whose applications don’t meet PA-DSS (PABP) compliance requirements are beginning to lose customers as a result.



I wonder how technologies like cloud computing will impact compliance, since the data will be distributed across many data centers.

Right now, cloud computing is really kind of an unknown when it comes to impacting future PCI DSS regulations. From what we've read, it's somewhat expected of the PCI Security Standards Council to provide further details in future PCI regulation releases regarding cloud computing, but it's more of an interpretation at this point. Alexander Howard recently wrote an article about this issue on a Tech Target blog. Here's an excerpt:

"FTC guidance on cloud compliance or official recognition by the PCI Security Standards Council may be forthcoming later this year. Given the visibility, adoption and interest in cloud computing in the enterprise, cloud compliance under PCI or something like it seems likely."

And here is a link to the full post:

