PCI DSS Compliance Blog: Top 10 Questions About PA-DSS By Independent Software Vendors


07/27/2009

Top 10 Questions About PA-DSS By Independent Software Vendors

By Jeff Gross, Element Payment Services

We speak with software vendors all day long about their applications and what the payment industry security standards mean to them. The questions they ask are very insightful, so we thought we’d share the top ten most common questions we receive.

Hope this helps you understand the PA-DSS and the complex issues surrounding it on a deeper level.  Feel free to pose any other questions you have about PA-DSS in the comment section. We’d be happy to answer them.

1. Q: PA what?

A: We still get responses like “PA-what?” when mentioning PA-DSS for the first time to software providers. There clearly needs to be more education around this security standard. 

PA-DSS stands for the Payment Application Data Security Standard. It was created by the major payment card brands, under the umbrella of the Payment Card Industry Security Standards Council, to combat the growing number of credit and debit cardholder data breaches; the figure quoted at the time was that seventy-five percent of all data security attacks target software applications. The PA-DSS requires that every payment application that stores, processes or transmits cardholder data as part of authorization or settlement be validated by an approved Payment Application Qualified Security Assessor (PA-QSA), and revalidated as the application changes. The PA-DSS applies to applications that are sold, distributed or licensed to third parties; software a merchant develops and runs in house is covered by that merchant's own PCI DSS assessment instead.

Learn more about the PA-DSS requirements.

2. Q: What is the difference between PA-DSS and PCI DSS?

A: The PA-DSS applies to payment applications that store, process or transmit cardholder data and are sold, distributed or licensed to third parties, whereas the PCI DSS applies to merchants (and service providers) that store, process or transmit cardholder data, including the environment in which a PA-DSS validated application is installed. Both were created to protect cardholder data.

Learn more about PCI DSS requirements.

3. Q: I’m confused. I thought the credit card brands had their own security standards, like Visa’s PABP.

A: In September 2006, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International formed the Payment Card Industry Security Standards Council (PCI SSC), an independent body set up to improve payment account security. Visa's Payment Application Best Practices (PABP) was the predecessor of the PA-DSS; the council adopted it and released it as the PA-DSS.

The PCI Security Standards Council maintains the underlying standards (PCI DSS, PA-DSS and PIN entry device requirements) and qualifies the assessors; it does not enforce them. Each payment card brand runs its own compliance program and sets its own deadlines for merchants and software providers, which is why the dates you hear about come from Visa or MasterCard rather than from the council.

4. Q: How serious is this PA-DSS stuff?  We haven’t seen anything as far as fines or anything for non-compliance.

A: All payment applications have to be compliant by July 1, 2010 (Visa's final deadline) or their users risk not being able to process Visa payment cards at all. As of October 1, 2009, VisaNet processors must decertify all vulnerable payment applications. While non-compliance with the PA-DSS has not yet been addressed with fines, the card brands are addressing it by removing the ability to process payments entirely.

If it is any indication, MasterCard has begun fining merchants for non-PCI DSS compliance. 

5. Q: How much does the PA-DSS assessment cost?

A: To achieve PA-DSS compliance, software providers must validate their application. This involves a security assessment by a Payment Application Qualified Security Assessor (PA-QSA), plus the development time and expense of bringing the application into compliance with the requirements the assessor finds unmet. These PA-DSS validation costs generally range between $10,000 and $30,000, and recur to some degree with each revalidation. Some software providers also have the option of taking the application out of scope of the PA-DSS entirely (see question 10), which removes the assessment cost altogether.

6. Q:  Could our merchants just stop taking credit cards? 

A: Merchants could stop taking payment cards, but customers who pay by card tend to spend two to three times more than customers who only carry cash or checks. And since the major card brands are accepted worldwide, accepting them exposes the merchant's business to customers from all around the globe instead of just locally.

7. Q: If we are PA-DSS-compliant, does that mean my merchants are compliant? 

A: No. PA-DSS and PCI DSS are two separate compliance standards. All merchants must still meet the PCI DSS requirements, and using a PA-DSS compliant application does not remove that obligation; it only means the application itself is not the weak point. At a minimum, every merchant should complete the appropriate PCI Self-Assessment Questionnaire and the required network scan. However, since the PA-DSS is part of the PCI compliance program, new merchants or merchants that change processing providers cannot meet PCI requirements if they are using non-compliant applications. And the requirements are only getting tougher: as of July 1, 2010, all merchant account providers are required to ensure that their merchants use only PA-DSS compliant applications.

8. Q: "Ok, here’s my PCI network scan.  We’ve been confirmed compliant.  Please set us up so that our merchants can process payment cards.”

A: Network vulnerability scans are a PCI DSS requirement for the merchant's environment, not a PA-DSS requirement for the application, so a passing scan says nothing about the software. Software vendors must pass a PA-DSS review performed by a Payment Application QSA and fulfill all of the PA-DSS requirements.

9. Q: If I’m just passing card numbers to the merchant, but not storing card numbers, then why do I have to have a PA-DSS assessment?

A: Transmitting is one of the three triggers. If your software application stores, processes or transmits cardholder data, even momentarily and even if it never writes the card number to disk, the application is in scope of the PA-DSS.

10. Q: Is there anything I can do to get around the requirement of a PA-DSS assessment?

A: The only way to do this is to have your application not store, process or transmit cardholder data at all: the card number must never pass through your code, your memory or your logs. Element's Hosted Payments solution, in which the cardholder enters the card details on a page served by the payment host and your application receives only a token and the authorization result, takes software providers entirely out of scope of the PA-DSS.
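The scope question in the last two answers comes down to one check: does a card number ever reach the vendor's application? The script below is an added example (it is not from the original post and is not Element's code) that puts that check into practice. It compares two constructed data flows, a direct one in which the application posts the card number to the processor itself, and a hosted one in which the application only ever sees a token, the last four digits and the authorization result, and flags any field that carries a Luhn-valid 13 to 19 digit primary account number. The flow dictionaries, field names and token format are all hypothetical. A detector like this is a useful pre-assessment sanity check on request payloads and log lines; it does not replace a PA-QSA review.

```python
"""Scope check: does a primary account number (PAN) ever reach the application?

Added example, not code from the original post or from Element Payment Services.
The sample flows below are constructed for illustration.
"""
import re

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the normalized PANs found in text (separators removed, Luhn-valid only)."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def fields_with_pan(flow: dict) -> list:
    """Names of the fields in a data flow that carry a full PAN."""
    return [name for name, value in flow.items() if find_pans(str(value))]


def in_pa_dss_scope(flow: dict) -> bool:
    """An application that stores, processes or transmits a PAN is in scope."""
    return bool(fields_with_pan(flow))


# Constructed sample: the vendor's app posts the card number to the processor
# and writes it to its own log. The PAN passes through the vendor's code.
DIRECT_FLOW = {
    "endpoint": "/checkout/charge",        # hypothetical
    "card_number": "4111 1111 1111 1111",  # Visa test number
    "expiry": "12/11",
    "amount": "19.99",
    "log_line": "INFO charge ok pan=4111111111111111 auth=123456",
}

# Constructed sample: hosted payments. The cardholder types the card number
# into a page served by the payment host; the vendor's app receives only a
# token, the last four digits and the authorization result. The 16-digit
# order id looks like a card number but fails the Luhn check.
HOSTED_FLOW = {
    "endpoint": "/checkout/complete",      # hypothetical
    "payment_token": "tok_7f3c9e2b",       # hypothetical token format
    "last_four": "1111",
    "order_id": "1234567890123456",
    "amount": "19.99",
    "log_line": "INFO charge ok token=tok_7f3c9e2b last4=1111 auth=123456",
}


if __name__ == "__main__":
    for label, flow in (("direct", DIRECT_FLOW), ("hosted", HOSTED_FLOW)):
        hits = fields_with_pan(flow)
        status = "IN SCOPE" if hits else "out of scope"
        print(f"{label:7s}: {status}  fields carrying a PAN: {hits}")
```

Run it against captured request bodies, database dumps and application logs rather than against the constructed dictionaries above; a single hit in a log line is enough to put the application, and the merchant's log server, in scope.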


Comments


Great article.

I have two questions concerning PA-DSS compliance.

1) If a small business wants to accept credit card data via an open source ecommerce system (like, say, Zen Cart), do they need to foot the bill (10K - 30K dollars) of getting their installation of that system PA-DSS certified?

2) Alternatively, if a small business custom builds an inhouse ecommerce system for accepting card data, does this system still require PA-DSS certification? And again, do they still need to stump up the 10-30K dollars to do it?

Paul,

If the e-commerce system is sold and can be used off the shelf, then the e-commerce system would need to become PA-DSS compliant - not you. Remember - you would still need to be PCI-DSS compliant.

But if you can modify the solution (such as an open-source e-commerce solution or an in-house system), then everything regarding scope falls under your own PCI-DSS compliance, and PA-DSS would not apply. It would be considered an in-house application at that point, so the merchant still has to be PCI-DSS compliant.
