Payment Application Data Security Standard (PA-DSS) is a set of requirements that are intended to help software vendors develop secure payment applications that support PCI DSS compliance. PA-DSS applies to third-party applications that store, process or transmit payment cardholder data as part of an authorization or settlement. Software applications developed by merchants for in-house use only are exempt from PA-DSS but must comply with PCI DSS.
The Payment Card Industry Security Standards Council maintains PA-DSS, which it published in 2008 as a replacement to Visa’s Payment Application Best Practices (PABP). PABP was Visa’s attempt to guide software vendors in creating secure applications. However, it lacked widespread adoption.
To achieve PA-DSS compliance, a software provider must have its application audited by a PA-DSS Qualified Security Assessor. PA-DSS requirements include:
- Do not retain full magnetic stripe, card validation code or value, or PIN block data.
- Provide secure password features.
- Protect stored cardholder data.
- Log application activity.
- Develop secure applications.
- Protect wireless transmissions.
- Test applications to address vulnerabilities.
- Facilitate secure network implementation.
- Do not store cardholder data on a server connected to the Internet.
- Facilitate secure remote software updates.
- Facilitate secure remote access to applications.
- Encrypt sensitive traffic over public networks.
- Encrypt all non-console administrative access.
- Maintain instructional documentation and training programs for customers, resellers and integrators.