PA-DSS (Payment Application Data Security Standard)

Payment Application Data Security Standard (PA-DSS) is a set of requirements that are intended to help software vendors develop secure payment applications that support PCI DSS compliance. PA-DSS applies to third-party applications that store, process or transmit payment cardholder data as part of an authorization or settlement. Software applications developed by merchants for in-house use only are exempt from PA-DSS but must comply with PCI DSS.

Download this free guide

Your Guide to Info Sec Certifications

We’ve collected 30+ certifications for you. Which vendor-neutral and vendor-specific security certifications are best for you? Save time by downloading our list organized by experience level.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

• • I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

  Please check the box if you want to proceed.

• • I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.

  Please check the box if you want to proceed.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

The Payment Card Industry Security Standards Council maintains PA-DSS, which it published in 2008 as a replacement to Visa’s Payment Application Best Practices (PABP). PABP was Visa’s attempt to guide software vendors in creating secure applications. However, it lacked widespread adoption.  

To achieve PA-DSS compliance, a software provider must have its application audited by a PA-DSS Qualified Security Assessor. PA-DSS requirements include:

• Do not retain full magnetic stripe, card validation code or value, or PIN block data.
• Provide secure password features.
• Protect stored cardholder data.
• Log application activity.
• Develop secure applications.
• Protect wireless transmissions.
• Test applications to address vulnerabilities.
• Facilitate secure network implementation.
• Do not store cardholder data on a server connected to the Internet.
• Facilitate secure remote software updates.
• Facilitate secure remote access to applications.
• Encrypt sensitive traffic over public networks.
• Encrypt all non-console administrative access.
• Maintain instructional documentation and training programs for customers, resellers and integrators.