PA-DSS (Payment Application Data Security Standard)

Contributor(s): Maggie Sullivan

Payment Application Data Security Standard (PA-DSS) is a set of requirements that are intended to help software vendors develop secure payment applications that support PCI DSS compliance. PA-DSS applies to third-party applications that store, process or transmit payment cardholder data as part of an authorization or settlement. Software applications developed by merchants for in-house use only are exempt from PA-DSS but must comply with PCI DSS.

The Payment Card Industry Security Standards Council maintains PA-DSS, which it published in 2008 as a replacement for Visa’s Payment Application Best Practices (PABP). PABP was Visa’s attempt to guide software vendors in creating secure applications; however, it lacked widespread adoption.

To achieve PA-DSS compliance, a software provider must have its application audited by a PA-DSS Qualified Security Assessor. PA-DSS requirements include:

  • Do not retain full magnetic stripe, card validation code or value, or PIN block data.
  • Provide secure password features.
  • Protect stored cardholder data.
  • Log application activity.
  • Develop secure applications.
  • Protect wireless transmissions.
  • Test applications to address vulnerabilities.
  • Facilitate secure network implementation.
  • Do not store cardholder data on a server connected to the Internet.
  • Facilitate secure remote software updates.
  • Facilitate secure remote access to applications.
  • Encrypt sensitive traffic over public networks.
  • Encrypt all non-console administrative access.
  • Maintain instructional documentation and training programs for customers, resellers and integrators.

This was last updated in April 2012
