PA-DSS is a set of requriements that are intended to ensure software suppliers develop secure payment applications that support PCI DSS compliance. PA-DSS applies to third party applications that store, process or transmit payment cardholder data as part of an authorisation or settlement. Software applications that are developed for the use of one merchant only are exempt from PA-DSS but must comply with PCI DSS.
The Payment Card Industry Security Standards Council maintains the PA-DSS, which it published in 2008 as a replacement for Visa’s Payment Application Best Practices (PABP) standard.
To achieve PA-DSS compliance, a software provider must have its applications audited by a Payment Application Qualified Security Assessor (PA-QSA) and revalidated whenever any major changes are made. PA-DSS requirements include:
- Non capture and retention of full magnetic stripe data, card validation, value or PIN block data
- Provision of secure password features
- Logging of application activity
- Development of secure applications
- Protection of data transmitted over wireless networks
- Testing applications to address vulnerabilities
- Architected to operate in a secure network environment
- No cardholder to be stored on an Internet connected device
- Facilitation of secure remote software updates
- Facilitation of secure remote access to applications
- Encryption of sensitive traffic over public networks
- Encryption of all non-console administrative access
- Maintaining instructional documentation, implementation guides and training programs for customers, resellers and integrators