The Payment Application Data Security Standard (PA-DSS) is the global security standard created by the Payment Card Industry Security Standards Council (PCI SSC). [1] PA-DSS was implemented in an effort to provide the definitive data standard for software vendors that develop payment applications. The standard aimed to prevent payment applications developed for third parties from storing prohibited secure data, including magnetic stripe, CVV2, or PIN. In that process, the standard also dictates that software vendors develop payment applications that are compliant with the Payment Card Industry Data Security Standards (PCI DSS).
The PA-DSS was ultimately retired in late 2022, though existing implementations using PA-DSS applications do not necessarily lose their compliance status. [2] The PCI Council has since established a new software validation program, the PCI Software Security Framework.
For a payment application to be deemed PA-DSS compliant, software vendors must ensure that their software includes the following fourteen protections: [3]
PCI SSC has compiled a list of payment applications that have been validated as PA-DSS compliant, with the list updated to reflect compliant payment applications as they are developed. Creation and enforcement of these standards currently rests with PCI SSC via Payment Application-Qualified Security Assessors (PA-QSA). PA-QSAs conduct payment application reviews that help software vendors ensure that applications are compliant with PCI standards.
Governed originally by Visa Inc., under the PABP moniker, PA-DSS was launched on April 15, 2008 and updated on October 15, 2008. PA-DSS then became retroactively distinguished as "version 1.1" [4] and "version 1.2". [5]
In October 2009, PA-DSS v1.2.1 was released with three noted changes: [3]
In October 2010, PA-DSS 2.0 was released, [6] indicating: Update and implement minor changes from v1.2.1 and align with new PCI DSS v2.0. For details, please see PA-DSS – Summary of Changes from PA-DSS Version 1.2.1 to 2.0.
In November 2013, PA-DSS 3.0 was released, [7] indicating: Update from PA-DSS v2. For details of changes, please see PA-DSS – Summary of Changes from PA-DSS Version 2.0 to 3.0. [8]
In May 2015, PA-DSS 3.1 was released, [3] indicating: Update from PA-DSS v3.0. See PA-DSS – Summary of Changes from PA-DSS Version 3.0 to 3.1 for details of changes. [9]
In May 2016, version 3.2 of the PA-DSS Program Guide and Standards was released. [10] [11] For details, see Summary of Changes from PA-DSS Version 3.1 to 3.2. [12]
The PCI SSC has published additional materials that further clarify PA-DSS, including the following: