PSC Payment and Security Experts

Payment Application Data Security Standard (PA-DSS)

The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI Data Security Standard (“PCI DSS”).

Payment applications must not retain full magnetic stripe data or CVV2 data and must support a merchant’s and service provider’s ability to comply with the PCI DSS. Secure payment applications, when implemented in a PCI-compliant environment, will minimize the potential for security breaches leading to compromises of full magnetic stripe data or CVV2, and the damaging fraud resulting from these breaches.

PA-DSS is a program managed by the Payment Card Industry Security Standards Council (“PCI SSC”). It was formerly under the supervision of the Visa Inc. program known as Payment Application Best Practices (PABP).

For purposes of PA-DSS, a payment application is defined as one that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties. In-house payment applications developed by merchants or service providers that are not sold to a third party are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS.

PSC is certified globally as a Payment Applications Qualified Security Assessor company (“PA-QSA”) for the PCI Security Standards Council to perform PA-DSS assessments on payment applications.
