Frequently Asked Questions

< Back to search page

For the list of Validated PA-DSS Applications, what is the difference between Revalidation Date and Expiry Date?

FAQ Response

Revalidation Date: Annually, the software vendor is required to revalidate by completing Part 3b of the Attestation of Validation form, confirming that no changes have been made to the application version listed as a Validated Payment Application. The vendor submits the Attestation form and revalidation fees to the PCI Security Standards Council (PCI SSC) prior to the listed Revalidation Date. If there is a new or changed version of the application that the vendor wants listed, the vendor goes through the process for either a Major Update (new PA-DSS assessment) or Minor Update (Change Analysis). Please refer to the PA-DSS Program Guide for more details on the Revalidation Date. The Program Guide and the Attestation of Validation form can be found at https://www.pcisecuritystandards.org/security_standards/documents.php

Expiry Date: Each application is given an expiry date, after which an assessment against the current version of PA-DSS is required in order to renew the application listing.
 
When a PA-DSS validated payment application has reached its expiry date, it is listed as acceptable only for pre-existing deployments, or in other words, for customers that have already purchased and deployed the product. Note that if the software vendor wishes to continue selling the application, the application must undergo a new PA-DSS assessment in order for the listing to be renewed. The PCI SSC encourages entities wishing to purchase a payment application to check the application’s expiry date as part of their purchasing due diligence process. Whether, and for how long, an entity is permitted to continue using an expired application that is only “acceptable for pre-existing deployments” is up to the individual payment brands and/or acquirers, and should be discussed with them.

Please refer to the PA-DSS Program Guide for more details on the Revalidation Date and Expiry Date. The PA-DSS Program Guide can be found at https://www.pcisecuritystandards.org/security_standards/documents.php

January 2011
Article Number 1174

Related Articles

How can I check whether a payment application is PA-DSS validated?

How does my company become a qualified assessor (QSA, PA-QSA, QSA (P2PE), PA-QSA (P2PE)), or Approved Scanning Vendor (ASV)?

What is the difference between a Validated Payment Application which is shown on the PCI SSC website as “Acceptable for New Deployments” and one which is shown as “Acceptable only for Pre-Existing Deployments”?

Is it acceptable to make minor changes to a PA-DSS validated application and retain the existing version number?

How much will it cost for a vendor to have their products validated to PA-DSS by a PA-QSA?