FAQ Response
Expiry Date: Each application is given an expiry date, after which an assessment against the current version of PA-DSS is required in order to renew the application listing.
When a PA-DSS validated payment application has reached its expiry date, it is listed as acceptable only for pre-existing deployments, or in other words, for customers that have already purchased and deployed the product. Note that if the software vendor wishes to continue selling the application, the application must undergo a new PA-DSS assessment in order for the listing to be renewed. The PCI SSC encourages entities wishing to purchase a payment application to check the application’s expiry date as part of their purchasing due diligence process. Whether, and for how long, an entity is permitted to continue using an expired application that is only “acceptable for pre-existing deployments” is up to the individual payment brands and/or acquirers, and should be discussed with them.
Please refer to the PA-DSS Program Guide for more details on the Revalidation Date and Expiry Date. The PA-DSS Program Guide can be found at https://www.pcisecuritystandards.org/security_standards/documents.php
January 2011
Article Number 1174