Frequently Asked Questions

< Back to search page

How can I check whether a payment application is PA-DSS validated?

FAQ Response

The List of Validated Payment Applications on the PCI SSC website is the authoritative list of applications which have been accepted by PCI SSC as PA-DSS validated. If an application is not included in the list, it is not PA-DSS validated.
 
Each application on the list has a version number which represents the specific version of the application that was reviewed in the PA-DSS assessment.  The format of the version number is determined by the application vendor and is updated by the vendor according to their defined versioning methodology.  Note that an application may have multiple versions listed as PA-DSS validated, but only those specific versions listed on the PCI SSC website are considered PA-DSS validated. 
 
Please also note that compliance mandates for use of PA-DSS validated payment applications are managed by the individual payment brands, not by the PCI Security Standards Council. For queries about how usage of a particular payment application affects PCI DSS compliance, please contact your acquirer (merchant bank) or the payment brands directly.
 

November 2012
Article Number 1181

Related Articles

If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for that application?

What are the PA-DSS Expiry Dates?

What is the difference between a Validated Payment Application which is shown on the PCI SSC website as “Acceptable for New Deployments” and one which is shown as “Acceptable only for Pre-Existing Deployments”?

What is the Council’s guidance on the use of SHA-1?

How does use of an expired PTS device affect my PCI DSS compliance?