Frequently Asked Questions

< Back to search page

How does PA-DSS support a merchant’s PCI DSS compliance?

FAQ Response

The PA-DSS details the requirements a payment application must meet in order to facilitate a customer’s PCI DSS compliance. PA-DSS validated payment applications, when implemented in a PCI DSS-compliant environment, can help minimize the potential for security breaches leading to compromises of PAN, full track data, card verification codes and values (CAV2, CID, CVC2, CVV2), and PINs and PIN blocks, along with the damaging fraud resulting from these breaches.

Use of a PA-DSS validated application does not by itself make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide provided by the payment application vendor.  

PA-DSS applications are in scope for an entity’s PCI DSS assessment. The PCI DSS assessment should verify the PA-DSS validated payment application is properly configured and securely implemented per PCI DSS requirements. If the payment application has undergone any customization, a more in-depth review will be required during the PCI DSS assessment, as the application may no longer be representative of the version that was validated to PA-DSS.

Additionally, it should be noted that some payment brand rules may require the use of PA-DSS applications. Merchants should contact their acquirer or the payment brands directly to determine if they have any requirements. Payment brand contact details are provided in FAQ 1142.

May 2014
Article Number 1020