Frequently Asked Questions

< Back to search page

Will PA-DSS validated applications continue to be Acceptable for New Deployments if they run on an unsupported operating system?

FAQ Response

As part of the annual PA-DSS revalidation process, PCI SSC will be working with application vendors to identify applications which rely or depend on unsupported software, to ensure that validated payment applications continue to support the PCI DSS compliance of the organizations that use them. As part of this process, applications that can no longer support PCI DSS compliance may be moved to the Acceptable only for Pre-Existing Deployments category.

PA-DSS validated applications are intended to facilitate PCI DSS compliance when implemented and maintained in a compliant manner. Organizations are responsible for ensuring their own PCI DSS compliance, and an organization using unsupported operating systems in their cardholder data environment should be planning to upgrade to a supported operating system in a timely manner.  Consistent with this, an organization may also need to upgrade their applications to ensure they are compatible with the supported operating system.  For additional guidance on the use of unsupported operating systems, please refer to FAQ # 1130: Are operating systems that are no longer supported by the vendor non-compliant with the PCI DSS?

December 2013
Article Number 1262

Related Articles

If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for that application?

What are the PA-DSS Expiry Dates?

What is the difference between a Validated Payment Application which is shown on the PCI SSC website as “Acceptable for New Deployments” and one which is shown as “Acceptable only for Pre-Existing Deployments”?

What is the Council’s guidance on the use of SHA-1?

How does use of an expired PTS device affect my PCI DSS compliance?