Does PA-DSS apply to you?

As a PA-QSA working for a QSA company, I take calls from people wanting to get PA-DSS validation for their application(s). June 30, 2010 is the deadline for all merchants and service providers to start using PA-DSS validated applications.

A surprising number of people have just heard about PA-DSS and are scrambling to get validated. Some acquirers seem to have compounded the problem by sending out mass emails to all merchants and service providers that they work with, informing them of the deadline and their need to get their applications validated.

If you have not already got your validation done, there is no way you are going to get it done between now and June 30. The PCI-SSC is taking about 8-10 weeks to review the Report on Validation (RoV) at this point, and this is only going to get worse for at least the next few months.

If you have received a letter from your acquirer or someone has told you to get your application validated, the first thing you need to do is to make sure that you need a PA-DSS validation for your application.

PA-DSS (Payment Application Data Security Standard) applies to payment applications that store, process or transmit cardholder data as part of authorization or settlement that are sold as products (or modules).

  • This will apply to any application sold as a product or as a product module to other entities “off the shelf” without much customization. If the only customization that you do is cosmetic, such as logos, themes, or colors, then PA-DSS may still apply.
  • PA-DSS does not apply to custom developed applications for a specific entity. For example, if company A contracted with company B to custom develop an application that A will use in-house or as a web-service (that A’s customers will log into), then the app will be covered under PCI-DSS of company A and PA-DSS will not apply.
  • If you developed an application specifically for a client, and it is only sold to that client, PA-DSS will not apply, since this will be considered a custom developed application and will be covered under the client’s PCI-DSS compliance validation.
  • For applications that are sold as add-on modules to a core set of modules, PA-DSS will apply to all modules that perform payment functions.
  • PA-DSS usually will not apply to terminal services applications (e.g. Citrix applications) that are hosted at the vendor’s site and accessed by their clients, but the vendor will need to be PCI-DSS compliant. PA-DSS will apply in cases where the terminal services application is hosted at the client (instead of the vendor). If any piece of the software is distributed to clients, PA-DSS may apply to that part of the software.
  • If an application does not relate to authorization and settlement, it is not required to undergo a PA-DSS assessment, even if it handles payment card data.

I have just covered some basic scenarios. You should talk to a QSA (perhaps more than one) to verify the applicability of PA-DSS to your application(s). While we are scrupulous about informing people when PA-DSS does not apply to them, others may not be. I have heard of instances when a QSA has asserted that PA-DSS would apply when it clearly did not.

If you know you need to get your application(s) PA-DSS validated, you might want to take a look at Tips for a successful PA-DSS validation to get an idea of the process and save yourself a lot of trouble later on.