Frequently Asked Questions
How do I know if my application requires a PA-DSS (Payment Application Data Security Standard) Assessment?
The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties.
With the following exceptions:
1. PA-DSS does NOT apply to a payment application developed for and sold to only one customer since this application will be covered as part of the customer's normal PCI DSS compliance review. Note that such an application (which may be referred to as a "bespoke" application) is sold to only one customer (usually a large merchant or service provider), and it is designed and developed according to customer-provided specifications.
2. PA-DSS does NOT apply to payment applications developed by merchants and service providers if used only in-house (not sold, distributed, or licensed to a third party), since this in-house developed payment application would be covered as part of the merchant's or service provider's normal PCI DSS compliance.
3. PA-DSS does NOT apply if Primary Account Numbers (PANs) are not stored, processed, or transmitted.
Who requires my application to be validated?
The individual payment card brands determine the validation requirements for payment card applications. For detailed validation requirements for each card brand, contact one of our Professional PCI Consultants at 801-705-5656.
Can my payment application store cardholder data?
The best practice is to avoid storing cardholder data unless absolutely necessary. However, with proper controls in place, storage of the Primary Account Number (PAN), cardholder name, service code, and expiration date is permissible.
The following must never be stored after authorization, even if encrypted:
1. The full contents of any track from the magnetic stripe (whether that data is on the back of a card, in a chip, or elsewhere).
2. The card-validation code or value (the three- or four-digit number printed on the front or back of the payment card).
3. The PIN or the encrypted PIN block.
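As an added example that is not part of the original FAQ, the following Python check applies the storage rule above to records a payment application has persisted: it flags fields that hold sensitive authentication data by name and scans every stored value for magnetic-stripe track formats. The field names, the track-format patterns and the sample records are constructed for this example.

```python
import re

# Constructed sample of records a payment application might persist after
# authorization. Field names are hypothetical; the first record keeps only
# data the FAQ says may be stored (PAN, name, expiration date, service code).
SAMPLE_RECORDS = [
    {"pan": "4111111111111111", "name": "J DOE", "exp": "2612", "service_code": "201"},
    {"pan": "4111111111111111", "name": "J DOE", "cvv2": "123"},
    {"pan": "5555555555554444", "notes": ";5555555555554444=26122011234567890?"},
    {"pan": "5555555555554444", "pin_block": "A1B2C3D4E5F60718"},
    {"pan": "4111111111111111", "swipe": "%B4111111111111111^DOE/J^26122011000000000?"},
]

# Field names that, by their name alone, indicate sensitive authentication data.
PROHIBITED_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "cav2",
                     "pin", "pin_block", "track1", "track2"}

# Loose patterns for track 1 (%B<PAN>^<NAME>^<YYMM>...) and track 2
# (;<PAN>=<YYMM>...) data appearing inside any stored value.
TRACK1_RE = re.compile(r"%?B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}")


def find_violations(record):
    """Return the reasons a stored record breaks the post-authorization rule."""
    reasons = []
    for key, value in record.items():
        if key.lower() in PROHIBITED_FIELDS:
            reasons.append(f"prohibited field '{key}'")
            continue
        text = str(value)
        if TRACK1_RE.search(text):
            reasons.append(f"track 1 data in '{key}'")
        elif TRACK2_RE.search(text):
            reasons.append(f"track 2 data in '{key}'")
    return reasons


def audit(records):
    """Map record index -> violations, for every record that has any."""
    findings = {}
    for index, record in enumerate(records):
        violations = find_violations(record)
        if violations:
            findings[index] = violations
    return findings


if __name__ == "__main__":
    for index, reasons in audit(SAMPLE_RECORDS).items():
        print(f"record {index}: {'; '.join(reasons)}")
```

A check like this catches the common failure mode where track data or a CVV lands in a free-text or log field rather than in an obviously named column.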
How long does it take to receive the completed Report-on-Validation (ROV)?
The time required depends on the complexity of your application and on whether you have completed a previous assessment. For a general overview of the time and steps involved, please reference the following page.
If I validate, will I appear on the PCI list?
Yes, when you successfully complete a PA-DSS assessment, your payment application can be listed on the PCI-SSC list of validated applications. Arrangements for listing are made between the vendor and the PCI-SSC.