PA DSS Validation Services (PA-DSS)

The Payment Application Data Security Standard (PA-DSS) requirements are derived from the PCI DSS requirements. PA-DSS is essentially the successor of 'Payment Application Best Practices (PABP) v1.4'.

Traditional PCI DSS compliance may not apply directly to payment application vendors, since most vendors do not themselves store, process, or transmit cardholder data. However, their customers use these payment applications to store, process, and transmit cardholder data, and those customers are required to be PCI DSS compliant, so payment applications should facilitate, and not prevent, their customers' PCI DSS compliance. Some examples of how a payment application can negatively impact an organization's PCI compliance efforts:

- Storage of magnetic stripe data in the customer's network after authorization.
- Applications that require customers to disable other features required by PCI DSS, such as anti-virus software or firewalls, in order for the payment application to work properly.
- Vendor use of unsecured methods to connect to the application in order to provide support to the customer.

PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties.
PA-DSS applies to:

- Payment applications that are typically sold and installed "off the shelf" by software vendors without much customization.
- Payment applications provided in modules, which typically include a "baseline" module and other modules specific to customer types or functions, or customized per customer request.

Software vendors who develop such payment applications are responsible for:

- Creating PA-DSS compliant payment applications that facilitate and do not prevent their customers' PCI DSS compliance (the application cannot require an implementation or configuration setting that violates a PCI DSS requirement).
- Following PCI DSS requirements whenever the vendor stores, processes, or transmits cardholder data (for example, during customer troubleshooting).
- Creating a PA-DSS Implementation Guide, specific to each payment application, according to the requirements of the PA-DSS standard.
- Educating customers, resellers, and integrators on how to install and configure the payment applications in a PCI DSS-compliant manner.
- Ensuring payment applications meet PA-DSS by successfully passing a PA-DSS review as specified in the standard.

Secure payment applications, when implemented in a PCI DSS-compliant environment, minimize the potential for security breaches leading to compromises of sensitive cardholder data. Failure to comply with PA-DSS can result in the loss of potential customers, who are themselves bound to be PCI DSS compliant.

SISA Compliance Program

Our comprehensive PA-DSS compliance services make us the leader in this field.
Our PCI compliance services include:

- PA-QSA Audits
- PA Assessment Services
- Application Testing Services

Other PA-QSA activities:

- Performing assessments on payment applications in accordance with the PA-DSS Security Assessment Procedures and the PA-QSA Validation Requirements.
- Providing an opinion regarding whether the payment application meets PA-DSS requirements.
- Providing adequate documentation within the Report on Validation (ROV) to demonstrate the payment application's compliance with PA-DSS.
- Submitting the ROV to the PCI SSC.
- Maintaining an internal quality assurance process for PA-QSA efforts.

Advantages with SISA

- SISA has a large pool of experienced QSAs with a proven track record in PA-DSS and PCI DSS compliance.
- An independent and structured approach that expedites the audit process, enabling our clients to obtain PA-DSS validation as quickly and painlessly as possible, thereby reducing the cost associated with PA-DSS compliance.
- SISA's security consultants work with the customer's in-house software developers to understand how the application has been developed, identify areas requiring improvement, and provide guidance on how to address flaws in the application development life cycle.
- As a vendor-neutral QSA, our unbiased approach ensures that we can supply our clients with the optimum solutions for any PA-DSS related security issues that might arise.

We value a personal approach when working with our audit clients. This extends to offering ad-hoc advice and fielding questions from customers at no extra cost.