Why PA-DSS and PCI-DSS Matter

PA-DSS

The Payment Application Data Security Standard (PA-DSS) is the global security standard created by the Payment Card Industry Security Standards Council (PCI-SSC). PA-DSS was created to give software vendors that develop payment applications a definitive security standard for those applications.

The standard aims to prevent payment applications developed for sale to third parties from storing prohibited sensitive authentication data, including full magnetic stripe (track) data, CVV2, or PIN data. In the same process, the standard also requires software vendors to develop payment applications that support their customers' compliance with the Payment Card Industry Data Security Standard (PCI-DSS).

PCI-DSS

PCI-DSS is a combination of best practices and associated requirements covering security management, policies, procedures, network architecture, software design, and other protective measures. These requirements apply to all entities that store, process, and/or transmit cardholder data. The PA-DSS requirements, which apply these PCI-DSS controls to the payment application itself, are:

  1. Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data.
  2. Protect stored cardholder data.
  3. Provide secure authentication features.
  4. Log payment application activity.
  5. Develop secure payment applications.
  6. Protect wireless transmissions.
  7. Test payment applications to address vulnerabilities.
  8. Facilitate secure network implementation.
  9. Cardholder data must never be stored on a server connected to the Internet.
  10. Facilitate secure remote access to payment application.
  11. Encrypt sensitive traffic over public networks.
  12. Encrypt all non-console administrative access.
  13. Maintain instructional documentation and training for customers, resellers, and integrators.
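Requirement 1 (no retention of track data, card verification values or PIN blocks) and requirement 2 (protect stored cardholder data) are the ones most often violated by accident, typically through debug logging of raw terminal input. The following is an added example, not code from the original page or from the PCI-SSC: a small scanner that checks log lines for ISO/IEC 7813 track 1 and track 2 data and for unmasked Luhn-valid PANs, and a redaction routine that strips track data and masks PANs to the first six and last four digits. The sample log lines, the regular expressions and the function names are all constructed for this example; the PANs are well-known test card numbers, not real accounts.

```python
import re

# Constructed sample log lines for this example (not data from a real system).
# The PANs are standard test numbers and the track data is synthetic, laid out
# in the ISO/IEC 7813 track 1 (%B...?) and track 2 (;...?) formats.
SAMPLE_LOG = [
    "12:00:01 auth ok txn=1001 pan=411111******1111",
    "12:00:02 debug raw=%B4111111111111111^DOE/JOHN^2512101000000000?",
    "12:00:03 debug raw=;5555555555554444=2512101000000000?",
    "12:00:04 auth ok txn=1002 pan=5555555555554444",
    "12:00:05 info order=123456789012 ref=1234567890123456",
]

# Track 1: start sentinel '%', format code 'B', PAN, '^', name, '^', data up to '?'.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^[^?]*\?")
# Track 2: start sentinel ';', PAN, '=', expiry/service code/discretionary data, '?'.
TRACK2_RE = re.compile(r";(\d{13,19})=[^?]*\?")
# Any bare run of 13 to 19 digits is a PAN candidate; the Luhn check filters the rest.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN so that at most the first six and last four digits remain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str):
    """Return a list of (kind, pan) findings for one log line.

    kind is 'track1', 'track2' or 'pan'. PAN candidates that sit inside a
    track match are not reported a second time, and candidates that fail
    the Luhn check (order numbers, reference ids) are ignored.
    """
    findings = []
    spans = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            findings.append((kind, m.group(1)))
            spans.append((m.start(), m.end()))
    for m in PAN_RE.finditer(line):
        if any(s <= m.start() < e for s, e in spans):
            continue
        if luhn_ok(m.group(1)):
            findings.append(("pan", m.group(1)))
    return findings


def scan_log(lines):
    """Scan every line; report (line_number, kind, masked_pan) for each finding."""
    report = []
    for n, line in enumerate(lines, 1):
        for kind, pan in scan_line(line):
            report.append((n, kind, mask_pan(pan)))
    return report


def redact_line(line: str) -> str:
    """Remove track data entirely and mask any remaining Luhn-valid PAN."""
    line = TRACK1_RE.sub("[TRACK1 REMOVED]", line)
    line = TRACK2_RE.sub("[TRACK2 REMOVED]", line)
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(1)) if luhn_ok(m.group(1)) else m.group(0),
        line,
    )


if __name__ == "__main__":
    for n, kind, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} data found, PAN {masked}")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Run against the sample, the scanner flags lines 2 and 3 for track data and line 4 for an unmasked PAN, and leaves line 5 alone because its 16-digit reference number fails the Luhn check. The masking rule in `mask_pan` follows the PCI-DSS masking requirement; the redaction replaces track data outright because requirement 1 allows no storage of it, masked or otherwise. Note that a scan like this only finds patterns it knows about: it is a detection aid for log review, not a substitute for a PA-DSS assessment of the application.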