PCI DSS may be the buzz word but there are other standards council is promoting. PA DSS falls in second to PCI DSS. PCI also has PA-DSS, PCI – PTS Suite of Standards, P2PE and the Card Production Standards.The PA-DSS has indeed been branched off from the PCI-DSS standard and tailored to suite applications, which are present in the PCI-DSS environment. The standard applies more to application vendors than to anyone dealing with card data. The first thing you would like to know is all the applications which are present in the PCI-DSS environment does not have to be PA-DSS certified.
PA-DSS applies only to
- Applications which participate in authorization and / or settlement and
- Applications which are sold off the shelf
In PA-DSS lingo ‘Authorization’ refers to the payment authorization by the issuing bank. The application should participate in authorization to an extent that it receives the track data and sensitive authentication data and processes it to complete the process of authorization. To clarify a bit more, this means your application will not be eligible to list with PCI Council if you don’t meet the above criteria.
However, that does not stop you from doing the right things for your application. Supporting your customers security and compliance program is integral in having a secure customer base. All these associated applications which sits in the scoped PCI environment will be evaluated against the payment application development guidelines as part of your client security program. PA DSS is one among the matured standards in the industry to evaluate the application against, showcases the security index of your application.