Ecommerce Glossary



PA-DSS

The Payment Application Data Security Standard (PA-DSS) is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties.

Most card brands encourage merchants and third-party agents to use payment applications that have been independently validated by a PA-QSA company and accepted for listing by the PCI SSC.

PA-DSS Requirements

  1. Do not retain full magnetic stripe, card validation code or value, or PIN block data
  2. Protect stored cardholder data
  3. Provide secure authentication features
  4. Log payment application activity
  5. Develop secure payment applications
  6. Protect wireless transmissions
  7. Test payment applications to address vulnerabilities
  8. Facilitate secure network implementation
  9. Cardholder data must never be stored on a server connected to the internet
  10. Facilitate secure remote software updates
  11. Facilitate secure remote access to payment application
  12. Encrypt sensitive traffic over public networks
  13. Encrypt all non-console administrative access
  14. Maintain instructional documentation and training programs for customers, resellers, and integrators

Usage: "An ecommerce site must meet the specifications of the PCI SSC in order to be considered PA-DSS compliant."

