iPayment and Payment Application Data Security Standard (PA-DSS)


PCI PA-DSS is the standard against which Payment Applications need to be tested, assessed, and validated. PCI DSS compliance is obtained separately by the merchant, and obtaining it is the merchant's responsibility. Although PA-DSS provides the industry standard for developing payment applications, not every software application that plays a role in a transaction is eligible for review and listing by the PCI SSC under the PA-DSS program. iPayment does not fall under the category of a Payment Application, and it is not eligible for PA-DSS validation because it does not store, process or transmit cardholder data as part of authorization or settlement. With respect to cardholder data, PCI DSS does not apply to a payment application if PANs are not stored, processed, or transmitted[2] by it. This is the case with iPayment, which never stores, processes or transmits PANs.

The PCI Security Standards Council has published the following document, https://www.pcisecuritystandards.org/documents/which_applications_eligible_for_pa-dss_validation.pdf, on how to determine whether an application like iPayment is eligible for PA-DSS validation. The document states: “If the answer is YES to ANY of the following questions, the application is NOT eligible for validation under PA-DSS.”

For iPayment the answer to question 3, “Does the application facilitate authorization or settlement, but has no access to cardholder data or sensitive authentication data?”, is yes, so iPayment is not eligible for review.

What should a merchant or service provider do if they use, or wish to use, applications that store, process or transmit cardholder data that are not eligible for PA-DSS validation?

Applications that store, process or transmit cardholder data and that are not eligible for PA-DSS validation are included as part of the entity’s annual PCI DSS assessment, to ensure that the application complies with all applicable PCI DSS requirements.[3]

What should an application vendor do if their product is not eligible for validation under the PCI SSC’s PA-DSS Program?

If an application is not eligible for validation under the PCI SSC’s PA-DSS program, the PCI SSC recommends that those applications, if intended for use in the cardholder data environment, are developed using PA-DSS as a baseline for protection of payment card data. Merchants and service providers using or wishing to use such applications in their cardholder data environment would include these applications as part of their annual PCI DSS assessment.[4]

We have developed iPayment using PA-DSS as a baseline, but iPayment is not eligible for validation.