Guest Column | April 13, 2009

PCI (Payment Card Industry) Compliance Basics: PA DSS


Written by: Sean Kramer, CEO, Element Payment Services

Several years ago, Visa developed the Payment Application Best Practices (PABP). The purpose of the program was to guide software vendors in creating secure applications that help merchants prevent the compromise of sensitive cardholder data. The goal was also to support merchants’ overall compliance with the PCI Data Security Standard (PCI DSS).

Since its inception, however, there has been no widespread adoption of PABP. Without mandates or penalties, software vendors lacked a viable business case to justify the inordinate time and expense required to achieve compliance with PABP. All that changed on April 15, 2008.

Due to the steady increase in data compromises, the PCI Security Standards Council published version 1.1 of the Payment Application Data Security Standard (PA DSS). In doing so, Visa’s PABP was effectively transitioned into an enforceable security standard.

PA DSS applies to software developers and integrators of applications that store, process or transmit payment cardholder data as part of authorization or settlement. It also applies to these applications that are sold, distributed or licensed to third parties.

Here’s a list of PA DSS requirements:

1. Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CIV2, CW2) or PIN block data
2. Provide secure password features
3. Protect stored cardholder data
4. Log application activity
5. Develop secure applications
6. Protect wireless transmissions
7. Test applications to address vulnerabilities
8. Facilitate secure network implementation
9. Do not store cardholder data on a server connected to the Internet
10. Facilitate secure remote software updates
11. Facilitate secure remote access to application
12. Encrypt sensitive traffic over public networks
13. Encrypt all non-console administrative access
14. Maintain instructional documentation and training programs for customers, resellers and integrators

To ensure that software vendors meet these PA DSS requirements, they must successfully pass a PA DSS review. PA DSS reviews are performed by independent assessors known as PA QSAs. It is the responsibility of the software vendor to locate and pay for a PA QSA to perform their review.
The goal of a PA DSS review is to produce a Report of Validation (ROV). The ROV is subsequently submitted to the PCI SSC for approval and listing on the PCI SSC web site. In addition to the PA QSA fees, the software vendor is also responsible for paying the PCI Security Standards Council an annual listing fee. This fee is for listing the software vendor’s application on the PCI SSC web site.

About Element Payment Services, Inc. (
Headquartered in Phoenix, Arizona, Element Payment Services Inc. provides fully integrated PCI DSS compliant payment processing solutions to merchants through partnerships with leading business management software providers. Focused primarily on helping ISVs navigate through the requirements of PA-DSS compliance, our expert solutions greatly simplify PA-DSS validation, or remove the cost and burden entirely. Through our Compliance Relief Program, Element will cover part, if not all, of the PA-DSS assessment for qualified ISVs. Alternatively, for those who prefer to eliminate the need for compliance, Element's Hosted Payments solution removes ISVs from the scope of PA-DSS, while still enabling a fully integrated payment solution.

For more information about Element, visit