White Paper: Removing Software Vendors From The Scope Of PA DSS
By Don Schroeder, Chief Technology Officer, Element Payment Services, Inc.
To appreciate the benefits of Element's new Hosted Payments, it's important to first understand the origins of the Payment Application Data Security Standards ("PA DSS"), and to understand how the PA DSS relates to, and is dependent on, the Payment Card Industry Data Security Standards ("PCI DSS").
The requirements for PA DSS are based on, and derived from, PCI DSS. PCI DSS is a comprehensive set of requirements that applies directly to merchants and payment service providers. PCI DSS describes in great detail all of the necessary requirements to ensure a secure environment for accepting cardholder data. This includes any software applications within the environment that store, process, or transmit cardholder data. PCI DSS, however, does not directly apply to the merchants' software vendors. Because the software vendors do not store, process, or transmit cardholder data, they are not directly in scope of PCI DSS. Software vendors' applications, however, should facilitate, and not prevent, their customers'/merchants' compliance with PCI DSS. This is the origin and catalyst for PA DSS.