“This Payment Card Industry PA-DSS Program Guide reflects an alignment of the payment brands’ requirements to a standard set of:
- Payment application security requirements and assessment procedures
- Processes for recognizing payment applications validated by PA-QSAs
- Processes for PABP-validated payment applications for transition to the PCI SSC list
- Quality assurance processes for PA-QSAs
Traditional PCI-DSS compliance may not apply directly to payment application vendors since most vendors do not store, process, or transmit cardholder data. However, since these payment applications are used by customers to store, process, and transmit cardholder data, and customers are required to be PCI-DSS compliant, payment applications should facilitate and not prevent the customers’ PCI-DSS compliance. Examples of how payment applications can prevent PCI-DSS compliance include:
- Magnetic-stripe data stored in the customer’s network after authorization;
- Applications that require customers to disable other features required by the PCI-DSS, like antivirus software or firewalls, in order to get the payment application to work properly; and
- Vendor’s use of unsecured methods to connect to the application to provide support to the customer.
Secure payment applications, when implemented into a PCI-DSS-compliant environment, will minimize the potential for security breaches leading to compromises of full magnetic stripe data, card validation codes and values (CAV2, CID, CVC2, CVV2), PINs and PIN blocks, and the damaging fraud resulting from these breaches.”
PCI Security Standards Council