In True's experience as a QSA advising merchants on PCI compliance, one point of confusion always seems to surface: when are merchants required to use a Payment Application Data Security Standard (PA-DSS) validated POS application?
First, it is important to understand that the Payment Card Industry Data Security Standard (PCI-DSS) and PA-DSS are completely separate standards. Assessors do not validate or require PA-DSS when validating PCI-DSS. All applicable PCI-DSS controls must always be evaluated regardless of the POS application's validation status. Using a PA-DSS validated application gives merchants assurance that the application was designed to meet the PCI security requirements.
Our role as a QSA is not to challenge or verify an application's PA-DSS validation, but rather assess the merchant's implementation of the application and its environment. QSAs should be encouraging clients to use a PA-DSS validated application whenever possible to receive security benefits and satisfy card brand requirements, described next.
Whether a PA-DSS validated application must be used is actually mandated directly by the individual card brands. Currently, only VISA publicly mandates PA-DSS for its merchants; however, MasterCard plans to require it starting July 2012. The information below lists the current requirement for each card brand. Merchants should verify their specific PA-DSS requirements with their acquirer or card brand.
VISA
- Mandated effective 1 July 2010
- Mandate Reference
MasterCard
- Mandated effective 1 July 2012
- Mandate Reference
Discover
- Strongly recommends
American Express
- Merchants should contact American Express directly to verify requirements
JCB
- Merchants should contact JCB directly to verify requirements
I hope this explanation clears up any confusion. If you have any questions related to this topic or have other topics that you would like to see addressed by experts on True Insight, please post a reply or send us an email.