When are merchants required to use a PA-DSS validated POS (point-of-sale) application?
September 21, 2011 | POSTED BY MICHAEL OGLESBY IN COMPLIANCE, PCI
In True's experience as a QSA advising merchants on PCI compliance, one point of confusion always seems to surface: when are merchants required to use a Payment Application Data Security Standard (PA-DSS) validated POS application?
First, it is important to understand that the Payment Card Industry Data Security Standard (PCI-DSS) and PA-DSS are completely separate standards. Assessors do not validate or require PA-DSS when validating PCI-DSS. All applicable PCI-DSS controls must always be evaluated regardless of the POS application's validation status. Utilizing a PA-DSS validated application allows merchants to ensure that the application was designed to meet the PCI security requirements.
Our role as a QSA is not to challenge or verify an application's PA-DSS validation, but rather assess the merchant's implementation of the application and its environment. QSAs should be encouraging clients to use a PA-DSS validated application whenever possible to receive security benefits and satisfy card brand requirements, described next.
When a PA-DSS validated application must be used is mandated directly by the individual card brands. Currently, only VISA publicly mandates PA-DSS for its merchants; however, MasterCard plans to require it starting in July 2012. The information below lists the current requirement for each card brand. Merchants should verify with their acquirer or card brand as to their unique PA-DSS requirements.
- Merchants should contact American Express directly to verify requirements
- Merchants should contact JCB directly to verify requirements
I hope this explanation clears up any confusion. If you have any questions related to this topic, or have other topics that you would like to see addressed by experts on True Insight, please post a reply or send us an email.