PA DSS vs. PCI DSS: Who Needs to Comply & What Are the Requirements?

January 03, 2025

Author: Emily Bonnie, Senior Content Marketing Manager

Reviewer: Marc Rubbinaccio, Manager, Compliance

With more people shopping online than ever, ensuring that each transaction (and the payment application used to process it) is secure and meets the requirements of the PCI Security Standards Council is a top priority for any business.

The Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA DSS) help businesses do just that — PCI DSS to secure the handling of cardholder data and PA DSS to ensure payment applications are built and implemented following specific PCI security standards. 

When it comes to understanding the differences between PA DSS and PCI DSS, here’s what you need to remember: 

  • PCI DSS applies to all businesses that store, transmit, and process cardholder data or those businesses that can impact the security of cardholder data.
  • PA DSS applies only to software vendors and those that develop payment applications.

Seems simple enough, right? 

Like most PCI-related topics, fully understanding the differences between PA DSS vs. PCI DSS involves a bit more nuance, which we will explain below.

What is PCI DSS?

PCI DSS requires businesses that store, process, or transmit cardholder data, or that can impact the security of cardholder data, to follow a specific set of requirements to protect that data.

Governed by the Payment Card Industry Security Standards Council (PCI SSC), the standard consists of 12 requirements that must be met to become PCI compliant.

Who does PCI DSS apply to?

PCI DSS applies to two types of businesses: merchants and service providers. 

Merchants are businesses that accept payments for goods or services from any of the 5 PCI SSC card brands. Service providers are businesses that either have direct access to a cardholder data environment or can impact the security of an entity’s cardholder data environment.

PCI DSS assigns businesses to compliance levels based on the number of transactions they process in a given year; reviewing these levels gives a business a better understanding of its PCI DSS risk level.

There are four PCI compliance levels for merchants, with Level 1 requiring the most stringent reporting requirements and a full assessment by a QSA firm. Service providers have two compliance levels following the same format as merchants, with Level 1 requiring an external audit by a QSA firm. 

What is PA DSS?

PA DSS was a standard for software vendors to ensure that payment applications were tested, assessed, and validated. The goal of PA DSS was to require software vendors that build payment applications to meet PCI security standards and protect cardholder data to the fullest extent.

It expired at the end of October 2022 and was replaced by the PCI Software Security Framework (SSF). The SSF builds on many of the concepts introduced in PA DSS, but aims to provide a more comprehensive and flexible approach to payment security.

While PA DSS has been formally retired, it can still be useful to learn about the standard and its requirements to better understand how PCI SSF, PCI DSS, and the state of e-commerce as a whole have evolved over time.

When a PA DSS compliant payment application was implemented in a PCI DSS compliant environment, the combination helped minimize the potential for a data breach that could compromise cardholder data. The standard required that elements such as sensitive authentication data never be stored within the payment application after authorization, including:

  • Primary account number (PAN)
  • Full track data
  • Card verification codes and values
  • PINs and PIN blocks

In order for a payment application to be considered PA DSS compliant, it had to be assessed by a certified Payment Application Qualified Security Assessor (PA-QSA). 

If the application was compliant, the PA-QSA submitted a Report on Validation (ROV) detailing the results and an Attestation of Validation (AOV). The ROV described the scope of the assessment and each requirement, including the assessor's test details. The AOV stated whether the payment application had been validated as PA DSS compliant, proving that the software vendor adhered to the PA DSS requirements for securely managing cardholder data through its payment application.

Who does PA DSS apply to?

PA DSS applied to software vendors and businesses that develop payment applications that store, process, or transmit cardholder data.  

The standard was required when payment applications were sold, distributed, and/or licensed to third parties. These payment applications were frequently installed “off the shelf” and did not require much customization by the software vendors themselves. 

Conversely, if you developed a payment application solely for use within your own business, that application fell under PCI DSS rather than PA DSS.

PA DSS vs. PCI DSS: The main differences 

Before we dig into the differences between PA DSS and PCI DSS, it’s important to understand how the two standards overlap. 

PA DSS was one branch of the PCI Security Standards. A business that used a PA DSS compliant payment application was not thereby compliant with PCI DSS as a whole and still needed to adhere to the 12 PCI DSS requirements.

All businesses that store, transmit, or process cardholder data are in scope for PCI DSS — which included businesses that used a PA DSS compliant payment application. PA DSS also required software vendors to produce an implementation guide that businesses had to follow when implementing the payment application.

Below, we break down the main differences between the two standards. 

| | PA DSS | PCI DSS |
|---|---|---|
| Definition | Global security standard created to ensure payment applications met standards for secure handling of cardholder data and that businesses implemented payment applications securely | Compliance standard created to ensure cardholder data is secured when it is stored, processed, and transmitted |
| Main goal | Provided cardholder data security requirements that software vendors needed to adhere to when developing payment applications | Requires businesses that store, process, transmit, or impact the security of cardholder data to adhere to specific security controls for protecting cardholder data |
| Who it applies to | Applied to third-party software vendors and businesses that developed payment applications which stored, processed, or transmitted cardholder data and were sold to third parties | Organizations that store, process, or transmit cardholder data or could impact the security of card transactions |
| Governed by | Payment Card Industry Security Standards Council (PCI SSC) | Payment Card Industry Security Standards Council (PCI SSC) |
| Validation process | Payment application had to be audited and certified by a Payment Application Qualified Security Assessor (PA-QSA) | Businesses at compliance Level 1 need an external audit performed by a PCI DSS QSA; other businesses that do not require an external audit can validate with a self-assessment questionnaire |

What are the PA DSS requirements?

There were 14 PA DSS requirements that software developers had to adhere to in order to create compliant payment applications. 

  1. Do not retain full track data, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data 
  2. Protect stored cardholder data
  3. Provide secure authentication features
  4. Log payment application activity
  5. Develop secure payment applications
  6. Protect wireless transmissions
  7. Test payment applications to address vulnerabilities and maintain payment application updates
  8. Facilitate secure network implementation
  9. Never store cardholder data on a server connected to the internet
  10. Facilitate secure remote access to payment application
  11. Encrypt sensitive traffic over public networks
  12. Encrypt all non-console administrative access
  13. Maintain a PA DSS Implementation Guide for customers, resellers, and integrators
  14. Assign PA DSS responsibilities for personnel, and maintain training programs for personnel, customers, resellers, and integrators
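Requirement 1 above, and the list of sensitive authentication data (SAD) elements earlier on this page, are the kind of rule a payment application vendor would verify with a scan of what the application actually persists after authorization. The following is an added example written for this article, not code from the page or from Secureframe: it runs a check over a constructed set of stored transaction records and reports any full track data, retained SAD fields, or unmasked PAN (a Luhn-valid run of 13 to 19 digits, which a PAN masked to first six / last four never contains). The record layout, field names, and the `SAD_FIELDS` list are assumptions; a real scanner would take them from the application's own schema.

```python
import re

# Constructed sample records, as a payment application might persist them
# after authorization. The card numbers are publicly known test numbers that
# pass the Luhn check; nothing here is real cardholder data.
SAMPLE_RECORDS = [
    # compliant: PAN masked to first six / last four, no SAD retained
    {"txn_id": "A1", "pan": "411111******1111", "auth_code": "123456"},
    # non-compliant: full PAN stored in the clear and CVV2 retained
    {"txn_id": "A2", "pan": "4111111111111111", "cvv2": "123"},
    # non-compliant: raw track 2 data left behind in a debug field
    {"txn_id": "A3", "debug": ";5555555555554444=2512101000000001?"},
    # non-compliant: PIN block retained after authorization
    {"txn_id": "A4", "pan": "5555********4444", "pin_block": "0412AC89FF34B1D7"},
]

# Field names under which SAD is commonly persisted by mistake (assumption:
# a real scanner would take this list from the application's own schema).
SAD_FIELDS = {"cvv", "cvv2", "cvc2", "cid", "cav2", "pin", "pin_block",
              "track1", "track2", "track_data"}

# Magnetic-stripe layouts: track 1 is %B<PAN>^<name>^<YYMM...>?, track 2 is
# ;<PAN>=<YYMM...>? (start/end sentinels are optional once data is parsed).
TRACK1_RE = re.compile(r"%?B\d{13,19}\^[^^]{2,26}\^\d{4,}")
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4,}")

# Candidate PAN: 13 to 19 consecutive digits not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sad(record: dict) -> list:
    """Return sorted issue codes for one stored post-authorization record."""
    issues = set()
    for key, value in record.items():
        text = str(value)
        if key.lower() in SAD_FIELDS and text:
            issues.add("sad_field:" + key.lower())
        if TRACK1_RE.search(text) or TRACK2_RE.search(text):
            issues.add("track_data")
        # A masked PAN (first six / last four) never contains 13+ digits in a
        # row, so any Luhn-valid run of that length is an unmasked PAN.
        if any(luhn_valid(m.group()) for m in PAN_RE.finditer(text)):
            issues.add("pan_unmasked")
    return sorted(issues)


def scan_records(records) -> dict:
    """Map each txn_id to its issues; compliant records map to an empty list."""
    return {r["txn_id"]: find_sad(r) for r in records}


if __name__ == "__main__":
    for txn_id, issues in scan_records(SAMPLE_RECORDS).items():
        print(txn_id, "OK" if not issues else ", ".join(issues))
```

Run as a script it prints one line per record; only `A1` comes back clean. The track 2 record is reported twice (as `track_data` and as `pan_unmasked`) because the PAN inside the track is itself a full, Luhn-valid card number, which is exactly what a reviewer would want flagged. Pointing the same check at application logs and debug dumps, not just the main database, is where retained track data is most often found.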

What are the PCI DSS requirements?

There are 12 PCI compliance requirements businesses must adhere to in order to be compliant with PCI DSS. 

  1. Install and maintain network security controls
  2. Apply secure configurations to all system components
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission over open, public networks
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software
  7. Restrict access to system components and cardholder data by business need to know
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly
  12. Support information security with organizational policies and programs

The future of PA DSS and PCI DSS compliance

The history of PCI has seen a variety of updates to keep up with the changing payment card industry landscape and address new and emerging security threats. Here's an overview of significant updates to both standards.  

New changes to PCI DSS

The PCI SSC released a new version update, PCI DSS v4.0, on March 31, 2022. The previous version, PCI DSS v3.2.1, remained in effect until March 31, 2024. This gave merchants and service providers time to make necessary adjustments until PCI DSS v3.2.1 was officially retired and superseded by v4.0. Some of the new requirements are still not mandatory until March 31, 2025. 

New changes to PA DSS 

PA DSS was one of the first standards and programs of its kind, and laid the groundwork for software security in the payments industry. However, 10 years after its publication, PCI SSC opted to create a new framework that would better suit the payment industry's evolving needs rather than make incremental changes to an aging standard and program. PA DSS was therefore retired in October 2022 and replaced with the PCI Software Security Framework (SSF). This framework puts a keener focus on the security practices around card transaction software. PCI SSC is planning a revision to the currently published version of the Secure Software Standard v1.2.

Submissions for new payment applications to be validated under PA DSS closed on June 30, 2021. Since then, new payment applications can be validated by an SSF-certified assessor company listed on the PCI SSC website.

How Secureframe can help streamline PCI compliance 

If you’re having trouble keeping up with the evolving PCI standards or how to get started with your compliance process, we’re here to help. 

Our team of PCI DSS experts can assist with whatever stage of PCI compliance your business is at. 

Request a demo to find out how Secureframe can make compliance easier for your team today.