PA DSS vs. PCI DSS: Understanding the Key Differences
In today’s world where more people shop online, ensuring that each transaction (and the payment application used) is secure and meets the requirements from the PCI Security Standards Council is a top priority for any business.
The Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA DSS) help businesses do just that — PCI DSS to secure the handling of cardholder data and PA DSS to ensure payment applications are built and implemented following specific PCI security standards.
When it comes to understanding the differences between PA DSS and PCI DSS, here’s what you need to remember:
- PCI DSS applies to all businesses that store, transmit, and process cardholder data or those businesses that can impact the security of cardholder data.
- PA DSS applies only to software vendors and those that develop payment applications.
Seems simple enough, right?
Like most PCI-related topics, fully understanding the differences between PA DSS vs. PCI DSS involves a bit more nuance, which we will explain below.
What is PCI DSS?
PCI DSS ensures businesses that store, process, or transmit cardholder data or can impact the security of cardholder data follow specific PCI DSS requirements to protect cardholder data.
Governed by the Payment Card Industry Security Standards Council (PCI SSC), the standard consists of 12 requirements to become PCI compliant.
Who does PCI DSS apply to?
PCI DSS applies to two types of businesses: merchants and service providers.
Merchants are businesses that accept payments for goods or services from any of the 5 PCI SSC card brands. Service providers are businesses that either have direct access to a cardholder data environment or can impact the security of an entity’s cardholder data environment.
Under PCI DSS, businesses can get a better understanding of their PCI DSS risk level by reviewing the categories defined based on the number of transactions they process in a given year.
There are four PCI compliance levels for merchants, with Level 1 requiring the most stringent reporting requirements and a full assessment by a QSA firm. Service providers have two compliance levels following the same format as merchants, with Level 1 requiring an external audit by a QSA firm.
The Ultimate Guide to PCI DSS
Learn everything you need to know about the requirements, process, and costs of getting PCI certified.
What is PA DSS?
PA DSS is the standard for software vendors to ensure that payment applications are tested, assessed, and validated. The goal of PA DSS is to require software vendors that build payment applications to meet PCI security standards and protect cardholder data to the fullest extent.
When payment applications are PA DSS compliant and implemented in a PCI DSS compliant environment, they can help minimize the potential for a data breach that could compromise cardholder data. Elements such as sensitive authentication data are required to never be stored within the payment application after authorization, including:
- Primary account number (PAN)
- Full track data
- Card verification codes and values
- PINs and PIN blocks
In order for a payment application to be considered PA DSS compliant, it must be assessed by a certified Payment Application Qualified Security Assessor (PA-QSA).
If the application is compliant, the PA-QSA will submit a Report on Validation (ROV) detailing their results and an Attestation of Validation (AOV). An ROV describes the scope of the assessment and each requirement, including auditor test details. The AOV would state if the payment application has been validated as compliant for PA DSS, proving that the software vendor adheres to the PA DSS requirements for securely managing cardholder data through its payment application.
Who does PA DSS apply to?
PA DSS applies to software vendors and businesses that develop payment applications that store, process, or transmit cardholder data.
The standard is required when payment applications are sold, distributed, and/or licensed to third parties. These payment applications are frequently installed “off the shelf” and do not require much customization by the software vendors themselves.
In other words, if you develop a payment application for use within your own business, that application would fall under PCI DSS.
PA DSS vs. PCI DSS: The main differences
Before we dig into the differences between PA DSS and PCI DSS, it’s important to understand how the two standards overlap.
PA DSS is one branch of the PCI Security Standards. A business that uses a PA DSS compliant payment application is not compliant with PCI DSS as a whole and would still need to adhere to the 12 PCI DSS requirements.
All businesses that store, transmit, or process cardholder data are considered in scope for PCI DSS — including business that use a PA DSS compliant payment application. PA DSS requires that software vendors develop an implementation guide that businesses must follow when implementing the payment application.
Below, we break down the main differences between the two standards.
| PA DSS | PCI DSS | |
|---|---|---|
| Definition | Global security standard created to ensure payment applications meet standards for secure handling of cardholder data and businesses implement payment applications securely | Compliance standard created to ensure cardholder data is secured when it’s stored, processed, and transmitted |
| Main goal | Provide cardholder data security requirements that software vendors need to adhere to when developing payment applications | Require business that store, process, transmit, or impact the security of cardholder data to adhere to specific security controls regarding protection of cardholder data |
| Who it applies to | Third-party software vendors and businesses that develop payment applications which store, process, or transmit cardholder data and are sold to third parties | Organizations that store, process, or transmit cardholder data or could impact the security of card transactions |
| Governed by | Payment Card Industry Security Standards Council (PCI SSC) | Payment Card Industry Security Standards Council (PCI SSC) |
| Validation process | Payment application must be audited and certified by a Payment Application Qualified Security Assessor (PA-QSA) | Businesses that must adhere to level 1 compliance will need an external audit performed by a PCI DSS QSA. Other businesses that do not require an external audit can validate with a self assessment questionnare |
What are the PA DSS requirements?
There are 14 PA DSS requirements that software developers must adhere to in order to create compliant payment applications.
- Do not retain full track data, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data
- Protect stored cardholder data
- Provide secure authentication features
- Log payment application activity
- Develop secure payment applications
- Protect wireless transmissions
- Test payment applications to address vulnerabilities and maintain payment application updates
- Facilitate secure network implementation
- Never store cardholder data on a server connected to the internet
- Facilitate secure remote access to payment application
- Encrypt sensitive traffic over public networks
- Encrypt all non-console administrative access
- Maintain a PA DSS Implementation Guide for customers, resellers, and integrators
- Assign PA DSS responsibilities for personnel, and maintain training programs for personnel, customers, resellers, and integrators
What are the PCI DSS requirements?
There are 12 PCI compliance requirements businesses must adhere to in order to be compliant with PCI DSS.
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Recommended reading
PCI Compliance Checklist: How to Achieve Compliance in 2022
The future of PA DSS and PCI DSS compliance
There are big changes on the horizon for both PA DSS and PCI DSS compliance.
The history of PCI has seen a variety of updates to keep up with the changing payment card industry landscape and address new and emerging security threats.
We dig into the changes coming to both standards below.
Upcoming changes to PCI DSS
The current version of PCI DSS (v3.2.1) will be phased out and replaced with PCI DSS v4.0 on March 31, 2024. Merchants and service providers will be required to comply with v4.0 by March 31, 2025.
This transition period allows businesses to become familiar with the new version and make the necessary adjustments.
Upcoming changes to PA DSS
The current PA DSS version (v3.2) will be retired and replaced with PCI Software Security Framework (SSF) in October 2022.
Submissions for new payment applications to be validated with PA DSS closed on June 30, 2021. From here on out, new payment applications can be validated by an SSF certified company listed on the PCI SSC website.
How Secureframe can help streamline PCI compliance
If you’re having trouble determining which standard to comply with or how to get started with your compliance process, we’re here to help.
Our team of PCI DSS experts can assist with whatever stage of PCI compliance your business is at.
Request a demo to find out how Secureframe can make compliance easier for your team today.