PCID-02

Is the application listed as an approved Payment Application Data Security Standard (PA-DSS) application?

Explanation

This question is asking whether your application has been officially validated and listed as compliant with the Payment Application Data Security Standard (PA-DSS). PA-DSS is a set of requirements designed for software vendors who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement. These applications must be secure to prevent breaches of cardholder data.

Why this matters in a security assessment:

1. If your application handles payment card data and is PA-DSS validated, it provides assurance that it was built following secure coding practices specific to payment processing.
2. Using PA-DSS validated applications can simplify PCI DSS compliance for merchants and service providers.
3. Non-validated applications may introduce security risks when handling payment card data.

The PCI Security Standards Council maintains a list of validated payment applications that have undergone rigorous security testing by a Payment Application Qualified Security Assessor (PA-QSA).

To best answer this question:

- Check if your application is listed on the PCI SSC website's list of validated payment applications
- If listed, provide the listing details including validation number and expiration date
- If not listed but handles payment data, explain your alternative compliance approach
- If your application doesn't process payment card data directly (uses a third-party processor instead), clarify this in your response

Guidance

Refer to the PCI DSS Security Standards for supplemental guidance in this section.

Example Responses

Example Response 1

Yes, our application 'SecurePay Gateway v4.2' is listed as an approved PA-DSS application. It was validated by TrustSec QSA and appears on the PCI SSC list of validated payment applications with validation number PA-12345. The current validation expires on June 15, 2024. We maintain compliance through annual assessments and implement all required security updates to maintain our listing status.

Example Response 2

No, our application 'CloudCommerce Platform' is not listed as a PA-DSS validated application. However, our solution does not store, process, or transmit cardholder data directly. Instead, we integrate with Stripe's payment processing API, which is PCI DSS Level 1 compliant. All payment data is collected directly by Stripe using their secure elements, ensuring cardholder data never touches our servers. We maintain PCI DSS SAQ-A compliance for our integration approach.

Example Response 3

No, our application 'PaymentProcessor Pro' is not currently listed as an approved PA-DSS application, although it does process payment card data. We have chosen to implement the PCI Software Security Framework (SSF) instead, which is the successor to PA-DSS. We are currently working toward Secure Software validation under the SSF program, with an assessment scheduled for completion in Q3 of this year. In the meantime, we follow all PCI DSS requirements and conduct regular penetration testing and code reviews to ensure the security of payment processing functions.

Context

Tab: Case-Specific
Category: Payment Card Industry Data Security Standard (PCI DSS)

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub