Is the application listed as an approved Payment Application Data Security Standard (PA-DSS) application?
Explanation
PA-DSS validation is the point of this question: it asks whether your application is officially listed as an approved Payment Application Data Security Standard solution.
PA-DSS is a set of requirements designed for software vendors who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement. These applications must be secure to prevent breaches of cardholder data.
Why this matters in a security assessment:
- If your application handles payment card data and is PA-DSS validated, it provides assurance that it was built following secure coding practices specific to payment processing.
- Using PA-DSS validated applications can simplify PCI DSS compliance for merchants and service providers.
- Non-validated applications may introduce security risks when handling payment card data.
The PCI Security Standards Council maintains a list of validated payment applications that have undergone rigorous security testing by a Payment Application Qualified Security Assessor (PA-QSA).
To best answer this question:
- Check if your application is listed on the PCI SSC website's list of validated payment applications
- If listed, provide the listing details including validation number and expiration date
- If not listed but handles payment data, explain your alternative compliance approach
- If your application doesn't process payment card data directly (uses a third-party processor instead), clarify this in your response
Guidance
Refer to PCI DSS Security Standards for supplemental guidance in this section
Example Responses
Example Response 1
Yes, our application 'SecurePay Gateway v4.2' is listed as an approved PA-DSS application It was validated by TrustSec QSA and appears on the PCI SSC list of validated payment applications with validation number PA-12345 The current validation expires on June 15, 2024 We maintain compliance through annual assessments and implement all required security updates to maintain our listing status.
Example Response 2
No, our application 'CloudCommerce Platform' is not listed as a PA-DSS validated application However, our solution does not store, process, or transmit cardholder data directly Instead, we integrate with Stripe's payment processing API, which is PCI DSS Level 1 compliant All payment data is collected directly by Stripe using their secure elements, ensuring cardholder data never touches our servers We maintain PCI DSS SAQ-A compliance for our integration approach.
Example Response 3
No, our application 'PaymentProcessor Pro' is not currently listed as an approved PA-DSS application, although it does process payment card data We have chosen to implement the PCI Software Security Framework (SSF) instead, which is the successor to PA-DSS We are currently working toward Secure Software validation under the SSF program, with an assessment scheduled for completion in Q3 of this year In the meantime, we follow all PCI DSS requirements and conduct regular penetration testing and code reviews to ensure the security of payment processing functions.
Context
- Tab
- Case-Specific
- Category
- Payment Card Industry Data Security Standard (PCI DSS)
Related questions
- Do you have a current, executed within the past year, Attestation of Compliance (AoC) or Report on Compliance (RoC)?
- Does the system or solutions use a third party to collect, store, process, or transmit cardholder (payment/credit/debt card) data?
- Do your systems or solutions store, process, or transmit cardholder (payment/credit/debt card) data?
- Are you compliant with the Payment Card Industry Data Security Standard (PCI DSS)?
- Are you classified as a service provider?
- Are you on the list of Visa approved service providers?

