...

This topic addresses the following questions:

What are PCI DSS and PA-DSS Standards?

The Payment Card Industry Security Standards Council (PCI SSC) has defined the Payment Card Industry Data Security Standard (PCI DSS) for merchants, and the Payment Application Data Security Standard (PA-DSS) for software vendors that develop payment applications. Both standards are part of the same ecosystem, which ensures the safe handling of payment information.

Do I (merchant) need to be PCI DSS compliant?

Yes, every merchant needs to be compliant with PCI DSS v3.0, regardless of transaction volume. However, the validation requirements differ based on transaction volume (as defined by the Merchant Bank). Visa has published the following table, which maps the PCI validation requirements to transaction volume:

...


Source: http://usa.visa.com/merchants/protect-your-business/cisp/merchant-pci-dss-compliance.jsp 
Do I need to be PCI DSS compliant, if I am using a PA-DSS compliant application?

Yes. Using a payment application that is PA-DSS compliant does not by itself make a merchant PCI DSS compliant, although it makes the process of becoming PCI DSS compliant much easier. Because payment applications are built to secure customers' cardholder data on behalf of merchants, they are developed against the PCI DSS requirements. The best way to minimize and prevent the risk of a security breach is to run a PA-DSS compliant application within a PCI DSS compliant environment.
Does it make any difference if the payment application used by us (merchant) is PA-DSS compliant?

Yes, because the PA-DSS requirements were derived from the PCI DSS requirements to ensure that software vendors deliver payment applications with all the features a merchant needs to build a PCI DSS compliant solution. The audit process therefore becomes much easier: simply by using a PA-DSS compliant payment application, many PCI DSS requirements are met directly and others are partially met. The merchant must still satisfy the requirements that are unrelated to the payment application itself, such as business process requirements.
What is the link between PCI DSS and PA-DSS requirements?

Here is the mapping of PCI DSS and PA-DSS requirements:

...