...
This topic addresses the following questions:
- What are PCI DSS and PA-DSS Standards?
- Do I (merchant) need to be PCI DSS compliant?
- Do I need to be PCI DSS compliant, if I am using a PA-DSS compliant application?
- Does it make any difference if the payment application used by us (merchant) is PA-DSS compliant?
- What is the link between PCI DSS and PA-DSS requirements?
What are PCI DSS and PA-DSS Standards?
The Payment Card Industry Security Standards Council (PCI SSC) has defined the Payment Card Industry Data Security Standard (PCI DSS) for merchants, and the Payment Application Data Security Standard (PA-DSS) for software vendors that develop payment applications. Both standards are part of the same ecosystem that ensures the safe handling of payment information.
Do I (merchant) need to be PCI DSS compliant?
Yes, every merchant needs to be compliant with PCI DSS v3.0, regardless of transaction volume. The validation requirements, however, differ by transaction volume (as defined by the Merchant Bank). Visa has published this table mapping the PCI validation requirements to transaction volume:
...
Source: http://usa.visa.com/merchants/protect-your-business/cisp/merchant-pci-dss-compliance.jsp
Do I need to be PCI DSS compliant, if I am using a PA-DSS compliant application?
Yes. Using a payment application that is PA-DSS compliant does not mean that the merchant is also PCI DSS compliant. It does, however, make the process of becoming PCI DSS compliant much easier. Since payment applications are developed to help merchants secure customers' cardholder data, they are built around the PCI DSS requirements. The best way to minimize and prevent the risk of a security breach is to run a PA-DSS compliant application within a PCI DSS compliant environment.
Does it make any difference if the payment application used by us (merchant) is PA-DSS compliant?
Yes, because the PA-DSS Standard was derived from the PCI DSS Standard to ensure that software vendors provide payment applications with all the features merchants need to build a PCI DSS compliant solution. The audit process therefore becomes much easier: simply by using a PA-DSS compliant payment application, many of the PCI DSS requirements are met directly and others are partially met. The merchant will still have to satisfy the requirements that are unrelated to the payment application, such as business process requirements.
What is the link between PCI DSS and PA-DSS requirements?
Here is the mapping of PCI DSS and PA-DSS requirements:
...