Frequently Asked Question
Are applications listed as Acceptable only for Pre-existing Deployments able to meet the current PA-DSS and PCI DSS?
Payment applications that are listed as Acceptable only for Pre-existing Deployments have previously been validated as meeting PA-DSS, but that validation is no longer current. This may be because the validation was to an expired version of PA-DSS, or because the application vendor has chosen not to meet, or does not meet, the annual revalidation requirements.
Applications listed as Acceptable only for Pre-existing Deployments could still be capable of meeting the current version of PA-DSS; however, this is not assured and should not be assumed. If a previously validated payment application no longer meets the current version of PA-DSS, it is also likely that it cannot meet the current version of PCI DSS, and entities using the application may need to implement additional security controls as part of their PCI DSS implementation. As an example, an application validated to PA-DSS v2.0 could be transmitting cardholder data using an encryption protocol that is no longer considered strong cryptography. In this scenario, the application would not meet the current version of PA-DSS and would not be sufficient to meet PCI DSS Requirement 4.1. Entities using the application will need to implement additional and/or alternative controls to secure any cardholder data sent by the application over public or untrusted networks.
Entities using PA-DSS validated payment applications should be familiar with the Implementation Guide provided by the vendor for their application. The Implementation Guide contains information about the application's configuration and security settings, and also identifies which protocols are used by the application. This information may help the entity determine whether the application continues to meet their security needs and whether it supports the current version of PCI DSS.
If the application no longer meets current PA-DSS requirements, but is still supported by the vendor, entities are encouraged to contact the vendor to determine if an update is available.