Frequently Asked Question
For the list of Validated PA-DSS Applications, what is the difference between Revalidation Date and Expiry Date?
Revalidation Date: Annually, the software vendor is required to revalidate by completing Part 3b of the Attestation of Validation form, confirming that no changes have been made to the application version listed as a Validated Payment Application. The vendor submits the Attestation form and revalidation fees to the PCI Security Standards Council (PCI SSC) prior to the listed Revalidation Date. If there is a new or changed version of the application that the vendor wants listed, the vendor goes through the process for either a Major Update (new PA-DSS assessment) or Minor Update (Change Analysis). Please refer to the PA-DSS Program Guide for more details on the Revalidation Date. The Program Guide and the Attestation of Validation form can be found at https://www.pcisecuritystandards.org/security_standards/documents.php
Expiry Date: Each application is given an expiry date, after which an assessment against the current version of PA-DSS is required in order to renew the application listing.
When a PA-DSS validated payment application has reached its expiry date, it is listed as acceptable only for pre-existing deployments, or in other words, for customers that have already purchased and deployed the product. Note that if the software vendor wishes to continue selling the application, the application must undergo a new PA-DSS assessment in order for the listing to be renewed. The PCI SSC encourages entities wishing to purchase a payment application to check the application's expiry date as part of their purchasing due diligence process. Whether, and for how long, an entity is permitted to continue using an expired application that is only "acceptable for pre-existing deployments" is up to the individual payment brands and/or acquirers, and should be discussed with them.
Please refer to the PA-DSS Program Guide for more details on the Revalidation Date and Expiry Date. The PA-DSS Program Guide can be found at https://www.pcisecuritystandards.org/security_standards/documents.php
Expiry Date: Each application is given an expiry date, after which an assessment against the current version of PA-DSS is required in order to renew the application listing.
When a PA-DSS validated payment application has reached its expiry date, it is listed as acceptable only for pre-existing deployments, or in other words, for customers that have already purchased and deployed the product. Note that if the software vendor wishes to continue selling the application, the application must undergo a new PA-DSS assessment in order for the listing to be renewed. The PCI SSC encourages entities wishing to purchase a payment application to check the application's expiry date as part of their purchasing due diligence process. Whether, and for how long, an entity is permitted to continue using an expired application that is only "acceptable for pre-existing deployments" is up to the individual payment brands and/or acquirers, and should be discussed with them.
Please refer to the PA-DSS Program Guide for more details on the Revalidation Date and Expiry Date. The PA-DSS Program Guide can be found at https://www.pcisecuritystandards.org/security_standards/documents.php
Originally published: November 2012
Article Number: 1174
Related
-
What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
-
Does PCI SSC consider guidance from other standards organizations when making updates to PCI standards?
-
If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?
Featured FAQ Articles
Featured
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Is the PCI DSS Attestation of Compliance intended to be shared?
-
How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date?
-
Where do I direct questions about complying with PCI standards?
-
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Most Popular
-
What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
-
Does PCI SSC consider guidance from other standards organizations when making updates to PCI standards?
-
If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Can a compensating control be used for requirements with a periodic or defined frequency, where an entity did not perform the activity within the required timeframe?
Most Recently Updated
-
How does encrypted cardholder data impact PCI DSS scope for third-party service providers?
-
Does PCI SSC provide a list of PCI DSS-compliant third-party service providers?
-
How does encrypted cardholder data impact PCI DSS scope?
-
What effect does the use of a PCI-listed P2PE solution have on a merchant's PCI DSS validation?
-
Are Mobile Payments on COTS (MPoC)™ solutions, Software-based PIN Entry on COTS (SPoC)™ solutions, or Contactless Payments on COTS (CPoC™) solutions eligible for a P2PE Solution approval?