Frequently Asked Question
For the list of Validated PA-DSS Applications, what is the difference between Revalidation Date and Expiry Date?
Expiry Date: Each application is given an expiry date, after which an assessment against the current version of PA-DSS is required in order to renew the application listing.
When a PA-DSS validated payment application has reached its expiry date, it is listed as acceptable only for pre-existing deployments, or in other words, for customers that have already purchased and deployed the product. Note that if the software vendor wishes to continue selling the application, the application must undergo a new PA-DSS assessment in order for the listing to be renewed. The PCI SSC encourages entities wishing to purchase a payment application to check the application’s expiry date as part of their purchasing due diligence process. Whether, and for how long, an entity is permitted to continue using an expired application that is only “acceptable for pre-existing deployments” is up to the individual payment brands and/or acquirers, and should be discussed with them.
Please refer to the PA-DSS Program Guide for more details on the Revalidation Date and Expiry Date. The PA-DSS Program Guide can be found at https://www.pcisecuritystandards.org/security_standards/documents.php
Featured FAQ Articles
Most Recently Updated
Is a QSA Employee that designs, develops, or implements specific controls for a customer also permitted to assess those same controls?
What impact does the inclusion of UnionPay in PCI DSS documents have on an entity’s PCI DSS assessment?
Can a PFI Company perform subsequent PFI investigations for the same entity?