Frequently Asked Question
How does PA-DSS support a merchant’s PCI DSS compliance?
Use of a PA-DSS validated application does not by itself make an entity PCI DSS compliant, since that application must be implemented in a PCI DSS compliant environment and in accordance with the PA-DSS Implementation Guide provided by the payment application vendor.
PA-DSS applications are in scope for an entity’s PCI DSS assessment. The PCI DSS assessment should verify the PA-DSS validated payment application is properly configured and securely implemented per PCI DSS requirements. If the payment application has undergone any customization, a more in-depth review will be required during the PCI DSS assessment, as the application may no longer be representative of the version that was validated to PA-DSS.
Additionally, some payment brand rules may require the use of PA-DSS validated applications. Merchants should contact their acquirer or the payment brands directly to determine whether any such requirements apply to them. Payment brand contact details are provided in FAQ 1142.