The requirements for the Payment Application Data Security Standard (PA-DSS) are derived from the Payment Card Industry Data Security Standard (PCI DSS). This document details what is required for a Merchant to be PCI-DSS compliant (and therefore what a payment application must support to facilitate a Merchant's PCI-DSS compliance). Traditional PCI-DSS compliance may not apply to payment application vendors since most vendors do not store, process, or transmit cardholder data. However, because these payment applications are used by Merchants to store, process, and transmit cardholder data, and Merchants are required to be PCI-DSS compliant, payment applications should facilitate, and not prevent, Merchants' PCI-DSS compliance.
Just a few of the ways payment applications can prevent a Merchant's compliance are:
- Storage of magnetic stripe data in the merchant's network after authorization;
- Applications that require Merchants to disable other features required by PCI-DSS, such as anti-virus software or firewalls; and
- Vendors that use unsecured methods to connect to the application to provide support to the Merchant.