To comply with card scheme mandates, payment applications sold, distributed or licenced to multiple merchants must be secure and validated PA-DSS applications that can be implemented in a PCI DSS compliant manner in order to facilitate a merchant’s PCI Data Security Standard (DSS) assessment.
If your application is designed to process, store or transmit cardholder data as part of authorisation and/or settlement and is sold/distributed/licenced to third parties, the application may be eligible for PA-DSS. The card schemes can also mandate the validation of payment software under PA-DSS.
The PA-DSS program requires a Payment Application – Qualified Security Assessor (PA-QSA) to perform the testing procedures set out in the PA-DSS to assess and validate the compliance of eligible payment applications with the PA-DSS requirements.
A payment application validated as compliant by a PA-QSA may then have the Report on Validation (RoV) and associated Attestation on Validation (AOV) submitted to and accepted by the PCI SSC for listing as a validated Payment Application on the PCI Security Standards website.
All listed validated payment applications must be revalidated annually, and a partial or full re-assessment is required if a listed payment application is updated and changed.
Sysnet is a PCI PA-DSS Qualified Security Assessor Company (QSAC) with extensive experience in delivering advice for development, remediation and assessment for PA-DSS eligible applications.
With PA-QSAs located across the globe, we are able to work with software vendors of all types and sizes to ensure your application achieves PA-DSS compliance and that compliance can be sustained.