| Payment Application Data Security Standards | |
|---|---|
| CITATION | PA DSS |
| ENACTED | Released April 15, 2008 and since amended. |
| SUMMARY | The PA DSS is derived from the Payment Card Industry Council, an organization comprised of the major card brands, to provide consistent and self-regulated data security for cardholder data processing. It applies to software vendors and others who develop applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed or licensed to third parties. Use of PA DSS compliant technology does not automatically make an entity PCI DSS compliant, since the application must be implemented in a PCI DSS compliant environment and according to the PA DSS Standards. |
| DATA COVERED | Account data that consists of Cardholder Data plus Sensitive Authentication Data. Cardholder Data includes: (1) Primary Account Number; (2) Cardholder Name; (3) Expiration Date; and (4) Service Code. Sensitive Authentication Data includes: (1) Full magnetic stripe data or equivalent on a chip; (2) CAV2/CVC2/CVV2/CID; and (3) PINs/PIN blocks. |
| INDUSTRY | Merchants, vendors, developers and others who process credit card data. |
| PENALTIES | Fines and penalties are developed by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc. Penalties include warnings, fines and the potential loss of ability to process cards. Penalties can range from five thousand dollars ($5,000) to one hundred thousand dollars ($100,000) per month. |