About PA-DSS (Payment Application Data Security Standard)
PA-DSS is the council-managed program that succeeded the Visa Inc. program known as the Payment Application Best Practices (PABP). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe data, CVV2 or PIN, and that support their customers' compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to PA-DSS requirements. In-house payment applications developed by merchants or service providers and not sold to a third party are not subject to PA-DSS requirements, but must still be secured in accordance with the PCI DSS.
Why is PA-DSS Compliance important?
PA-DSS certified applications help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data, and support overall compliance with the PCI DSS. PA-DSS applies only to third-party payment application software that stores, processes or transmits cardholder data as part of an authorization or settlement. PA-DSS does not apply to software applications developed by merchants and agents for in-house use only. These in-house software applications are covered within a merchant or agent’s PCI DSS assessment. k-eCommerce Credit Card Extension is a validated payment application.
About Visa Security Mandates
Visa developed the Payment Application Best Practices (PABP) specifications as part of the CISP / PCI compliance program. The program assists software vendors in creating secure payment applications that help merchants and agents mitigate security compromises, prevent storage of sensitive cardholder data that might otherwise be exposed to unauthorized access, and support compliance with the PCI Data Security Standard (PCI-DSS).
Starting October 1, 2008, Visa began requiring their merchants who use payment application software to adhere to Visa's Payment Application Best Practices (PABP).
PABP requirements for merchant accounts
Merchant account providers will not issue merchant accounts to any company using application software that is not PABP certified. Companies that use an uncertified credit card processing solution may be unable to get a merchant account or may be forced to pay higher rates.
PCI requirements for merchants
Every merchant falls into one of four merchant levels. The levels are based on the number of Visa transactions a merchant processes over a period of 12 months. Refer to the chart below to determine which level your business falls into.
Merchant PCI requirements
PCI Compliance is no longer an optional feature for businesses accepting credit card payments. All merchants must be PCI compliant or risk being subject to hefty fines.
| Level | Merchant Criteria | Validation Action |
|---|---|---|
| Level 1 | More than 6,000,000 yearly transactions | Annual Report on Compliance, quarterly network scan and completion of Compliance Form |
| Level 2 | 150,000 - 6,000,000 yearly transactions | Annual self-assessment questionnaire, quarterly network scan and completion of Compliance Form |
| Level 3 | 20,000 - 150,000 yearly transactions | Annual self-assessment questionnaire, quarterly network scan and completion of Compliance Form |
| Level 4 | Less than 20,000 yearly transactions | Quarterly network scan if applicable, annual self-assessment questionnaire recommended and compliance validation requirements as set by acquirer |
PCI Compliance: Credit Card Extension
k-eCommerce Credit Card Extension is PA-DSS certified and integrates with multiple gateways to provide reliable service for credit card processing within Microsoft Dynamics GP.