The Payment Card Industry Data Security Standards (PCI DSS) are a set of requirements designed to minimize fraud and related risk by protecting sensitive cardholder information that is processed, stored and transmitted by merchants.
Compliance with the PCI DSS is an annual requirement for all merchants set by the card associations, including Visa®, Mastercard®, American Express®, and Discover®. The PCI DSS were designed to help protect business owners – and their customers – from the severe financial loss that is often associated with a data breach.
In addition to following the PCI DSS, software vendors and others who develop POS systems and applications that store, process or transmit cardholder data also need to follow the Payment Application Data Security Standards (PA-DSS).
The PCI DSS and PA-DSS work together to help protect sensitive cardholder information, along with the ISVs who embed payments into their software.
PCI PA-DSS vs PCI DSS
While the PA-DSS is mandatory for ISVs, compliance with it doesn't guarantee that they are fully protected. That's why it's a best practice to adopt a layered approach to payment security, which includes Tokenization, PCI-Validated Point-to-Point Encryption (P2PE) and EMV.
Tokenization and PCI-Validated P2PE protect sensitive cardholder data at rest and in transit. Both solutions eliminate the ISV’s PA-DSS scope while simultaneously reducing the merchant’s PCI scope, making compliance faster and easier.
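To make the scope-reduction argument concrete, here is an added example (not code from the original page or from any vendor it describes) of how tokenization keeps the primary account number (PAN) out of the merchant's and ISV's systems. The `TokenVault` class stands in for a hypothetical provider-side vault; the merchant-side code stores only a random token and the last four digits. The PAN `4111111111111111` is a constructed test value, not real card data.

```python
import re
import secrets
from dataclasses import dataclass, field

# A PAN is 13 to 19 digits; anything else is rejected before it is stored anywhere.
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: rejects malformed PANs before they reach the vault."""
    if not PAN_RE.match(pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


@dataclass
class TokenVault:
    """Hypothetical provider-side vault: the only place the clear PAN exists."""
    _store: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        """Return a random surrogate for the PAN and remember the mapping."""
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        # The token is random, so it cannot be reversed without the vault.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (the provider) can map a token back to the PAN."""
        return self._store[token]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant/ISV application is allowed to persist: no PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}


def contains_pan(record: dict, pan: str) -> bool:
    """Scope check: does any stored field contain the full PAN?"""
    return any(pan in str(value) for value in record.values())


if __name__ == "__main__":
    vault = TokenVault()                      # lives at the payment provider
    record = merchant_record(vault, "4111111111111111", 1999)  # merchant side
    print(record)                             # token + last4 only
    print("PAN in merchant record:", contains_pan(record, "4111111111111111"))
```

The merchant can still show "ending in 1111" on receipts and issue refunds against the token, but a breach of its database yields only tokens that are worthless without the provider's vault, which is why the cardholder-data environment shrinks.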
Another way to eliminate your PA-DSS scope is with Cloud EMV semi-integrated EMV payments. Semi-integration takes your application completely out of PA-DSS scope, since the ISV's software environment never actually handles sensitive cardholder data.