Contact FortConsult if you wish to know:
- How to interpret the security requirements in PA DSS
- Whether you have the option of exemption from PA DSS certification
- How to be PA DSS validated in the quickest and most straightforward manner
- How you can minimise your costs in qualifying for PA DSS validation

We can also help you obtain PA DSS validation.
FortConsult is the only Danish enterprise which is certified by the credit card companies to both conduct audits and security scans of enterprises' critical payment systems in accordance with PCI DSS - and to check security in payment software in accordance with PA DSS.
Vendors that develop or install payment applications that process, store or transmit credit card data have to comply with the PA DSS. This includes vendors that develop IT systems whereby customers pay by credit card, irrespective of whether the credit card transaction is a major or a minor part of the system. Integrators who develop software for point of sales systems/cash tills or terminal vendors who develop payment terminals for shops are within the scope of the PA DSS.
 
In addition, business enterprises that develop and distribute, sell or give away software, which processes credit card data - e.g. for banks, ATMs and e-business software - come within the scope of PA DSS. Even if the software does not store - but simply processes - card data, it must still be PA DSS compliant.
 
Although an enterprise's software solution may already be approved by e.g. the acquiring bank in another context, it still has to be PA DSS validated.
 
Furthermore, enterprises that maintain and operate systems with payment software have to be PCI DSS validated because they handle credit card data in their operating environment. Read more about PCI DSS requirements concerning these business enterprises in the Data centres and PCI section.
 
Guide from the PCI Council
The following guide can be used to determine whether PA DSS applies to a given payment application.
 
Note: All validated payment application products must not be beta versions.
 
VALID
  • PA DSS does apply to payment applications that are typically sold and installed "off the shelf" without much customization by software vendors.
  • PA DSS does apply to payment applications provided in modules, which typically includes a "baseline" module and other modules specific to customer types or functions, or customized per customer request. PA DSS may only apply to the baseline module if that module is the only one performing payment functions (once confirmed by a PA QSA). If other modules also perform payment functions, PA DSS applies to those modules as well.
  • Note that it is considered a best practice for software vendors to isolate payment functions into a single or small number of baseline modules, reserving other modules for non-payment functions. This best practice (though not a requirement) can limit the number of modules subject to PA DSS.
 
NOT VALID
  • PA DSS does NOT apply to a payment application developed for and sold to only one customer since this application will be covered as part of the customer's normal PCI DSS compliance review. Note that such an application (which may be referred to as a "bespoke" application) is sold to only one customer (usually a large merchant or service provider), and it is designed and developed according to customer-provided specifications.
  • PA DSS does NOT apply to payment applications developed by merchants and service providers if used only in-house (not sold to a third party), since this in-house developed payment application would be covered as part of the merchant's or service provider's normal PCI DSS compliance.
 
For example, for the last two bullets above, whether the in-house developed or "bespoke" payment application stores prohibited sensitive authentication data or allows complex passwords would be covered as part of the merchant's or service provider's normal PCI DSS compliance efforts and would not require a separate PA DSS assessment.
 
PA DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third-parties.
 
Assistance from FortConsult
If you need assistance to ascertain whether your payment application comes within the scope of PA DSS, you are welcome to contact us. We have many years of experience of interpreting PCI DSS and are one of the first security enterprises in the world that has practical experience of PA DSS. We are able to help you to decide whether your applications have to be PA DSS validated and what the options are with regards to putting the payment application out of PA DSS scope, e.g. designing a technical solution which does not process, store or transmit card data.
 
You can read more about the security requirements in PA DSS in the following, as well as how to obtain PA DSS validation in the easiest possible manner.
 
- PCI DSS certified in 2004 to perform security scans as the first and only company in Scandinavia.
- PCI DSS certified in 2005 to conduct audits as the first and only company in Scandinavia.
- Chosen by the bank sector in Denmark to help all Danish bank data centres to acquire PCI DSS validation due to our early PCI DSS certification, our considerable experience in the PCI area and our extensive knowledge of the financial sector.
- Permanent PCI DSS service provider to all Danish banks needing PCI DSS assistance.
- Has carried out PCI DSS tasks at international level for some of the biggest retail chains in Scandinavia.
- Is today the leading PCI DSS service provider in Scandinavia and the Baltic. We have, for instance, certified more than 60 percent of the enterprises on VISA's list of validated Scandinavian service providers.
- PA DSS certified in 2008 as the first and only company in Denmark - and among the first 14 in the world.