PCI-DSS and PA-DSS are standards set for companies to protect their credit card information and enhance security in their payment systems.
They are both created and enforced by the Payment Card Industry Security Standards Council or PCI-SSC. The council is in charge of maintaining and updating the payment card industry guidelines throughout the years.
They also provide a framework for organizations to follow to protect their digital data during the payment process.
What is PCI-DSS?
Payment Card Industry Data Security Standard, or PCI-DSS, is the primary compliance standard in the business industry. It refers to several requirements created for companies to protect their customer’s debit or credit card information.
While businesses are not mandated by any law or regulatory body to comply with PCI-DSS, major card companies require its use from merchants who would process credit card transactions.
There are four total levels of PCI-DSS compliance. Your level depends on the number of transactions you have processed in a year.
Levels may also slightly differ by the credit card company you use. Though, assessment requirements for each company from any level should be performed.
Although all businesses are required to have an annual assessment, who performs the assessment and how detailed it would be is determined by business-level classification.
What is PA-DSS?
PA-DSS refers to Payment Application Data Security Standard. This applies to software-making companies that develop payment applications that store, process, and transmit cardholder data or sensitive authentication data.
The goal of this is to help companies build secure payment applications that don’t store prohibited data, such as full magnetic stripe, PIN data, or CVV2. It also ensures that every business’ payment applications support compliance with the PCI-DSS.
PA-DSS compliance is needed by payment systems that are sold, shared, or licensed to third parties. In-house payment applications developed by service providers that are not sold to a third party, on the other hand, are not subject to PA-DSS requirements. Still, they should be secured under PA-DSS.
What applies to your business?
PCI-DSS applies to all businesses that store, process, or transmit their customer’s credit card information. PA-DSS on the other hand applies to businesses that produce, and sell payment applications for use by others.
In short, every organization that handles credit cards needs to comply with PCI DSS and only vendors that make and sell payment applications need to meet the requirements for PA DSS.