- To eliminate the use of payment applications that are known to be vulnerable to attack or that store prohibited data like the security codes or PINs; and
- To require merchants who use third party payment applications to use only PA-DSS applications.
I'm sometimes asked if using a PA-DSS application makes a school PCI compliant. The answer is a firm NO, but it can help if you do it right. First, your PA-DSS app has to be installed according to the vendor's Implementation Guide (you asked to see a copy before you signed up, right? We could have a major discussion on that one), and it has to be installed in a PCI compliant environment. Then the best you can say is that the PA-DSS app won't be the cause of your being non-compliant. In other words, PA-DSS apps can simplify your compliance effort considerably, but they are not a panacea.
This FAQ is intended for you. There is nothing particularly new, but it is a good reminder of some important upcoming dates you need to be aware of. This is just one of the topics we'll be discussing at the upcoming Treasury Institute PCI Workshop in Long Beach this January. I hope you will be able to join me there.