For developers, vendors, and retailers that build or run payment application software, compliance with the PA-DSS, and now with the PCI Software Security Framework (SSF), is critical to keeping cardholder data safe as those applications process it. So, what are the PA-DSS listing expiry dates, and how do they affect your business operations? Read on to learn more.
How do the PA-DSS Expiry Dates Impact Your Business?
Over the years, the PCI Security Standards Council (SSC) has released several versions of the PA-DSS. The PCI SSF has since replaced it as the standard for securing payment application software. After providing an overview of the PA-DSS, this blog will outline the PA-DSS listing expiry dates across:
- PA-DSS v3.2
- PA-DSS v3.1
- PA-DSS v3.0
- PA-DSS v2.0
- PA-DSS v1.x (v1.1 through v1.2.1)
Compliance with the requirements listed in the PCI SSF will safeguard sensitive PCI data from data breach risks, especially when guided by a PCI compliance advisor.
What is the PA-DSS?
The Payment Application Data Security Standard (PA-DSS) helps vendors of payment applications secure the cardholder data (CHD) processed by those applications.
The PA-DSS Requirements are derived from those in the Payment Card Industry Data Security Standard (PCI DSS) and apply to vendors whose payment applications, sold or distributed to third parties, store, process, or transmit CHD and sensitive authentication data (SAD).
PA-DSS compliance is mostly applicable to vendors or developers of payment applications who may not be required to comply with the PCI DSS.
However, compliance with the PA-DSS positions these organizations to align with the PCI DSS Requirements and minimizes the risks of data breaches to CHD and SAD. Notably, the PA-DSS does not apply to payment applications developed for sole use by a single customer or those developed for in-house use.
PA-DSS v3.2, released in March 2016 and effective in June of the same year, was the final PA-DSS version before the program transitioned to the PCI SSF.
Some of the major changes from PA-DSS v3.1 to v3.2 included updates to:
- Primary account number (PAN) security, with more guidance on PAN masking best practices
- Installation of security patches and updates
- Handling of debugging logs used for troubleshooting
- Multi-factor authentication requirements for personnel with non-console administrative access
Although the PA-DSS v3.2 provided robust payment application security, there was still a need to meet the security demands of evolving technologies in the software application space. To meet these needs, the PCI SSF was developed.
When Was the PA-DSS V3.2 Expiry Date?
For v3.2, the PA-DSS listing expiry date was the end of October 2022, which was also the date the PA-DSS program itself was retired in favor of the PCI SSF.
Prior to this date, existing PA-DSS listings remained valid to minimize business disruption and to give vendors, developers, and merchants time to transition to the PCI SSF.
PA-DSS v3.1, released in March 2015 and effective in June of the same year, was a minor update replacing PA-DSS v3.0. The transition from v3.0 to v3.1 included changes such as:
- Additional guidance on how cryptographic keys themselves must be protected (e.g., encrypted with a key-encrypting key)
- Removal of SSL and early TLS from the examples of strong cryptography
- Clarification that the financial institutions referred to in the standard are acquirers and issuers
When Was the PA-DSS V3.1 Expiry Date?
The PA-DSS listing expiry date for v3.1 was at the end of October 2019.
PA-DSS v3.0, released in November 2013, was a major update from v2.0.
Some of the changes from PA-DSS v2.0 to v3.0 included:
- Clarification that PA-DSS applications are in scope for PCI DSS assessments
- Aligned PA-DSS requirements with those of the PCI DSS framework
- Updated requirements for password use and cryptographic algorithms
- Added security reviews in the development of application software
- Added requirement for software application vendors to include release notes in application updates
Compared to the version changes from v3.0 to v3.1 and from v3.1 to v3.2, the v2.0 to v3.0 changes were significant and improved the overall security of payment applications.
When Was the PA-DSS V3.0 Expiry Date?
The PA-DSS listing expiry date for v3.0 was also in October 2019.
Like the later transition from v2.0 to v3.0, the release of v2.0 brought significant updates over v1.2.1. The changes from PA-DSS v1.2.1 to v2.0 included clarification that:
- The PA-DSS does not apply to applications developed and sold to a single customer for its sole use
- The presence of the primary account number (PAN) is what determines whether an application falls within the scope of the PA-DSS
When Was the PA-DSS V2.0 Expiry Date?
The PA-DSS v2.0 listings expired in October 2016, close to six years after the version was released in October 2010. Before v2.0, the PCI SSC had revised the PA-DSS in 2008 (v1.1 and v1.2) and 2009 (v1.2.1).
As the original version of the PA-DSS, v1.1 was released in 2008.
At the time of its release, PA-DSS v1.1 was meant to help software vendors and other entities secure the sensitive data processed by the applications they developed. Derived from the PCI DSS Requirements, the PA-DSS v1.1 Requirements helped these organizations to:
- Safeguard CHD during processing and storage
- Track the activity of processes within payment applications
- Protect the transmission of CHD
- Identify vulnerabilities to payment applications
- Securely update payment applications remotely
- Manage access to sensitive data environments
- Keep the networks that transmit CHD secure
Overall, the PA-DSS evolved over time, with each version improving data security and reducing the risks to payment applications handling CHD and SAD, while its structure and core requirements remained largely the same.
When Was the PA-DSS V1.x Expiry Date?
The v1.x listings expired in October 2013. PA-DSS v1.1 itself had been superseded well before then, first by v1.2 and v1.2.1 and then by v2.0 in 2010.
The Importance of PCI SSF
As the replacement for the PA-DSS, the PCI SSF is critical to keeping sensitive data safe as it is collected, processed, stored, or transmitted by payment applications. Although the PCI SSF carries over many of its requirements from the PA-DSS, it significantly changes how payment application developers, vendors, and businesses are expected to safeguard CHD and SAD.
Most importantly, the PCI SSF helps these organizations strengthen the security controls they currently implement across software assets and ensures these controls meet the minimum standards recognized by the card payment industry. Compliance with the PCI SSF will help you:
- Optimize security controls across the software assets that handle CHD and SAD
- Secure a wider range of payment application software assets
- Improve the speed and efficiency of secure software development processes
- Enable the secure customization of payment application software
- Invest in newer software technologies to meet your customers’ needs
- Find PCI-approved software and vendors
Becoming and remaining compliant with the PCI SSF starts with identifying software assets within PCI scope. With the help of a trusted and experienced PCI compliance specialist, you can then implement recommended PCI SSF controls to secure these assets.
With the PA-DSS listing expiry dates listed above, you may be wondering how to transition to the latest version of the PCI SSF to benefit from its protection for your payment application software. Partnering with a PCI compliance advisor like RSI Security will help you get started with meeting the PCI SSF requirements.
Contact RSI Security today to learn more!