The PCI Security Standards Council, a global, open-industry standards body, has adopted the Payment Application Data Security Standard (PA-DSS), formerly known as the "Payment Application Best Practice" (PABP), which will include a list of all validated payment applications. This list will enable Acquirers and merchants to identify the payment applications that are compliant with the PA-DSS (PABP).
Visa Canada has implemented mandates to help eliminate the use of vulnerable payment applications from the Visa payment system. These mandates require "newly boarded" merchants to use payment applications that adhere to the PA-DSS:
PA-DSS applies to software vendors who develop payment applications that store, process or transmit cardholder data as part of authorization or settlement. In addition, PA-DSS requirements apply to payment applications that are sold, distributed or licenced to third parties. Examples of applicable payment applications include, but are not limited to, POS software, eCommerce shopping carts and web-based payment applications. PA-DSS does not apply to payment applications developed by merchants and agents if used only in-house (not sold to a third party). PA-DSS also does not apply to stand-alone POS terminals.
Payment application compliance with PA-DSS is based on an evaluation of the application by a Payment Application – Qualified Security Assessor ("PA-QSA").
To view the current list of PA-DSS validated payment applications, click here.
Visa does not perform any tests or analysis of the functionality, performance or suitability of any of the payment applications listed. Visa also does not endorse or recommend any of the listed payment applications or their respective developers or distributors. Furthermore, Visa makes no warranties, guarantees or representations that any of the applications will meet any requirements for performance or functionality, that the applications will be free from errors or malicious code, or that the payment applications will be compatible with any other systems or applications. Any and all representations or warranties, including any and all representations and warranties made by the payment application vendor, are disclaimed by Visa.
The information provided herein is provided "as is" with no warranties, expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose and/or non-infringement. The information provided herein is subject to change by Visa, with or without notice. Although Visa makes good-faith efforts to provide accurate and complete information, merchants or anyone else utilizing the information set forth in the List of Validated Payment Applications remain responsible for confirming the accuracy of such information, including, but not limited to, confirming with the appropriate payment application vendor that the version of the application identified below is in compliance with PA-DSS. Use of any one or more of the applications below: (i) does not guarantee or ensure compliance with the PCI-DSS; and (ii) does not satisfy any Acquirers' obligations to perform their own evaluation and due diligence, to ensure the PCI-DSS compliance of their merchants and agents.