
Payment Applications
Visa developed the Payment Application Best Practices (PABP) to assist software vendors in creating secure payment applications that help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data (i.e. full magnetic stripe data, CVV, CVV2 or PIN data) and support overall compliance with the PCI Data Security Standard (PCI DSS).
Payment Application Security
Payment applications must not retain full magnetic stripe data, CVV, CVV2 or PIN data and must support merchants' and agents' ability to comply with the PCI DSS. Merchants and agents using vulnerable payment applications are at heightened risk of compromise.
The PCI Security Standards Council (PCI SSC) has adopted Visa’s PABP and released the standard as the Payment Application Data Security Standard (PA-DSS) in April 2008. Visa strongly encourages payment application vendors to validate the conformance of their products to the PA-DSS. Acquirers should insist that their merchants and agents use PA-DSS compliant applications and upgrade or patch applications that cause the storage of sensitive cardholder data.
To locate a PABP-validated payment application, download the Validated Payment Applications (PDF, 468k).
PABP scope
The PABP applies to software vendors who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement. Examples of applicable payment applications include but are not limited to POS software, e-commerce shopping carts, and web-based payment applications. PABP does not apply to payment applications developed by merchants and agents if used only in-house (not sold to a third party). PABP also does not apply to standalone POS terminals. Standalone POS terminals are out of scope only if all of the following are true:
- The terminal has no connections to any of the merchant’s systems or networks
- The terminal connects to the acquirer or processor
- The terminal vendor provides secure remote access, updates, maintenance and troubleshooting
- The following are never stored post authorization: the full contents from the magnetic stripe (that is on the back of a card, in a chip, or elsewhere), CVV, CVV2, PIN or encrypted PIN block
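As an added example that is not part of the Visa page or any PA-QSA assessment tool, the following Python check scans an application's logs or stored data for the elements listed above that must never be kept after authorization (Track 1/Track 2 magnetic stripe data, CVV2, PIN block). The field names `cvv2` and `pinblock` and the sample log are assumptions; the track layouts follow ISO/IEC 7813.

```python
import re

# Patterns for the elements the page says must never be retained after
# authorization. Track 1/2 layouts follow ISO/IEC 7813; the cvv2/pin_block
# field names are assumptions about how an application might log them.
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^(\d{4})(\d{3})[^?]*\?")
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
CVV2 = re.compile(r"\b(?:cvv2?|cvc2?|cid)\b\W{0,3}(\d{3,4})\b", re.IGNORECASE)
PIN_BLOCK = re.compile(r"\bpin[_ ]?block\b\W{0,3}([0-9A-Fa-f]{16})\b", re.IGNORECASE)

def luhn_ok(pan: str) -> bool:
    """Luhn check so random digit runs are not reported as track data."""
    digits = [int(c) for c in reversed(pan)]
    plain = sum(digits[0::2])
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (plain + doubled) % 10 == 0

def mask(pan: str) -> str:
    """Report only first six / last four so the finding does not copy the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_sad(text: str) -> list:
    """Return (line_no, element, evidence) for each SAD element found in text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in TRACK1.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((n, "track1", mask(m.group(1))))
        for m in TRACK2.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((n, "track2", mask(m.group(1))))
        if CVV2.search(line):
            findings.append((n, "cvv2", "present"))
        if PIN_BLOCK.search(line):
            findings.append((n, "pin_block", "present"))
    return findings

# Constructed sample log. 4111111111111111 is a public test PAN, not a real card;
# line 1 is what a compliant application keeps, lines 2-4 are violations.
SAMPLE_LOG = """\
2008-03-01 auth ok pan=411111******1111 exp=1012 amount=42.00
2008-03-01 debug raw=;4111111111111111=10121011234567890?
2008-03-01 debug req cvv2=123 cardholder=J DOE
2008-03-01 debug pinblock=0123456789ABCDEF
"""

if __name__ == "__main__":
    for line_no, element, evidence in find_sad(SAMPLE_LOG):
        print(f"line {line_no}: stored {element} ({evidence})")
```

A clean run over post-authorization storage returns an empty list; any finding is a PABP/PA-DSS violation to be remediated in the application, not just purged from the data.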
Payment Application Security Mandates
Beginning January 1, 2008, Visa implemented a series of mandates to eliminate the use of vulnerable payment applications from the Visa payment system. These mandates require acquirers to ensure that their merchants and agents do not use payment applications known to retain sensitive cardholder data elements (i.e. full magnetic stripe data, CVV, CVV2 or PIN data) and require the use of payment applications that adhere to the PA-DSS.
Each of the five mandates, which take effect over the following three years, is outlined below.
| Phase | Compliance Mandate | Effective Date |
|---|---|---|
| I | Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications | 1/1/08 |
| II | VNPs and agents must only certify new payment applications to their platforms that are PA-DSS-compliant | 7/1/08 |
| III | Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS-compliant applications* | 10/1/08 |
| IV | VNPs and agents must decertify all vulnerable payment applications** | 10/1/09 |
| V | Acquirers must ensure their merchants, VNPs and agents use only PA compliant applications*** | 7/1/10 |
** VisaNet Processors (VNPs) and agents must decertify vulnerable payment applications within 12 months of identification
*** Date is aligned with TDES mandate for all POS PEDs to support TDES and be Visa-Approved/Lab-Evaluated
Validation procedures and documentation
Software vendors seeking to validate their payment applications must engage a PA-QSA qualified by the PCI-SSC to perform payment application assessments. Compliance validation takes place at the software vendor's expense.
The assessment must be completed according to the Payment Application Best Practices document. This document is also to be used as the template for the Report on Validation to be submitted to Visa.
The Confirmation of Report Accuracy (for Payment Application Companies) must be completed by all payment application vendors validating compliance and their assessor and submitted to Visa.
Download Payment Application Best Practices (DOC, 334k).
Download Confirmation of Report Accuracy (Payment Application Companies) (DOC, 123k).
Visa does not require re-validation for previously validated product versions if no changes were made to the validated payment application version. However, Visa will require a Confirmation of Report Accuracy from the software vendor prior to the expiration date (one year from the validation date) indicating that no changes were made to the validated payment application. If changes were made to a previously validated payment application version but these changes do not impact the compliance of any of the PABP requirements, Visa will require the software vendor to submit a description of each change in addition to a Confirmation of Report Accuracy indicating so. For any version upgrades, Visa will require a completely new and separate PABP validation performed by a QPASP in order to be listed on the PABP-validated payment application list.
PABP-validated List
The payment applications on the following List of Validated Payment Applications have been assessed for compliance with the Payment Application Best Practices ("PABP"). Only those versions of the application identified in the listing below have been evaluated and determined to comply with PABP. Compliance with the PABP is determined based upon data and information developed by an evaluation of the application by a Qualified Payment Application Security Company ("QPASC"). Although Visa reviews the QPASC-developed data and information, Visa does not independently confirm such data or information, nor does Visa perform any tests or analysis of the functionality, performance or suitability of any of the applications and/or products listed. Visa makes no endorsement or recommendation of applications or products, or of their respective developers or distributors. Furthermore, Visa makes no warranties, guarantees or representations that any of the applications or products will meet your requirements for performance or functionality, that the applications or products will be free from errors or malicious code, or that the applications or products will be compatible with any other systems or applications. Any and all representations or warranties, including any and all representations and warranties made by the payment application vendor, are disclaimed by Visa.
The information provided herein is provided "as is" with no warranties, expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose and/or non-infringement. The information provided herein is subject to change by Visa, with or without notice. Although Visa makes good faith efforts to provide accurate and complete information, merchants, or anyone else utilizing the information set forth on the following List of Validated Payment Applications remain responsible for confirming the accuracy of the information set forth below, including but not limited to, confirming with the appropriate payment application vendor that the version of the application identified below is in compliance with PABP. Use of any one or more of the applications below (i) does not guarantee or ensure compliance with the PCI DSS; and (ii) does not satisfy any Acquirers' obligation to perform their own evaluation and due diligence, to ensure the PCI DSS compliance of their merchants and agents.
Download the PABP-validated Payment Applications List (PDF, 262k).
For more information
To learn more about Visa's compliance programs, contact Visa via email at AskVisaUSA@Visa.com.