Version 2 of the Payment Application Data Security Standard (PA-DSS) was retired on the 28th October 2016.
In the article ‘Updated: Payment Application Data Security Standard (PA-DSS)’ we discussed the impacts of the latest version of PA-DSS, version 3.2. In this follow-up article we explore the impact of the continued use of PA-DSS version 2 payment applications on merchants that have yet to upgrade to an application validated against a more up-to-date version of the Standard.
To start with, it is strongly recommended that merchants do not use expired payment applications in new deployments. If they do so, they may end up in breach of the payment brands’ payment application mandates or compliance requirements.
In addition, unpatched weaknesses may be present in expired versions of payment applications, leaving merchant deployments vulnerable to exploitation by cyber criminals.
Use of an expired PA-DSS payment application may also hinder the ability to operate in a PCI DSS compliant manner.
This is because security updates may no longer be released for vulnerabilities affecting the payment application, the application may no longer support upgrading and security patching of the underlying operating system, and/or the payment application may require an underlying operating system that is itself no longer supported by its vendor.
Exceptions to the rule
However, there are exceptions. When the PA-DSS validation for a payment application in use expires, merchants already using that payment application do not necessarily need to upgrade.
If the application and its required components continue to be supported by the vendor, with security updates made available, and it does not have any high or critical vulnerabilities, then merchants should be able to meet the applicable PCI DSS requirements while continuing to use the application.
The PCI SSC advises merchants wishing to continue their use of expired PA-DSS payment applications to seek guidance from their acquirer and/or the payment brands.
The relevant payment brands do not explicitly prohibit continued use of expired PA-DSS payment applications. Their merchant mandates and guidance on PA-DSS payment application usage can be found here:
If any of your merchants are using an expired PA-DSS payment application, we strongly recommend that you communicate to them that they may be vulnerable and, in addition, may be non-compliant with the PCI DSS.
Most small to medium businesses will not have the expertise or the resources to evaluate whether their expired payment application is still fully supported by the vendor. Sysnet therefore recommends that all payment applications used by merchants are versions that have not yet expired and, preferably, are the latest available PA-DSS validated version released by the vendor.
The payment brands periodically alert their members with an updated list of vulnerable payment applications, where criminals are known to be targeting those applications to steal cardholder data. Sysnet recommends you seek out and sign up to these internal ‘member only’ alerts.
In the table below we have assembled the expiry dates of PA-DSS v3.0 and v3.1, as well as the latest v3.2, for ease of reference.
PA-DSS: Important Dates
| | PA-DSS v3.0 | PA-DSS v3.1 | PA-DSS v3.2 |
|---|---|---|---|
| Effective Date (submissions accepted from this date) | 01-Jun-2014 | 01-Jun-2015 | 01-Sept-2016 |
| Standard Expiry Date (submissions for new application listings and high impact changes not accepted after this date) | 31-Aug-2015 (expired) | 31-Aug-2016 (expired) | 28-Oct-2022 |
| High Impact changes accepted until (for listed applications) | 31-Aug-2016 | 31-Aug-2016 | 28-Oct-2022 |
| Low/No Impact changes accepted until (changes for listed applications) | 28-Oct-2019 | 28-Oct-2019 | 28-Oct-2022 |
| Application Listing Expiry Date (all applications will be moved to the “Pre-Existing Deployments” list) | 28-Oct-2019 | 28-Oct-2019 | 28-Oct-2022 |
We can communicate with your customers on your behalf through our Merchant Contact Services. We offer a wide range of services, from outbound education and advice campaigns through to inbound terminal upgrade support, and can promote a new service on your behalf or encourage safer business practices. For further information or to request a call back, visit Merchant Contact Services, email firstname.lastname@example.org or contact your Sysnet Business Relationship Manager.
If you are a merchant that requires technical or PCI DSS help, please click here