Payment Security Mandates
Visa Canada has implemented mandates to help eliminate the use of vulnerable payment applications from the Visa payment system. These mandates require "Newly Boarded" merchants to use payment applications that adhere to the PA-DSS:
- By October 1, 2008, Acquirers must ensure that any newly boarded merchant that uses payment application software only uses payment application software that is compliant with the PA-DSS requirements. Please note that the term "newly boarded" merchants refers only to new merchants that accept Visa cards for payment. It does not include existing merchants who may switch Acquirers, nor does it include a new outlet store in a merchant chain or franchise setup.
- By July 1, 2010, Acquirers must ensure that their merchants (new and existing) who use a payment application only use payment application software that is compliant with the PA-DSS requirements.
PA-DSS scope
PA-DSS applies to software vendors who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement. In addition, PA-DSS requirements apply to payment applications that are sold, distributed or licensed to third parties. Examples of applicable payment applications include but are not limited to POS software, e-commerce shopping carts, and web-based payment applications. PA-DSS does not apply to payment applications developed by merchants and agents if used only in-house (not sold to a third party). PA-DSS also does not apply to standalone POS terminals.
PA-DSS - List of Validated Payment Applications
Payment application compliance with PA-DSS is based on an evaluation of the application by a Payment Application - Qualified Security Assessor ("PA-QSA").
To view the current list of PA-DSS validated payment applications, click here
Visa does not perform any tests or analysis of the functionality, performance or suitability of any of the payment applications listed. Visa also does not endorse or recommend any of the listed payment applications, or their respective developers or distributors. Furthermore, Visa makes no warranties, guarantees or representations that any of the applications will meet any requirements for performance or functionality, that the applications will be free from errors or malicious code, or that the payment applications will be compatible with any other systems or applications. Any and all representations or warranties, including any and all representations and warranties made by the payment application vendor, are disclaimed by Visa.
The information provided herein is provided "as is" with no warranties, expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose and/or non-infringement. The information provided herein is subject to change by Visa, with or without notice. Although Visa makes good faith efforts to provide accurate and complete information, merchants, or anyone else utilizing the information set forth in the List of Validated Payment Applications remain responsible for confirming the accuracy of such information, including but not limited to, confirming with the appropriate payment application vendor that the version of the application identified below is in compliance with PA-DSS. Use of any one or more of the applications below (i) does not guarantee or ensure compliance with the PCI DSS; and (ii) does not satisfy any Acquirers' obligation to perform their own evaluation and due diligence, to ensure the PCI DSS compliance of their merchants and agents.