Skip Ribbon Commands
Skip to main content


PA-DSS Assessment RoV/Gap Assessment


Any application involved in the transmission, storage, or processing of credit card information is in scope for PCI compliance. Additionally, if this application is sold to third parties and is involved in the authorization or settlement of cardholder information, it must be PA-DSS certified. A PCI Report on Validation (RoV) will validate this type of payment application with the various PA-DSS control requirements. PA-DSS Requirements are below:

  • Do not retain full magnetic stripe, card validation code or value
  • Protect stored cardholder data
  • Provide secure authentication features
  • Log payment application activity
  • Develop secure payment applications
  • Protect wireless transmissions
  • Test payment applications to address vulnerabilities
  • Facilitate secure network implementation
  • Cardholder data must never be stored on a server connected to the Internet
  • Facilitate secure remote access to payment application
  • Encrypt sensitive traffic over public networks
  • Encrypt all non-console administrative access
  • Maintain instructional documentation and training programs for customers, resellers, and integrators

As of July 1, 2010, Visa requires acquirers to ensure their merchant, VNPs (Visa Net Processors), and agents use only PABP or PA-DSS compliant payment applications. Effective July 1, 2012, MasterCard will require that all merchants and service providers utilizing third party payment applications ensure that the application is PA-DSS certified. Based on SecureState’s experience, very few payment applications are fully compliant with PCI PA-DSS the first time through.


  • Validation of compliance with the PA DSS
  • Competitive edge when marketing applications to merchants
  • Verification that payment applications can be configured to meet PCI DSS compliance requirement


SecureState’s Audit & Compliance consultants are experts in understanding both the technical aspects as well as the business aspects of payment applications. As a QSA and PA QSA company, SecureState understands the full payment lifecycle from the application level to implementation within a merchant’s cardholder data environment.

Did You Know?

  • SecureState can assist in the development of the Implementation Guide required for PA-DSS validation
  • Use of validated applications is a separate requirement from PCI DSS and implementation requirements are managed by each individual card brand
  • Visa requires that only PA DSS validate applications be used as of July 2010
  • MasterCard requires that only PA DSS validated applications be used, effective July 2012
  • PA DSS validation is not required for internally developed applications
  • SecureState can assist with the development of your PA DSS Implementation Guide
  • PA DSS applies to commercial applications that support authorization and settlement of transactions
  • PA DSS validation expires after three (3) years and new software versions and significant changes must be revalidated
  • A PA-DSS RoV occurs whenever there is a major change to the application and/or when renewing an expired application

Our Approach and Methodology

SecureState’s approach to a PA DSS Assessment follows a phased approach to make the most effective and efficient use of time. The goals are to:

  • Review documentation prior to the onsite reviews to minimize disruptions
  • Keep you up-to-date on evolving PA DSS requirements and industry trends
  • Provide weekly status updates on remediation requirements

The stages of our PA DSS Assessment, with limited descriptions, are as follows:

Pre-Onsite Visit:

  • Introduce engagement participants and define roles
  • Review assessment activities
  • Establish schedules

Documentation Review:

  • Collect, review, and assess required documentation (i.e. PA DSS Implementation Guide, training and communication programs)

On-Site Review:

  • Validate lab setup
  • Vulnerability analysis of application
  • Forensic analysis of application
  • Identify gaps against the PA DSS requirements
  • Provide recommendations for remediation of gaps


  • Produce and deliver the Report on Validation (RoV) and Attestation of Validation (AoV)
  • Submit RoV and AoV to the PCI SSC

What Makes Us Different


  • Provides comprehensive on-demand security expertise during the engagement and throughout the year
  • Supports its clients’ PCI programs with our proprietary “MyState Portal” and a team of qualified PCI specialists
  • Maintains close relationships with our clients because we care about the outcome of the assessment
  • Provides consistent control requirement interpretations. Any ambiguous requirements are reviewed, researched, and agreed upon by all SecureState PA QSAs to ensure opinions do not differ from year to year or among the PA QSAs
  • Has certified forensics specialists on staff that have experience investigating breaches