Payment applications

Visa Europe is committed to ensuring that payment application products are secure and validated using criteria recognised and accepted across the industry.

In 2005, Visa developed the Payment Application Best Practices (PABP) to guide software vendors in developing payment applications that help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data (full magnetic-stripe data, CVV2 or PIN data) and support overall compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Since 2005, 254 vendors independently validated 555 products against the PABP through a Qualified Security Assessor (QSA). In 2008, the PCI Security Standards Council (PCI SSC) adopted our PABP and released the standard as the Payment Application Data Security Standard (PA-DSS). The PA-DSS now replaces PABP for the purpose of Visa’s compliance program.

Lists of validated payment applications

The PCI SSC is currently moving all 555 products previously validated under the PABP to a consolidated list on the PCI SSC website, comprising the validated PABP applications and newly validated PA-DSS applications. During this migration, both lists will be available to ensure a smooth transition. All new payment application assessments should undergo PA-DSS validation by a Payment Application Qualified Security Assessor (PA-QSA) and be listed with the PCI SSC.

View the PCI SSC List of PA-DSS Validated Payment Applications

Download the Visa List of PABP Validated Payment Applications (PDF 0.5MB)

Payment Application Data Security Standard

Visa Europe strongly encourages payment application vendors to ensure their products undergo PA-DSS validation. PA-DSS compliant applications help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data and support overall compliance with the PCI DSS.

PA-DSS applies only to third-party payment application software that stores, processes or transmits cardholder data as part of an authorisation or settlement. It does not apply to software applications developed by merchants and agents for in-house use only. These in-house software applications are covered within a merchant or agent’s PCI DSS assessment.

The PCI SSC is responsible for:

  • Maintaining and updating the PA-DSS and all related documentation
  • Payment Application Qualified Security Assessor qualification and training
  • Reports of Validation submissions and quality assurance
  • The listing of PA-DSS validated payment applications

For more information on the PA-DSS, including validation requirements and a list of PA-DSS-validated applications, please visit the PCI SSC website.

Notify Visa Europe of vulnerable payment applications

Visa Europe is aware that certain payment applications are designed by software vendors to store sensitive cardholder data subsequent to transaction authorisation. Storage of these cardholder data elements is in direct violation of PCI DSS and Visa Europe rules. Criminals are targeting merchants and agents that use these vulnerable payment applications and are exploiting security vulnerabilities to find and steal cardholder data.

On a quarterly basis, Visa Europe proactively alerts key stakeholders, including acquirers, with an updated list of vulnerable payment applications. If you discover a vulnerable payment application, please notify Visa at padss@visa.com. Please include specific information about the payment application vendor, the application version, where sensitive cardholder data is stored and vendor contact information.

All information provided will be verified through the software vendor. Visa Europe will not reveal to any software vendor the source of information or disclose information that would reveal the source’s identity.