Difference between PCI compliance and PA-DSS validation

The responsibility of IBM® as a software vendor is to have its payment application validated against the Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS).

IBM has completed an assessment and certification compliance review with an independent assessment firm to confirm that its platform conforms to industry best practices for handling, managing, and storing payment-related information.

PCI PA-DSS is the standard against which the payment application itself is tested, assessed, and validated.

PCI DSS compliance is obtained separately by the merchant, and is an assessment of the merchant's actual server (or hosting) environment rather than of the application alone.

Obtaining PCI DSS compliance is the joint responsibility of the merchant and the hosting provider, working together, using a PCI-compliant server architecture with appropriate hardware and software configurations and access control procedures.

The PCI PA-DSS validation is intended to ensure that the payment application helps you achieve and maintain PCI DSS compliance with respect to how the application handles user accounts, passwords, encryption, and other payment data. Validation of the application does not, by itself, make the environment in which it is deployed compliant.

The Payment Card Industry has developed security standards for handling cardholder information in a published standard called the “PCI Data Security Standard.” The security requirements defined in the DSS apply to all members, merchants, and service providers who store, process, or transmit cardholder data.

The PCI DSS requirements apply to all system components within the payment application environment (the cardholder data environment, or CDE), which is defined as any network device, host, or application that is included in or connected to a network segment where cardholder data is stored, processed, or transmitted. Because scope is determined by connectivity, systems on a segment that is not connected to the CDE can be excluded from the assessment only if that segmentation is in place and verified.