Assessors: Prepare for the Closure of PA-DSS

On 28 October 2022, the Payment Application Data Security Standard (PA-DSS) and Program will close and will be replaced by the PCI Secure Software Standard. To prepare for this transition, assessors should be aware of the following information:

PA-DSS Application Validation and Listing:

• Change submissions to listed PA-DSS applications must be complete (i.e., all required documentation supplied and submitted to PCI SSC for review) by 28 October 2022. Complete submissions must have a paid invoice to be accepted and placed in the queue for PCI SSC review. PA-DSS change submissions that are incomplete (in a draft state) or do not have a paid invoice by 8 p.m. EST 28 October 2022 will not be considered for acceptance.
• PA-DSS change submissions that have been accepted and placed in the queue for review by PCI SSC prior to 8 p.m. EST 28 October 2022 will have until 31 March 2023 to complete. If the evaluation of the change request is not completed by this date, the change will not be included on the “Acceptable only for Pre-Existing Deployments” list and the change request will be closed.
• All PA-DSS payment applications currently listed as “Acceptable for New Deployments” will be moved to the “Acceptable only for Pre-Existing Deployments” list after 28 October 2022. It is recommended that vendors wishing to maintain an active listing for their software undergo PCI SSC Secure Software validation.
• Portal access to historical PA-DSS records is not guaranteed after 28 October 2022. Retrieval of records, if needed, should be done prior to 28 October 2022. However, it should be noted, PA-QSA companies with in-flight change submissions will have access to the Portal until those submissions are complete. 

Assessors: 

• PA-QSA companies and their employees that would like to continue assessing software applications after 28 October 2022, including PA-QSA(P2PE) companies and their employees, will need to qualify under the PCI SSC Software Security Framework as Secure Software Companies and Secure Software Assessors.
• The names for the P2PE assessors will also be changing as of 28 October 2022. QSA(P2PE)s will become “P2PE Assessors” and PA-QSA(P2PE)s will become “P2PE Application Assessors”.
• The list of PA-QSAs on the PCI SSC website will be removed after 28 October 2022.
• Only PA-QSA(P2PE)s who are also qualified as Secure Software Assessors by 28 October 2022 will remain on the PCI Point-to-Point Encryption (P2PE) Assessors list as P2PE Application Assessors.

Computer-based Secure Software Assessor Training Option for PA-QSAs Ending:

• To help existing PA-QSAs obtain their Secure Software Assessor qualification, computer-based training has been an available option. However, when the PA-DSS and PA-QSA programs close at the end of October this year, this computer-based training option for PA-QSAs will also end.
• After 28 October 2022, all Secure Software Assessor candidates must complete in-person training and sit for the subsequent exam, regardless of prior PA-QSA status. Full details of the Secure Software Assessor qualification requirements can be found in the currently published version of the PCI Software Security Framework Qualification Requirements for Assessors, available in the Document Library.
• Current PA-QSAs have until 28 October 2022 to take advantage of the computer-based training and exam to qualify as a Secure Software Assessor. No extensions will be granted, or refunds given for computer-based enrollments not completed (training and passed exam) by 28 October 2022.

Also on the blog: How to Successfully Transition Software from PA-DSS to the PCI Secure Software Standard