A business man looks at the future and changes expected for PCI DSS and PA DSS
Mike Mariano
Listen to: "New Changes for PCI DSS and PA DSS Expected in 2021"

There are distinct differences in PCI DSS and PA DSS. Any organization storing, processing and transmitting credit card data – regardless of how small or large the transaction – must be compliant with PCI DSS standards. Vendors making and selling payment applications also need to meet PA DSS requirements.

Now, there are a number of changes in store for both. Let’s start by looking at the four specific areas in the new PCI DSS 4.0.

What’s the Difference Between PCI DSS and PA DSS?

Good question. The main difference is that PCI DSS applies to every company and entity that handles credit card data. Organizations that store, process or transmit credit card information are required to comply with PCI DSS. PA DSS, on the other hand, only applies to vendors that produce and sell payment applications.

PCI DSS 4.0 Is Expected to Change in 2021

The new DSS version is slated for release by the middle of next year with new payment initiatives supported within the industry. They include:

Critical Control Testing

This is a higher level of critical control testing, which includes a significant increase in the amount of testing required. Though Designated Entities Supplemental Validation (DESV) requirements are nothing new, they were previously mandatory only for companies that had been compromised. In this new version, these requirements may be a mandated requirement for all companies to achieve compliance.


NIST/Password Guidance moves to the forefront in this new version. The PCI SSC places more focus on applying stronger authentication standards to payment and control process access log-ins. It has also partnered with the Europay, Mastercard, and Visa (EMVco) to implement the use of a 3DS Core Security Standard during transaction authorization.

This new standard opens the door for organizations to build their own unique pluggable authentication standards to meet data security regulatory requirements. At the same time, they can be scaled to fit the company’s transaction objectives.


The push for more secure standards related to cardholder data security has increased. Cyberthreats that include malicious code is one of the biggest problems that financial institutions face. Once the code is embedded in the network, information can be retrieved through cardholder data being transmitted. The new version of PCI DSS 4.0 specifically addresses this issue, with best practices and insight on how to fully protect network transmissions.


As risk continues to grow, so does the need for more detailed, risk-based approaches. The PCI Software Security Framework provides solutions to quickly deploy processes in compliance with standards even if the technology is not located in a specific control area.

Changes Are Coming for PA-DSS V3.2

Once the PCI-DSS 4.0 transition is complete, all roads lead to a change in PA-DSS 3.2 in 2022. The current program is fully supported through October 2022 with no apparent changes to how the current validated applications are handled. New validation programs from the PCI SSF called the Secure Software Lifecycle (Secure SLC) are on the horizon to support the new PCI Software Security Standards.

Together, the new standards and programs will provide a robust payment software solution for vendors. It will continue to work within the framework that designs, develops, and maintains modern payment software.

Understanding the PCI Software Security Framework

The current PCI Software Security Framework (SSF) consists of two standards – Secure Software Standard, and Secure Software Lifecycle (SLC) Standard. Both are part of a collection of associated validation and listing programs, and related software security standards.

With a focus on the SLC, this standard defines a set of security requirements and associated test procedures for software vendors. It serves to guide testing and validation for management of security protocols within their payment processing systems throughout the software lifecycle. Validation indicates the vendor currently has mature management lifecycle practices in place. These work to minimize, defend, and possibly alleviate attacks.

PCI SSC will start conducting training in 2020 for SSF Assessors.

What’s the Difference Between PCI SSF and PA-DSS?

Another good question. PA-DSS is expected to be phased out starting in 2022; PCI SSF should replace this legacy program. The new validation program will likely include components of PA-DSS. It will be built to better support PCI Software Security Standards and outline a stronger framework for designing, developing and maintaining modern payment software.

Related article:6 Key Changes to Anticipate with PCI DSS 4.0

Ensuring Your Compliance with AWA

With all the changes coming down the pipeline, achieving and maintaining compliance can be challenging. Our team ensures you’re ready for the PCI Software Security Framework Compliance in October 2022. We provide comprehensive, robust assessments and testing to minimize risks make sure your systems are PCI DSS compliant.

Our PCI DSS Assessment identifies any weaknesses in your security protocols while providing the most secure protection advice for cardholder data based on your business model and industry. For a quote on our services, fill out our contact form or call us at 215-675-1400.

About The Author

Get Hassle-free Pricing in 3 Easy Steps

Request a quote using the form below
Allow us to create a customized plan
We'll get you an accurate, no-obligation quote
Untitled-1 Asset 1 Request a Quote Background

Request a Quote

Please fill out the fields below and one of our compliance specialists will contact you shortly. Want to speak to us now? Call us at (866) 335-6235

Request a Quote (Keep)

I.S. Partners is serious about privacy. We will never share your information with third parties. Please read our Privacy Policy for more information.


Great companies think alike!

Join hundreds of other companies that trust I.S Partners for their compliance, attestation and security needs.

Teladoc VeriClaim DentaQuest VisioNet Verifacts Sterling AV Med DOE Legal