The Truth About PA-DSS
Recently, you may have noticed the confusion surrounding PA-DSS (Payment Application Data Security Standard) validation. What is it? And what does it mean for institutions and vendors providing payment processing services?
PA-DSS provides industry standards for developing payment applications, but not all software applications that play a role in payment transactions need to undergo review and listing by the Security Standards Council.
Services not required to undergo PA-DSS certification include applications offered only on a software-as-a-service (SaaS) model (software that is not sold or licensed to third parties). Read another way, PA-DSS certification comes into play only with vendors whose software is resident in the school’s environment.
However, best practices in payment processing dictate that software not be installed in the school’s environment. In fact, the best approach is a payment processing service that is completely hosted in a secure data center designed to withstand the regulations and rigors of this kind of business.
At Nelnet Business Solutions, we know one of the main reasons campuses look to payment processing partners like us is to completely outsource the risk involved in processing financial transactions. Our solution has always been completely hosted, meaning no software deployed on campus, and no need for PA-DSS.
For more information on PA-DSS and an update on security and compliance in general, watch our PCI compliance webinar for higher education.