Application/equipment PA-DSS compliance - Who is responsible?
rx.jeff
06-24-2009, 10:11 AM
Ultimately (and I stress this word), who would be responsible to make sure that the payment application/equipment is compliant?
The vendor who supplies this or the merchant (user)?
The reason why I ask this is that there have been talks to put the onus on customers who purchased our equipment (ie. we will help them get compliant - which means that customer will have to pay my company for any required changes if their PCI assessor deems any part to be changed to comply with current PCI requirements). Logically, this makes sense for our company as we can't keep paying $30,000 annually just so that we get listed on Visa's website as we are no longer actively selling our products; just supporting our current customer base.
ADail
06-24-2009, 11:38 AM
Technically speaking, doesn't the boarded application approval ultimately rest with the Acquirer?
I'm somewhat fuzzy on this one myself, except that if the Acquirer allows us to use it on their network we can. We fill out reports every year that list our payment applications and versions. It is my assumption they are checking this against "the naughty list" (known vulnerable payment application list), since that list is not available to me as a merchant. Also, all of the dates and mandates I have seen regarding applications have been from the brands to the Acquirers.
That's why it is crucial to pre-approve any payment application with the Acquirer before purchasing it. If you go out and buy a "new" POS system that has been sitting in a warehouse for 4 years, you might have to buy another one. I think from a merchant's perspective, all being on the PA-DSS list does is assure me that I don't have to call the bank before I buy it.
Donny Michael
07-20-2009, 03:47 AM
PA-DSS is a security standard set for payment application developers, outlining security and auditing procedures for electronic payment applications. Software that falls under the PA-DSS envelope could include anything from a POS system to online shopping cart software. PA-DSS requires that a program be audited by a 3rd party and pass a series of security tests and adhere to best practices before it can be distributed. If it is not audited or fails any part of the audit, it cannot be used as a payment application.
jbhall56
07-20-2009, 06:11 AM
Ultimately (and I stress this word), who would be responsible to make sure that the payment application/equipment is compliant?
The vendor who supplies this or the merchant (user)?
Under the PA-DSS, the software vendor is responsible for obtaining the PA-DSS certification by hiring a PA-QSA to conduct an assessment and certify that the software complies with the PA-DSS. An Attestation of Validation (AOV) form is filed with the PCI SSC and after their acceptance, the vendor's name, software package name and version are posted to the PCI SSC's Web site as being PA-DSS certified.
In regard to equipment, if the equipment is a PIN Entry Device (PED), it must comply with both the PCI PED standard as well as the PCI DSS. The PCI PED certification process is similar to the PA-DSS process and must be conducted by a certified PED assessor. Once certified, the PED compliance is filed with the PCI SSC who posts it to their Web site.
Otherwise, the equipment must only comply with the PCI DSS. Since most non-PED equipment is PC-based, it's up to the customer to ensure compliance with the PCI DSS since implementation of these devices is under their control.
In all cases, the vendor should provide some form of guidance to the customer to ensure that the customer does their part to ensure that PCI compliance is maintained. This also gives the vendor an out if the customer does not follow the guidance and improperly implements software and equipment.