PA-DSS - good for ...?


rx.jeff
01-04-2010, 09:14 AM
Here's my scenario...

Recently (back in November of 2009), we got an email from one of the major vendors for POS devices/PC apps that indicated that one of their PC apps has recently been validated for PA-DSS ver 1.2. I asked them whether the version previous to that email (which was recently released, back in September 2009) is still a PA-DSS compliant app and for how much longer it is good for, to which they never replied...

So, in our case, we've been testing with the previous version for many months and have not tested the newly released version and would not be deploying the newest version in production without sufficient testing - how do people expect a merchant to keep up with the latest release if it is occurring in such a manner?? Nobody in their right mind would be deploying the latest willy-nilly, right???

lyalc
01-04-2010, 03:06 PM
Firstly, if you click 'accept' at this link https://www.pcisecuritystandards.org/security_standards/vpa/
then you'll be able to see the list of PA-DSS and PABP apps (and their versions) that are recognised by the PCI council.

Secondly, PCI DSS requires that you have all latest patches and updates installed for your version, not that you have the latest version. In some cases, of course, updates come as new versions, but this isn't a forum on version release management.

Given the deadlines imposed by Visa, I'd recommend you migrate to a PA-DSS compliant product as soon as practical. As you are in the pre-implementation phase for what may be a non-compliant app, you may find it more cost effective to go to the compliant version, assuming licensing costs are resolvable favourably.

Apart from Visa's deadlines, you can still be PCI DSS compliant without a PA-DSS app, as long as the same requirements are validated as 'in place' as part of your PCI DSS assessment.

See http://www.visa-asia.com/ap/sea/merchants/riskmgmt/ais_applications.shtml#Security and
http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html for details of Visa's timelines for PA-DSS.


lyalc