echain
03-19-2008, 09:37 AM
If a Chip/Pin POS solution has been certified compliant with EMV Level 1 and 2, does this also have to be certified for PA-DSS? Can anyone shed some light on how these 2 different certifications work together?
andrewj
03-21-2008, 01:46 AM
EMV Level 1 is a standard that looks at the low-level functionality of the card-accepting device (or Interface Device - IFD). This looks at the physical and link layer interface of the device with the card - timings and voltage levels, that sort of stuff. EMV Level 1 is actually not really concerned with payments at all, other than ensuring the device can intercommunicate.
EMV Level 2 is a certification that looks at the actual payment transaction messaging, and ensures that it proceeds in such a way that will be compatible with other back-end systems. It is not concerned with security, and does not look at the clearing of buffers, or whether files are written to the hard disk, or logs kept, etc. It also does not concern itself with the security of the PIN entry device, or the IFD, from a physical point of view - this is why we have the PCI PED standard.
PA-DSS will concern itself with how the payment application handles the security of the data of the message - not the card, but on the POS device and how it is secured when sent to the host. This is outside of the scope of EMV level 2, and PCI PED is only concerned with the security of the PIN block (not other CHD).
Therefore, you can have an EMV L1 & L2 approved application that does not meet the requirements of PCI DSS - just as you could have a chip and PIN application that is PA-DSS certified, but may fail EMV L2 certification. I would imagine that certification for L2 application kernels that may exist on a PED-style hardware device is not too much of a priority for PCI SSC at this time - however an EMV L2 application that sits on a PC-based POS is definitely something that would be in scope for PA-DSS, and compliance is certainly not guaranteed.
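Added example (not part of andrewj's post or of any vendor's code): the post above says EMV L2 does not care whether cardholder data ends up on disk or in logs, while PA-DSS does. The script below shows one concrete thing a PA-DSS assessor looks for in a PC-based POS: application logs that carry track 2 data or a full PAN. It scrubs constructed log lines by stripping track 2 equivalent data (which PA-DSS requirement 1 says must never be retained after authorisation) and masking any Luhn-valid 13-19 digit PAN to first six and last four (the maximum PCI DSS 3.3 allows to be displayed). The log lines, terminal id and field names are made up for the example; the track 2 layout (`;PAN=YYMM` service code, discretionary data `?`) is the standard one.

```python
import re

# Track 2 equivalent data as it appears in the raw card read:
#   ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})?(\d*)\?")

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; weeds out RRNs, timestamps and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3: at most the first six and last four digits may be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_log_line(line: str) -> str:
    """Remove track 2 data and mask full PANs before a line is written to a log."""

    def _track2(m: "re.Match[str]") -> str:
        # Track 2 (including the PIN-relevant service code) is sensitive
        # authentication data; drop it entirely, keep only a masked PAN.
        return "[TRACK2 REMOVED pan=%s]" % mask_pan(m.group(1))

    def _pan(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        # Only mask runs that pass Luhn; an RRN or timestamp normally will not.
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)

    line = TRACK2_RE.sub(_track2, line)
    return PAN_RE.sub(_pan, line)


# Constructed sample log lines (test card numbers, made-up terminal and RRN).
SAMPLE_LOG = [
    "2008-03-19 09:37:01 AUTH req terminal=T0042 pan=4111111111111111 amount=12.50",
    "2008-03-19 09:37:01 DEBUG raw track2 ;5555555555554444=1012101123456789?",
    "2008-03-19 09:37:02 AUTH resp rrn=1234567890123456 approved",
]


def redact_log(lines: list) -> list:
    return [redact_log_line(l) for l in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOG, redact_log(SAMPLE_LOG)):
        print(before)
        print("  ->", after)
```

The Luhn filter is what keeps the scrubber from mangling legitimate 16-digit reference numbers, but it is a heuristic: a 14-digit timestamp will pass Luhn roughly one time in ten, so in a real POS the better fix is to never format PAN or track data into a log call in the first place and keep the scrubber as a last line of defence.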
wconway
03-21-2008, 09:09 AM
Andrew, Thanks for the great tutorial on EMV (and PCI PED).:D