Our applications are certified and on the list of certified PABP compliant applications. We were certified with the latest PABP 1.4. Now, PA-DSS is the new kid on the block. Is it an automatic upgrade to PA-DSS from PABP 1.4 or do we have to be re-audited?

+2  A: 

I believe there is a "legacy exception" type deal that will allow you to stay under PABP as long as you haven't released a new version. Though you'll need to ask an auditor to be sure.

Generally if you've just finished certification, you don't need to do anything until the next year. At that point PA-DSS will likely apply if you've released a new version of the software.

An application I work heavily on has not had a major or minor release for a year. Since we only patched it, we were able to maintain our current PABP certification without a re-audit. There may have been some special circumstances with this, so don't count on this to be true unless an auditor tells you that they'll submit a new ROC for you.

Nathan
Thanks for the info. We first appeared on the list in December 2008. However, CISP just released a FAQ yesterday that states that applications do not have to be on the List of Validated Applications to be considered PABP or PA-DSS compliant. Having said that, most acquirers are still requiring it even though VISA does not.
0A0D