It is nightmare for ecommerce.

I agree.

It seems that somebody wants to earn more money.

Acquirers have no idea how to, nor the means to police the situation. This is exactly why we’ve all seen the emergence of the PCI compliance fee, that most level 4 merchants are now subject to. Even FDR added a PCI fee for non-compliant level 4 merchants. Many ISO’s charge an additional fee if their customer’s don’t use their prefered PCI scanning vendor…

I’ve worked with about 8 ISO’s related to the PCI mess, and none of them have any real idea on what PCI is, or who it actually applies to, or why we have it, or what it actually is.

They simply add a PCI compliance fee to their customer’s accounts because it somehow removes their liability from a data breach.

And Visa… Visa is so far removed from the situation that they have no idea what is actually happening on the merchants level. The whole situation is out of control…

While the use of PA-DSS validated payment applications is recommended, a payment application need not be included on Visa’s list of PABP validated payment applications or PCI SSC’s list of PA-DSS validated payment applications in order to comply with Phase 2, Phase 3 and Phase 5 requirements for use of PA-DSS compliant applications. Acquirers may determine the PA-DSS compliancy of a payment application through alternate validation processes, which should confirm that payment applications meet PA-DSS requirements and should facilitate compliance with the PCI DSS.”

If they do not then they must demonstrate that the payment applications they use are compliant with the PCI DSS which won’t need to do if the apps are PA-DSS certified.

Having said this, a merchant cannot use an application that would fail the PA-DSS (eg if it stored CVV2 permanently or stored CHD unencrypted) without compensating controls.

The long and the short of it is that PA-DSS is not mandatory but not having it is a major drawback for payment application vendors.