In the PA-DSS context, what is a dependency?

In PA-DSS, a dependency is any software or hardware component that the payment application relies on to meet the security requirements. This includes external libraries, runtime environments, encryption modules, middleware, or hardware devices the app uses to function securely. These components are essential for the PA-DSS controls to be satisfied, so they must be considered during validation. For example, using a specific cryptographic library or an HSM for key management makes that library or device a dependency. It isn’t a risk assessment document, a cryptographic key itself, or a service level agreement, which is why the correct interpretation is that a dependency is a necessary software or hardware component for the payment application's PA-DSS requirements. If a dependency changes, revalidation may be needed to ensure ongoing compliance.