Security risks associated with payment applications have never been greater or more publicized. The Payment Application Data Security Standard (PA-DSS) and application penetration testing under the broader PCI DSS requirement 11.3 both aim to address application threat vectors, albeit through different tools and mechanisms. In this presentation, we will cover:

• An overview of PA-DSS and application penetration testing
• The elements the two share, and a comparison of some of the more detailed differences
• The requirements, where they apply, and how they play a role in securing payment applications