In 2008 Visa laid out a series of mandates, forcing merchants to migrate towards compliant applications. Below are the specific mandates from Visa. Each one and its meaning will be discussed in detail.
| Phase | Compliance Mandate | Effective Date |
| 1 | Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications | 1/1/08 |
| 2 | VNPs and agents must only certify new payment applications to their platforms that are PA-DSS-compliant | 7/1/08 |
| 3 | Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS-compliant applications* | 10/1/08/ |
| 4 | VNPs and agents must decertify all vulnerable payment applications** | 10/1/09 |
| 5 | Acquirers must ensure their merchants, VNPs and agents use only PA-DSS compliant applications | 7/1/10 |
Phase 1 – This mandate was the first attempt to begin eliminating Known Vulnerable applications from the merchant base and eliminate the certification of Known Vulnerable applications by acquirers and processors. Effective January 1, 2008 WorldPay stopped boarding merchants utilizing a Known Vulnerable application. WorldPay’s Terminal Products team discontinued certifications of applications that appeared on the Known Vulnerable list.
Phase 2 – In the second phase, not only did WorldPay NOT certify Known Vulnerable applications, but now only certify payment applications to their platform that received a PA DSS validation certificate.
Phase 3 – With this mandate, merchants now began to see the effects of PA DSS compliance and how the Visa mandates affect their processing. Essentially, any new merchant utilizing a payment application that boarded with WorldPay could only board under one of the following conditions: A) The merchant was using a PA DSS certified application or B) That merchant was PCI DSS compliant.
Phase 4 – The Phase 4 mandate stated that all acquirers and processors must examine their existing merchant base and remove all merchants using a Known Vulnerable application. Combining Phase 1, which captured new merchants, with Phase 4, which captured existing merchants boarded prior to January 1, 2008, all merchants would be evaluated for elimination of Known Vulnerable applications in the payment system.
Phase 5 – This is the final deadline for all Phases 1-4 compliancy. For all merchants utilizing payment applications in the payment system would either be PA DSS compliant or PCI DSS compliant as of July 1, 2010.
* In-house use only developed applications and stand-alone POS hardware terminals are not applicable
** VisaNet Processors (VNP's) and agents must decertify vulnerable payment applications within 12 months of identification
