When you search the PCI website for validated payment applications, it shows a re-validation date and an expiry date. There are also two categories of payment applications, "Acceptable for New Deployments" and "Acceptable only for Pre-Existing Deployments".

There are applications listed that are past the Expiry date. These are in the Pre-Existing Deployments section. Does this mean as long as the application was installed before the expiry date you can use it and be compliant for as long as you want and not have to upgrade to the latest version? From reading the PCI docs on this it sounds like that is the case. But that doesn't really make sense to me. Any insight from PCI experts would be helpful.

You've got it correctly - if you install an approved PA-DSS application during its "Acceptable for New Deployments" phase, then you may continue to use it indefinitely. To quote the PA-DSS Program Guide:

There is currently no sunset date for PA-DSS validated payment applications that were on the list at the time of deployment. Deployed payment applications that expire may continue to be used. The expiration timeframe is associated with new purchases/deployments, not existing deployments.

Of course, as both the Program Guide and the Requirements and Security Assessment Procedures state:

A PA-DSS compliant payment application alone is no guarantee of PCI DSS compliance.

It's likely that the age and unmaintained status of a former PA-DSS compliant application would be a factor for your QSA, especially if there are reported problems with the software. Your question suggests that a large grandfather clause loophole wouldn't make sense - it doesn't, and the compensation is that your QSA is allowed to call BS if they feel the grandfathering has gone long enough.

  • Makes perfect sense... Thanks for the response. PCI has that catch-all requirement for keeping things up-to-date and still supported. Thanks for the info. – Timee Jan 02 '14 at 04:45