The following guide can be used to determine whether PA-DSS applies to a given payment application:
- PA-DSS does apply to payment applications that are typically sold and installed “off the shelf” without much customization by software vendors.
- PA-DSS does apply to payment applications provided in modules, which typically includes a “baseline” module and other modules specific to customer types or functions, or customized per customer request. PA-DSS may only apply to the baseline module if that module is the only one performing payment functions (once confirmed by a PA-QSA). If other modules also perform payment functions, PA-DSS applies to those modules as well. Note that it is considered a “best practice” for software vendors to isolate payment functions into a single or small number of baseline modules, reserving other modules for non-payment functions. This best practice (though not a requirement) can limit the number of modules subject to PA-DSS.
- PA-DSS does NOT apply to a payment application developed for and sold to only one customer since this application will be covered as part of the customer’s normal PCI DSS compliance review. Note that such an application (which may be referred to as a “bespoke” application) is sold to only one customer (usually a large merchant or service provider), and it is designed and developed according to customer-provided specifications.
- PA-DSS does NOT apply to payment applications developed by merchants and service providers if used only in-house (not sold to a third party), since this in-house developed payment application would be covered as part of the merchant’s or service provider’s normal PCI DSS compliance.
For further information on PA-DSS v1.2 for supporting documents, please visit https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml
