How do I know if my application requires a PA-DSS (Payment Application Data Security Standard) Assessment?
The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. With the following exceptions: 1. PA-DSS does NOT apply to a payment application developed for and sold to only one customer since this application will be covered as part of the customer’s normal PCI DSS compliance review. Note that such an application (which may be referred to as a “bespoke” application) is sold to only one customer (usually a large merchant or service provider), and it is designed and developed according to customer-provided specifications. 2. PA-DSS does NOT apply to payment applications developed by merchants and service providers if used only in-house (not sold, distributed, or licensed to a third party), since this in-house developed payment application would be covered as part of the merchant’s or service pr
Related Questions
- What is the relationship between the PCI Data Security Standard and the Payment Application Data Security Standard (PA-DSS) and PIN Transaction Security (PTS) Device requirements?
- How long have these requirements been in place and how do I find out which companies offer products validated against the Payment Application Data Security Standard?
- Please remind me of the background to the Payment Card Industry Data Security Standard (PCI DSS)?
