Which Applications Are Eligible for PA DSS?

If you can answer “yes” to any of the following questions, then your application is not eligible for validation under PA-DSS:

  1. Is this a beta version of the application?
  2. Does the application handle cardholder data, but the application itself does not facilitate authorization or settlement?
  3. Does the application facilitate authorization or settlement, but has no access to cardholder data or sensitive authentication data?
  4. Does the application require source code customization or significant configuration by the customer (as opposed to being sold and installed “off the shelf”) such that the changes impact one or more PA-DSS requirements?
  5. Is the application a back-office system that stores cardholder data but does not facilitate authorization or settlement of credit card transactions (for example, reporting, CRM, rewards or fraud-scoring systems)?
  6. Is the application developed in-house and only used by the company that developed the application?
  7. Is the application developed and sold to a single customer for the sole use of that customer?
  8. Does the application function as a shared library (such as a DLL) that must be implemented with another software component in order to function, but that is not bundled (that is, sold, licensed and/or distributed as a single package) with the supporting software components?
  9. Does the application depend on other software in order to meet one or more PA-DSS requirements, but is not bundled (that is, sold, licensed and/or distributed as a single package) with the supporting software?
  10. Is the application a single module that is not submitted as part of a suite, and that does not facilitate authorization or settlement on its own?
  11. Is the application offered only as software as a service (SaaS) that is not sold, distributed, or licensed to third parties?
  12. Is the application an operating system, database or platform, even one that may store, process, or transmit cardholder data?
  13. Does the application operate on any consumer electronic handheld device (e.g., smart phone, tablet or PDA) that is not solely dedicated to payment acceptance for transaction processing?

Remember that even if your application is not eligible for assessment under PA-DSS, it may still be required to operate in a PCI-compliant fashion. Speak with your QSA for further advice.

Point 13 above is expanded upon in the SSC document “Mobile Payment Acceptance FAQ”, which details the different categories of mobile payment acceptance applications.

The above information is taken from the full PCI SSC guidance note available from here.
