- PA-DSS does apply to payment applications that are typically sold and installed “off the shelf” by software vendors without much customization
- PA-DSS does apply to payment applications provided in modules, which typically includes a “baseline” module and other modules specific to customer types or functions, or customized per customer request.
– PA-DSS may only apply to the baseline module if that module is the only one performing payment functions (once confirmed by a PA-QSA)
– if other modules also perform payment functions, PA-DSS applies to those modules as well.
– Note that it is considered a “best practice” for software vendors to isolate payment functions into a single or small number of baseline modules, reserving other modules for non-payment functions. This best practice (though not a requirement) can limit the number of modules subject to PA-DSS.
- PA-DSS does NOT apply to a payment application developed for and sold to only one customer, since this application will be covered as part of the customer’s PCI DSS compliance review.
– Note that such an application (which may be referred to as a “bespoke” application) is sold to only one customer (usually a large merchant or service provider), and it is designed and developed according to customer-provided specifications.
- PA-DSS does NOT apply to payment applications developed by merchants and service providers or used only in-house (not sold to a third party), since this in-house developed payment application would be covered as part of the merchant’s or service provider’s PCI DSS compliance