Scope of PA DSS

The Payment Application Data Security Standards ("PA-DSS") applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. 

PA DSS applies to payment applications that are typically sold and installed “off the shelf” without much customization by software vendors or resellers.

PA-DSS applies to payment applications provided in modules, which typically includes a “baseline” application products must module and other modules specific to customer types or functions, or customized per customer request. PA-DSS may only apply to the baseline module if that module is the only one performing payment functions (once confirmed by a PA QSA). If other modules also perform payment functions, PA-DSS applies to those modules as well. Note that it is considered “best practice” for software vendors to isolate payment functions into a single or small number of baseline modules, reserving other modules for non-payment functions. This best practice, though not a requirement, can limit the number of modules subject to PA-DSS and therefore reduce the scope of the PA-DSS assessment. 

Steps to Compliance