
Am I compliant? PCI-DSS and PA-DSS 

Posted on 24 Jul 2009 by Peter Nees
Interactive Intelligence
Questions and concerns over PCI compliance continue to increase.  Have you noticed the same?

PCI-DSS:
If your organization processes, stores, or transmits credit card information, your organization is subject to PCI compliance.

PA-DSS:
If you are a software application vendor and your application processes, stores, or transmits credit card information, then the software is considered a Payment Application and is subject to PA-DSS compliance.

I've talked about PCI-DSS in past posts.  This time I want to take a closer look at PA-DSS.

The term "Payment Application" is very broad. Apparently, any application that touches credit card information could be considered a payment application. That includes millions of software applications. The good news is that the PCI council does not require PCI certification for all these applications. They do, however, provide best practices (PABP - Payment Application Best Practices) that they recommend for every PA. When you look at the list of certified Payment Applications on https://www.pcisecuritystandards.org/security_standards/vpa/ you'll see that the list is a bit more specific and is categorized by application type.

My question back to the PCI council is why multi-channel (call, email, chat, fax) recording applications are not listed as a specific payment application type.  Anyone care to comment?


Peter "Am I considered a Payment Application?" Nees
 
 
Tags: Best Practices, Market Trends and News, Contact Center
Comments


Charles Neville commented on Monday, 27-Jul-2009
 
Clearly Network Solutions weren't so worried about PCI-DSS: http://about.networksolutions.com/site/data-security-alert-problem-fix-and-customers-notified/


Element Payment Services commented on Tuesday, 28-Jul-2009
 
PABP is actually the old name for what is now PA-DSS. Here's more information about PA-DSS: http://www.elementps.com/software-providers/pa-dss-security/

We've also created a fun PCI compliance tool called the PCI Compliance Quiz: http://www.elementps.com/pci-compliance-quiz/

Hope those links are helpful!
