If your organization processes, stores, or transmits credit card information, your organization is subject to PCI compliance.
If you are a software application vendor and your application processes, stores, or transmits credit card information, then the software is considered a Payment Application and is subject to PA-DSS compliance.
I’ve talked about PCI-DSS in past posts. This time I want to take a closer look at PA-DSS.
The term "Payment Application" is very broad. Apparently, any application that touches credit card information could be considered a payment application. That includes millions of software applications. The good news is that the PCI council does not require PCI certification for all these applications. They do, however, provide best practices (PABP – Payment Application Best Practices) that they recommend for every Payment Application. When you look at the list of certified Payment Applications on https://www.pcisecuritystandards.org/security_standards/vpa/ you’ll see that the list is a bit more specific and categorized under specific application types.
My question back to the PCI council is why multi-channel (call, email, chat, fax) recording applications are not listed as a specific payment application type. Anyone care to comment?
Peter "Am I considered a Payment Application?" Nees