PA-DSS Overview

March 4, 2016

Payment Application Data Security Standard (PA-DSS) is a comprehensive set of requirements for payment application software vendors, intended to facilitate their customers' PCI DSS compliance. It is distinct from, but aligned with, PCI DSS. PA-DSS applies to payment applications that are sold, distributed, or licensed to third parties and that store, process, or transmit cardholder data as part of authorization and/or settlement. Note that a PA-DSS validated application does not by itself make a merchant or service provider PCI DSS compliant; it only removes one set of obstacles, and the application still has to be deployed and operated in a PCI DSS compliant environment.

The first consideration when determining whether an application should undergo a PA-DSS assessment is to verify whether it is a payment application at all. Specifically, only applications that store, process, or transmit cardholder data as part of the authorization and/or settlement of payments are considered payment applications. Applications that are not involved in authorization or settlement but handle payment card data for other purposes (for example, loyalty programs) are not required to undergo a PA-DSS assessment; the cardholder data they handle is instead covered by the PCI DSS assessment of the entity operating them.

We should also make an important note here: while the PA-DSS Program Guide provides guidance on the types of applications that would undergo an assessment, it does not mandate which applications must undergo one. Remember that whether or not an application is required to undergo a PA-DSS assessment is determined by the individual payment brands, so check the requirements of each brand the application is expected to support.

