PA-DSS Questions

I only use my current software to store credit card data. Am I still subject to PA-DSS?

Yes. PA-DSS applies to any application that stores, processes or transmits credit card information.

Does PA-DSS apply to my in-house application?

PA-DSS does NOT apply to a payment application developed for and sold to only one customer since this application will be covered as part of the customer's normal PCI DSS compliance review. Note that such an application (which may be referred to as a "bespoke" application) is sold to only one customer (usually a large merchant or service provider), and it is designed and developed according to customer-provided specifications. PA-DSS also does NOT apply to payment applications developed by merchants and service providers if used only in-house (not sold to a third party), since this in-house developed payment application would be covered as part of the merchant's or service provider's normal PCI DSS compliance.

However, using the PA-DSS as a guide during development helps ensure that the application does not hinder the entity's PCI DSS compliance, so it can serve as a best practice for bespoke and in-house payment applications. The entity may choose to have its application assessed by a PA-QSA to satisfy its internal security requirements; however, even if validated as PA-DSS compliant, such an application would not be listed by the PCI SSC.

How does the PCI PA-DSS integrate with the PCI Data Security Standard (DSS)?

The requirements of the Payment Application Data Security Standard (PA-DSS) are derived from the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS details what is required for a merchant to be PCI DSS compliant, and therefore what a payment application must support to facilitate a merchant's PCI DSS compliance. PCI DSS compliance itself may not apply to payment application vendors, since most vendors do not store, process, or transmit cardholder data. However, because merchants use these payment applications to store, process, and transmit cardholder data, and merchants are required to be PCI DSS compliant, payment applications should facilitate, and not prevent, merchants' PCI DSS compliance.

Just a few of the ways a payment application can hinder a merchant's compliance are:

  1. storing magnetic stripe data on the merchant's network after authorization;
  2. requiring merchants to disable other controls required by PCI DSS, such as anti-virus software or firewalls; and
  3. vendors using unsecured methods to connect to the application when providing support to the merchant.

Is the PA-DSS mandatory for all payment application providers?

The PA-DSS applies to all payment application providers. Whether it is mandatory or not will be determined by the payment brands.

Where can I go to find a list of all currently available PA-DSS certified applications?

You may view all currently listed PA-DSS certified payment applications at the following link:

https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html

If the application I want to use/am using is not currently listed, does that mean it's not PA-DSS certified?

Not necessarily. There is a lag between the time an application is considered compliant by the PA-QSA, when it is reviewed by Visa, and when it is posted to the PCI SSC website. If an application isn't listed yet and you want to verify whether it is "in the queue" for listing, you may visit the following link and submit a question to the Council regarding the payment application's status:

http://selfservice.talisma.com/display/2/_index1.aspx?tab=atr&r=0.5234722

Sage Payment Solutions is a registered ISO/MSP of BMO Harris Bank N.A.
Sage Payment Solutions is a Registered ISO and MSP of: HSBC Bank USA, National Association, Buffalo NY
Sage Payment Solutions is a registered ISO/MSP of Chase Paymentech Solutions