Secure Payments, PCI DSS, Regulatory Compliance Blog

Service Provider or PA-DSS?

December 7th, 2008 by admin Posted in Payment Applications, pa-dss

Chris asks,

Our company doesn’t do any credit card transactions whatsoever.  However,
some of our clients need to install our software on their back office
computers.  And some of those clients are worried that we aren’t PCI
“Certified”.  How do we assure them that we are OK with PCI compliance
rules?  Is there a certification we can get for our application?

If your company does not store, process, or transmit cardholder data, then you do not need to be PCI DSS compliant. The key question is whether your software is what your clients use to store, process, or transmit cardholder data. Two things to consider:

  • If you sell, distribute, or license software that your clients use for payment processing, then you may want to look into PA-DSS validation for that software.
  • If you remotely manage that software in a way that could affect the security of cardholder data (for example, by holding remote access into a client's cardholder data environment), then you may be considered a service provider and thus need to comply with the PCI DSS yourself.

If your software is not used for handling payments and you do not have access to your clients' cardholder data environments, then you may not need to be PCI compliant at all. The question to answer is: are you a service provider, or do you develop payment applications that fall under the PA-DSS?

The PCI SSC has language that defines the PA-DSS as it pertains to software vendors:

The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties.
