If the payment application is not storing any credit card information, does it need to be PA-DSS? The application takes the credit card information using DTMF and passes it through via secure XML for payment processing.

Thanks RB


2 Answers


Storage of card data is not the deciding factor for PA-DSS scope. If the application handles card data, even if it does not store it, it could be in scope.

See p. 16 of the PA-DSS Program Guide for the "To Which Applications Does PA-DSS Apply?" section: https://www.pcisecuritystandards.org/documents/PA-DSS_Program_Guide_v3_1.pdf

Included in that section is a list of types of applications to which it does not apply.

  • If card data is handled, one of the major factors is whether the software is COTS: are you distributing non-customized software to many customers? If so, PA-DSS likely applies.
  • If you are creating custom software for a single customer, PA-DSS likely does not apply.
  • If you will be hosting the software as a service yourself and not distributing any components, PA-DSS likely does not apply. However, you may be in scope as a service provider and need to undergo PCI DSS validation.

If in doubt, it is best to speak with a PA-QSA; that is the type of assessor that performs PA-DSS validations. They can work with you on whether your application is eligible.

I've said "likely" in many places above because depending on your application's place in the payment chain, certain tokenization models, other "scope reduction" solutions, etc., it can change the situation. For example, I am aware of some DTMF-oriented payment applications where the solution provider was in scope for PCI DSS themselves, but did not need PA-DSS validation on their software due to the hosting model.


Note that if you are passing the credit card data to a different service provider, you are required to monitor its compliance status.
