PA-DSS Applicability
shakthid
06-30-2009, 10:39 PM
We are developing and maintaining Payment application. In case we do not store the card info but only store the reference number for the transactions, do we still need to be PA-DSS or PCI-DSS compliant?
Thanks in advance..;)
ADail
07-01-2009, 06:44 AM
What exactly does your payment application do (is it part of authorization or settlement or both)?
It does not store the data, but does it process or transmit the card information?
Will your application be for internal use or will it be marketed to 3rd parties?
jbhall56
07-05-2009, 08:17 AM
Assuming that you are going to resell the application, while your application does not store cardholder data, on some level it processes and transmits it, so the PA-DSS is relevant.
bcecka
12-14-2009, 11:27 AM
I have a similar question regarding the scope of responsibility for PA-DSS. We provide a POS-type application for our customers, but we do not directly touch any PAN data. We interface with 3rd party applications (installed locally) and pass information to them about the transaction (ref#, amount, etc). The 3rd party app is what actually reads the card, transmits, and stores the data for future use.
So, does our app need to go through the PA-DSS certification in some capacity?
lyalc
12-14-2009, 09:56 PM
I have a similar question regarding the scope of responsibility for PA-DSS. We provide a POS-type application for our customers, but we do not directly touch any PAN data. We interface with 3rd party applications (installed locally) and pass information to them about the transaction (ref#, amount, etc). The 3rd party app is what actually reads the card, transmits, and stores the data for future use.
So, does our app need to go through the PA-DSS certification in some capacity?
PA-DSS applies to payment applications which provide authorisation or settlement functions and which are sold or licenced. By necessity, authorisation or settlement applications will either process, transmit or store card data/PAN.
As it appears your product does not process, transmit or store card data/PAN, PA-DSS would not apply.
Your customers may, however, find your application in the scope of their PCI DSS environment to some degree, since it probably operates on a POS workstation that does process, transmit or store card data.
lyalc
bcecka
12-15-2009, 08:47 AM
Your customers may, however, find your application in the scope of their PCI DSS environment to some degree, since it probably operates on a POS workstation that does process, transmit or store card data.
Your assessment is how I was interpreting the documentation as well, but you hit the nail on the head with the concern about our customers' perspective. It shouldn't have a bearing on whether or not we're required to become PA-DSS compliant, right?
lyalc
12-15-2009, 12:20 PM
Your assessment is how I was interpreting the documentation as well, but you hit the nail on the head with the concern about our customers' perspective. It shouldn't have a bearing on whether or not we're required to become PA-DSS compliant, right?
Indeed, PA-DSS does not apply to this product - and if it isn't handling card data, assessment would be fairly hard to document!
I was just pointing out that all applications, infrastructure and components in a site's PCI card data environment are subject to PCI DSS.
You may find some customers asking about patches, features such as authentication, logging etc. as they go through their PCI DSS compliance validation activities.
lyalc