API and HW drivers


egrenier
07-27-2009, 12:08 PM
2 Questions:

1- If a service provider supplies an API to their clients so that their clients can interface an internal application with the service provider's payment solution, would you consider that this API requires a PA-DSS certification?

2- Hardware drivers (over a serial connection) used to control a PED device with commands such as "Display" or "wait for swipe", etc. Should they fall under the PA-DSS or PED-DSS?

thanks,

jbhall56
07-27-2009, 05:39 PM
1- If a service provider supplies an API to their clients so that their clients can interface an internal application with the service provider's payment solution, would you consider that this API requires a PA-DSS certification?

If it processes, stores or transmits cardholder data (CHD), then it is in scope and should be PA-DSS compliant if it is resold.

If the API is not resold, it is not covered by the PA-DSS. However, if the service provider offers the API through a licensing arrangement, I would say that the PA-DSS does apply. That said, even if it is not covered by the PA-DSS, it would behoove the service provider to certify it just to keep the questions and independent PCI assessments down.

2- Hardware drivers (over a serial connection) used to control a PED device with commands such as "Display" or "wait for swipe", etc. Should they fall under the PA-DSS or PED-DSS?

As long as the drivers do not handle CHD or come in contact with CHD in any way, shape or form, you should be okay on both the PA-DSS and PED. However, if they are coded in such a way that they could be a compromise point for the CHD in the PED, then they would be in scope. As a result, you need to make sure you have some form of proof that they cannot be used as an attack point.