Open-Source and PA-DSS
mkleve
01-14-2009, 10:26 PM
I work for a small non-profit that is working toward compliance (as an organization, a Level 4 overall).
Our three "biggie" software solutions have PA-DSS versions on their way (which will live in our PCI DSS-compliant environment).
We also run a small online store. The store is open-source software, written and controlled by a "community" and not distributed by a vendor, and licensed under the GPL.
The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties.
Essentially, the software takes the CC# and expiration and then transmits the data over SSL to the "processor" (e.g. Authorize.net or PayPal), with no need for storage.
Where would an application like this stand in the world of PA-DSS?
It's not really a "homegrown" application... but at the same time it is... (with the GPL, it's mine as much as it is anyone else's, isn't it?)
(BTW, I found my way here through the treasuryinstitute.org blog. It seems to be a wealth of information; I'm glad I made it. Sorry if this is a dumb question, I can't seem to find an answer.)
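The store as described in the post above (take the card number and expiration, send them over SSL to the processor, store nothing) is the narrowest scope a merchant application can have, and the thing an assessor will actually want to see is that the "no storage" claim holds for the database and the logs as well as for the intended flow. The following is an added example, not code from this thread or from any particular store software: a pass-through charge handler in Python that validates the card, forwards it through a gateway call, persists only the last four digits and the processor's reference, and scrubs any PAN that slips into a log line. The gateway callable is a hypothetical stand-in for the HTTPS POST to the processor, and the card number used is a constructed test value.

```python
"""Pass-through card handling that keeps the PAN out of storage and logs.

Added example, not from the original thread. The gateway is a stand-in for
the processor's HTTPS API; the card number below is a constructed test value.
"""
import json
import logging
import re
from dataclasses import dataclass, asdict
from typing import Callable, Dict, Tuple

log = logging.getLogger("checkout")

# A run of 13 to 19 digits, optionally separated by spaces or dashes, looks
# like a PAN. Used only to scrub accidental leakage into log text.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum over the digits of the card number."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: everything but the last four digits replaced by '*'."""
    d = "".join(c for c in pan if c.isdigit())
    return "*" * (len(d) - 4) + d[-4:]


def expiry_ok(exp: str, now: Tuple[int, int]) -> bool:
    """Accept MM/YY that is not earlier than the current (year, month)."""
    m = re.fullmatch(r"(\d{2})/(\d{2})", exp)
    if not m:
        return False
    mm, yy = int(m.group(1)), 2000 + int(m.group(2))
    return 1 <= mm <= 12 and (yy, mm) >= now


def scrub(text: str) -> str:
    """Replace anything PAN-shaped in free text with its masked form."""
    return PAN_RE.sub(lambda m: mask_pan(m.group(0)), text)


class RedactingFilter(logging.Filter):
    """Scrubs the fully formatted message so PANs passed as args are caught too."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()
        return True


log.addFilter(RedactingFilter())


@dataclass
class StoredOrder:
    """The only card-related data the store keeps: last four and processor ref."""
    order_id: str
    amount_cents: int
    last4: str
    processor_ref: str


# Hypothetical processor client: takes the request fields, returns the
# processor's response. In production this is an HTTPS POST to the gateway.
GatewayFn = Callable[[Dict[str, str]], Dict[str, str]]


def fake_gateway(payload: Dict[str, str]) -> Dict[str, str]:
    """Constructed stand-in for Authorize.net/PayPal-style authorization."""
    assert luhn_ok(payload["card_number"])  # the processor sees the real PAN
    return {"transaction_id": "TXN-0001", "result": "approved"}


def charge(order_id: str, amount_cents: int, pan: str, expiry: str,
           gateway: GatewayFn, now: Tuple[int, int] = (2009, 1)) -> StoredOrder:
    """Validate, forward to the processor, and persist only non-sensitive fields."""
    if not luhn_ok(pan):
        raise ValueError("card number failed Luhn check")
    if not expiry_ok(expiry, now):
        raise ValueError("card expired or expiry not in MM/YY form")
    resp = gateway({"amount": str(amount_cents), "card_number": pan, "exp": expiry})
    order = StoredOrder(order_id, amount_cents, mask_pan(pan)[-4:], resp["transaction_id"])
    # Even a careless log call cannot leak the PAN: the filter rewrites it.
    log.info("order %s charged with card %s -> %s", order_id, pan, resp["transaction_id"])
    return order


def record_is_clean(order: StoredOrder) -> bool:
    """Check that the persisted record contains nothing PAN-shaped."""
    return PAN_RE.search(json.dumps(asdict(order))) is None
```

The point of `record_is_clean` and the logging filter is that "we don't store card data" becomes something you can test in the code base rather than a statement about intent; the same filter can be attached to the web framework's request logger so that a POST body echoed into an error log is masked too.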
dbergert
01-15-2009, 05:25 AM
Remember that not all applications need to be PA-DSS compliant, only those that are offered and sold by a software vendor -- but the example you state is between the lines a little on this.
According to the PCI DSS-FAQ Document:
Payment applications that are developed in-house by merchants or service providers and are not sold to a third party are NOT subject to the PA-DSS requirements, however, they must be covered by the merchants’ or service providers’ PCI DSS assessment.
and this from Visa's website:
While the use of PA-DSS validated payment applications is recommended, a payment application need not be included on Visa’s list of PABP validated payment applications or PCI SSC’s list of PA-DSS validated payment applications in order to comply with Phase II, Phase III and Phase V requirements for use of PA-DSS compliant applications. Acquirers may determine the PA-DSS compliancy of a payment application through alternate validation processes, which should confirm that payment applications meet PA-DSS requirements and should facilitate compliance with the PCI DSS
I would probably classify the open-source (GPL Licensed) software similarly to that of a home grown application. Unless there is a commercial version of the project (if it is dual licensed) you will probably not see a community based PA-DSS validation.
So I would suspect that this application does not need to be PA-DSS 'compliant', but it would fall under review of your own PCI DSS assessment.
Which will get really interesting in some areas, especially those of code review and security fixes to the software and the obligations of the GPL license. Effectively, you would in turn be a "developer" and maintainer of this software, and you would need to implement the PCI controls related to software development.
dbergert
01-15-2009, 05:38 AM
Follow up:
This appears to be a project attempting this (PA-DSS):
https://lists.owasp.org/pipermail/owasp-brisbane/2008-September/000017.html
http://www.openfreeway.org/
mkleve
01-15-2009, 06:40 AM
I found Freeway too, which made me scratch my head further.
It's definitely blurring the lines, which is why I asked the question.
There is no commercial version of the web application.
I understand that it will have to live in the PCI environment.
Thanks for your thoughts.
jbhall56
01-15-2009, 10:21 AM
I would argue that even commercial software does not have to be PA-DSS compliant.
I can see the push for certification working for POS solutions, but not every application will make a good candidate for certification. Obviously, it is better to have the PA-DSS certification, but in my interpretation of the PCI DSS, PA-DSS certification of packaged software is NOT a requirement.
I know some card brands are pushing for mandatory certification, but that creates problems for packages such as Websphere Commerce and the like. This is because while IBM takes their Websphere Commerce solution through the PABP and PA-DSS certification processes, there is no such thing as a 'vanilla' implementation of Websphere Commerce. Therefore, the certification is worthless because Websphere must be customized by the customer for their e-Commerce environment which tosses the certification right out of the window. As a result, Websphere Commerce has to be reassessed in each customer's environment to ensure it is PCI DSS compliant. Why IBM bothers to go after the certification is beyond me, because in the end, it saves the customer nothing.