
PA-DSS Necessary?


ReCaptcha
02-06-2009, 10:03 AM
Hi,

I'm working for a company that has developed an in-house application that accepts credit card information and is PCI-DSS compliant; however, the company is now selling this software to third parties as a hosted solution (i.e. the application resides on my company's network / servers, and third parties only access it via the web).

I do not believe we will need to be PA-DSS compliant, since this is a hosted software solution, however I could not find any specific language that precludes us from PA-DSS compliance. Thanks!

lyalc
02-06-2009, 12:33 PM
In the situation where the software is under your control and it is being provided as a service, then PA-DSS wouldn't apply.

However, if your service is that you support the software (or an instance of it) at the customer's direction, then you probably would need PA-DSS, as the customer is controlling how the software is configured and used.

You may also need to meet the PCI DSS shared hosting provider requirements.

Tricky nuances here.

lyalc

jbhall56
02-09-2009, 05:59 AM
Even if your software is used only internally, I would recommend as a 'best practice' that you follow the PA-DSS just to ensure that your software is compliant even though you do not resell it.

The PA-DSS is a good set of secure programming practices that all development groups should follow to ensure that all personally identifiable information (PII), such as driver's license and social security numbers, not just CHD, is properly protected.

ReCaptcha
02-10-2009, 09:32 AM
I appreciate your answers and I will definitely look into the PA-DSS standards as well from a best practices standpoint.

ReCaptcha
03-03-2009, 02:05 PM
I have a follow-up question on this:

"If your service is that you support the software (or an instance of it) at the customer's direction, then you probably would need PA-DSS, as the customer is controlling how the software is configured and used."

So, in my situation we do provide a website instance, and the customer does direct us to do things such as charge $1 to determine if the card is valid and directs the aesthetics and content of the webpage; however, they do not direct the mechanics behind it (like what DB we are using, OS, how we store info, etc.). Would this make us PA-DSS? (Let me know if you need more info.)

jbhall56
03-04-2009, 04:58 AM
I'm a little confused now.

If you are selling your software, even as a service offered by your hosting company, and you are managing and supporting it on the customer's behalf, then I would say it should be PA-DSS certified, because now it is no different from any other Web-based application purchased and used by a merchant. If it's not certified, you will have every merchant running in this configuration asking for your PCI ROC or to assess your development controls and everything else related to the application. So it's just easier to get the PA-DSS certification.

However, if it is just a service offered and is managed by the customer, then I would say it doesn't require PA-DSS certification.

ReCaptcha
03-04-2009, 10:22 AM
Thank you for the reply, that helped clear up my question.

I have another question (theoretical):

If a company collects credit card information from customers and performs the following activities, are they legally required to become PCI-DSS compliant?

1) Place a hold on the account to ascertain whether sufficient funds are available, which expires after X number of days, using a company like VeriSign (no financial transaction occurs). Eventually, the credit card information is passed on to a third party who performs a financial transaction and collects actual money.

and

2) The company is authorized by a third party to log into their merchant account and perform a financial transaction using the credit card information collected from the customer on their behalf. Note, the transaction is performed under the third party's merchant account, so the company never receives any money and no financial transaction occurs under the company's name (only the third party's).

My thoughts are that since the company does not directly receive any money in either of these two situations, the company is not legally required to be PCI-DSS compliant. I realize that it would make good business sense, and that the third parties are probably legally required to have the company be PCI-DSS compliant.

Thanks again!

stewart05
03-04-2009, 10:35 AM
PCI doesn't care if your company receives any money from the transactions or not. If you "store, process or transmit" ANY cardholder data, then you HAVE to be PCI compliant.

Because you are not the merchant, I "think" you would be considered some type of service provider. But it sounds like you store and transmit CHD, and that brings you in scope.

stewart05
03-04-2009, 10:40 AM
After re-reading your post, I can see your train of thought: since you probably don't have any type of contractual relationship with any card brand or acquirer, then no one can say you have to be compliant because of some contract your company signed.

But I would guess that your customers will, at some point, draw up a contract requiring your company to be compliant, because they would be the ones left holding the bag if a breach occurred and your company was the source of it.

ReCaptcha
03-04-2009, 02:42 PM
Exactly! It is really only the third parties that carry the legal burden, and therefore it is in their interest to require all of their service providers to become PCI-DSS compliant. Thanks!