Am I compliant? PCI-DSS and PA-DSS

Questions and concerns over PCI compliance continue to increase.  Have you noticed the same?

If your organization processes, stores, or transmits cardholder data, your organization is subject to PCI DSS, regardless of its size or transaction volume.

If you are a software vendor and your application processes, stores, or transmits cardholder data as part of authorization or settlement, that software is considered a Payment Application and is subject to PA-DSS.

I’ve talked about PCI-DSS in past posts.  This time I want to take a closer look at PA-DSS.

The term "Payment Application" is very broad.  Read literally, any application that touches cardholder data could be considered a payment application, and that covers millions of software applications.  The good news is that the PCI council does not require PA-DSS validation for all of them: PA-DSS applies to payment applications that are sold, distributed, or licensed to third parties, while software a merchant builds in-house for its own use is covered by that merchant's own PCI DSS assessment instead.  The council does, however, point to best practices (PABP, the Payment Application Best Practices program that PA-DSS grew out of) that it recommends for every PA.  When you look at the council's list of validated Payment Applications you'll see that the list is more specific, with applications categorized under specific application types.

My question back to the PCI council is why multi-channel (call, email, chat, fax) recording applications are not listed as a specific payment application type.  Anyone care to comment?

Peter "Am I considered a Payment Application?" Nees