Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I have a payment processing client that runs exclusively on the desktop. The operator enters payment data and clicks a button and my app sends the data off to a payment gateway via a secure channel. My app never stores sensitive payment data, although it does encrypts and saves the merchant’s gateway login info.
Am I in scope? If I am, why are web browsers out of scope when the perform the exact same function in the same way?
Your app handles card numbers and is involved in the authorisation and/or settlement of card transactions. If you are providing it as off the shelf software it is in scope for PA-DSS.
The organisation that installs your app and runs it in their environment is in scope for PCI-DSS.