Final answer:
PA-DSS applies to third-party payment applications that handle authorization and settlement of payment card data. A third-party application designed for one company must be compliant if it processes cardholder data. However, if it does not handle this data at all, it might not be subject to PA-DSS, but businesses should still confirm with security assessors.
Step-by-step explanation:
The Payment Application Data Security Standard (PA-DSS) is a set of requirements intended to ensure that third-party payment applications store, process, and transmit payment card data in a secure environment to reduce the risk of cardholder data breaches. Whether PA-DSS applies to a third-party payment application designed specifically for one company depends on how payment card data is handled within that application.
If the application is involved in authorization or settlement processing, where payment card data is captured, processed, or transmitted, then PA-DSS would typically apply. Companies using such applications are often required to use only applications that are PA-DSS compliant in order to meet the broader Payment Card Industry Data Security Standard (PCI DSS) requirements.
However, if the third-party application has been designed for use by only one company and does not itself store, process, or transmit any cardholder data, then it might not be subject to PA-DSS requirements, provided no other aspects of the standard apply. In any case, a business should always consult its payment processor or a PCI Qualified Security Assessor (QSA) to make an accurate determination of applicability.