I have a payment processing client that runs exclusively on the desktop. The operator enters payment data and clicks a button and my app sends the data off to a payment gateway via a secure channel. My app never stores sensitive payment data, although it does encrypt and save the merchant's gateway login info.

Am I in scope? If I am, why are web browsers out of scope when they perform the exact same function in the same way?


Solution

Your app handles card numbers and is involved in the authorisation and/or settlement of card transactions. If you are providing it as off the shelf software it is in scope for PA-DSS.

The organisation that installs your app and runs it in their environment is in scope for PCI-DSS.

Other tips

If the operator keys in a credit card number then yes; your software both accepts & transmits cardholder data, so it, the machine running it & any network(s) it's attached to are all in scope of PCI and so must be compliant.

Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply

Browsers are not in scope only when the person using one to enter card details is the owner of the card & not a 3rd party merchant. PCI only applies to merchants & other processing entities, not the customers of the issuing card schemes.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow