Best answer: I don't know much about PA-DSS, but have been heavily involved on the merchant side for PCI. I am not your QSA. PCI and PA-DSS apply to systems and software that 'store, transmit or process' PANs (credit card numbers).

Obviously, the PA-DSS standard is written with commercial products in mind.

The standard says:

The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties.

So I suppose that, even if you don't sell Satchmo, you do distribute or license it?

Further down, it says:

PA-DSS does apply to payment applications that are typically sold and installed “off the shelf” without much customization by software vendors.

Does this exclude you?

From scanning the standard, it looks like, unlike PCI-DSS, there's no option to simply self-assess (and not use a third-party QSA) for the PA-DSS. So if the standard applies to you, you have to go outside for certification.

A couple thoughts and questions:

- Where did this come up? Who is saying you must be compliant?
- The PA-DSS form requires the signature of an executive. Does Satchmo even have someone in that role?
- From that, I think you should contact PCI and possibly a couple QSAs to get their take on it. What have other open source store frameworks done? In my experience from the merchant point of view, there can often be questions of scoping. Make sure you're careful about what is and is not 'in scope'.

Sorry this isn't more of an answer. Feel free to contact me if you have further questions, sadly my understanding on the PA side is limited.
posted by These Premises Are Alarmed at 7:47 PM on December 2, 2009