Description
The current version of the document tip-toes around PCI PA-DSS by saying:
Note: This paper specifically excludes PA-DSS because Drupal is Open Source Software and (whether right or wrong) falls outside the PA-DSS standard.
As I explained before, there is nothing that I know of in the PCI PA-DSS standard that would exclude Open Source Software from the scope of the standard.
The "Payment application" (i.e. what generates the payment form, receives and processes the credit card information) is only excluded from the standard if it is "developed for and sold to a single customer for the sole use of that customer" or "developed by merchants and service providers if used only in-house".
While it probably doesn't matter that much given the payment networks' unwillingness to enforce the standard, it would be good to clarify that things have the potential to get very messy here.
Or maybe you have more information than I do; in that case it would be good to add more sources here.