Open damz opened 10 years ago
Hi @damz. Tagging this for consideration of 1.3 (I'm currently focusing on getting 1.2 out the door and will address after that).
Has there been any progress on this topic in the world since the issue was filed?
If it's a murky situation I'm ok with the document saying that, FWIW. If someone can propose text, especially with a reference footnote, it would be likely to get merged.
The current version of the document tiptoes around PCI PA-DSS by saying:
As I explained before, there is nothing that I know of in the PCI PA-DSS standard that would exclude Open Source Software from the scope of the standard.
The "Payment application" (i.e. what generates the payment form, receives and processes the credit card information) is only excluded from the standard if it is "developed for and sold to a single customer for the sole use of that customer" or "developed by merchants and service providers if used only in-house".
While it probably doesn't matter that much given the payment networks' unwillingness to enforce the standard, it would be good to clarify that things have the potential to get very messy here.
Or maybe you have more information than I do; in that case it would be good to add more sources here.