PA-DSS does NOT apply to a payment application developed for and sold to only one customer since this application will be covered as part of the customer's normal PCI-DSS compliance review. Please note, that such an application (which may be referred to as a "bespoke" application) is sold to only one customer (usually a large merchant or service provider), and it is designed and developed according to customer-provided specifications. PA-DSS also does NOT apply to payment applications developed by Merchants and Service Providers if used only in-house (not sold to a Third-Party), since this in-house developed payment application would be covered as part of the Merchant or Service Provider's normal PCI-DSS compliance.

However, using the PA-DSS as a guide to development will help to ensure that the application does not hinder the entity's PCI-DSS compliance and therefore can be utilized as a best practice for bespoke and in-house payment applications. The entity may choose to have its application assessed by a PA-QSA to satisfy its internal security requirements, however, this application, if certified to be PA-DSS compliant, would not be listed by the PCI-SSC.