Does PA-DSS Apply to my In-House Application?
PA-DSS does NOT apply to a payment application developed for and sold to only one customer, since that application will be covered as part of the customer's normal PCI-DSS compliance review. Note that such an application (often referred to as a "bespoke" application) is sold to only one customer (usually a large merchant or service provider) and is designed and developed according to customer-provided specifications. PA-DSS also does NOT apply to payment applications developed by merchants and service providers if they are used only in-house (not sold to a third party), since an in-house developed payment application would be covered as part of the merchant's or service provider's normal PCI-DSS compliance.
However, using PA-DSS as a guide during development helps ensure that the application does not hinder the entity's PCI-DSS compliance, so it can be used as a best practice for bespoke and in-house payment applications. The entity may choose to have its application assessed by a PA-QSA to satisfy internal security requirements; however, even if the application is certified to be PA-DSS compliant, it would not be listed by the PCI-SSC.