Companies frequently ask us what constitutes a payment application as it relates to PCI Compliance. The term "payment application" has a very broad meaning in PCI, so hopefully this brief article will help clarify the subject and better define the term.
We define a payment application as anything that stores, processes, or transmits card data electronically. In most cases, this does not include the hardware running the application unless the hardware and software are intertwined, as in a credit card swipe terminal. This means that anything from a Point of Sale system (e.g., Verifone swipe terminals, ALOHA terminals, etc.) in a restaurant to a website e-commerce shopping cart (e.g., CreLoaded, osCommerce, etc.) is classified as a payment application. Therefore, any piece of software that has been designed to touch credit card data is considered a payment application.
So, ask yourself – when you were sold the vehicle to process credit cards, did it arrive as a piece of hardware or was it downloadable software or a CD? If it arrived as hardware, then the hardware you received is most likely your payment application. If the latter is the case, then the software/CD would typically be the payment application.