Does PA-DSS apply to my in-house application?
PA-DSS does NOT apply to a payment application developed for and sold to only one customer since this application will be covered as part of the customer's normal PCI DSS compliance review. Note that such an application (which may be referred to as a "bespoke" application) is sold to only one customer (usually a large merchant or service provider), and it is designed and developed according to customer-provided specifications. PA-DSS also does NOT apply to payment applications developed by merchants and service providers if used only in-house (not sold to a third party), since this in-house developed payment application would be covered as part of the merchant's or service provider's normal PCI DSS compliance.
However, using the PA-DSS as a guide to development will help to ensure that the application does not hinder the entity's PCI DSS compliance, and therefore PA-DSS can be utilized as a best practice for bespoke and in-house payment applications. The entity may choose to have its application assessed by a PA-QSA to satisfy its internal security requirements; however, such an application, even if certified to be PA-DSS compliant, would not be listed by the PCI SSC.