This question is regarding online shopping cart software hat only accepts the cardholder data via a payment form and then encrypts and trasmits that data to the card processor but the shopping cart software does not store the cardholder information.
If the shopping cart software is not PA-DSS compliant certified, can the merchant using the software still be PCI-DSS compliant by explaining how the cardholder data is not stored on the server and is encrypted when transmitted to the processor. (The processor’s website IS PA-DSS compliant in this case.) Or, is it impossible for the merchant to meet PCI-DSS compliance requirements (Level 4 merchant) if the shopping cart software itself is not certified PA-DSS compliant?