Can't seem to find this info, but I need to find out what "cardholder data" is.
Say I have a shopping cart that uses WPS for processing the payment on PayPal's site or another "secure hosted payment form like Auth.net", but the shopping cart software stores the user's name and shipping info (which is also used to calculate shipping) minus any CC PAN/CVV/Exp, etc. Does the cart fall into the scope of PA-DSS (not PCI)?
Say I have a shopping cart that uses WPS for processing the payment on PayPal's site or another "secure hosted payment form like Auth.net", but the shopping cart software only stores the County/Province/Postal-Zip codes for shipping calculation, and I retrieve the customer billing/shipping info from the third-party processor's site by logging in to that site once they are charged on the processor's site. Does the cart in this situation fall into the scope of PA-DSS (not PCI)?
If your site does not process, store or transmit the PAN, then any data you store would not be considered cardholder data. If your site does process, store or transmit the PAN, then most anything related to the card number or cardholder is considered cardholder data.
I strongly recommend using a PCI certified gateway that hosts the payment pages and/or tokenization. If your site qualifies for PCI SAQ-A (which from your description it most likely does), then the data you mention is not considered cardholder data.
In the example you give, you are effectively outsourcing the PA / PCI compliance burden to a 3rd party processor. This should make you fall under SAQ A as stated above.
If any card info (PAN, CVV) is entered directly into a form on your site, then your application will need to be PA-DSS compliant and your environment will fall under SAQ D, which is ugly if you aren't geared up for it.
BTW, various PCI certified providers have APIs that can virtually hide the offloading of cardholder data so the average customer does not know they left your site. In other words, it does not have to be obvious that you left one site to make a payment on another site -- as is the case with most PayPal integrations.
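The answers above hinge on one fact: the cart never processes, stores or transmits the PAN. The added example below (not code from either answerer, and not from any PayPal or Authorize.net SDK) shows two defensive checks that back up that claim: an input-boundary filter that keeps only the shipping fields the cart is allowed to persist and refuses anything that looks like a card number, and a Luhn-based scanner run over stored order records to confirm nothing PAN-like has leaked into free-text fields such as order notes. The field names, the `accept_order` / `scan_records` helpers and the sample orders are all constructed for illustration; the card number in the sample is the well-known `4111 1111 1111 1111` test value, not a real account.

```python
import re

# Fields the cart is permitted to store. Card data (PAN, CVV, expiry) is
# deliberately absent: it belongs on the processor's hosted page only.
# (Assumed field names for this example.)
ALLOWED_ORDER_FIELDS = {"name", "address", "postal_code", "country", "notes"}

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_candidates(text: str) -> list:
    """Return normalised digit strings in `text` that look like a PAN and pass Luhn."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def accept_order(form: dict) -> dict:
    """Keep only whitelisted shipping fields; refuse any value carrying a PAN-like number.

    Raises ValueError rather than silently persisting card data, so a misbehaving
    front end cannot pull the cart into PA-DSS / SAQ D scope by accident.
    """
    clean = {}
    for field, value in form.items():
        if field not in ALLOWED_ORDER_FIELDS:
            continue                      # drop card fields and anything unexpected
        if isinstance(value, str) and find_pan_candidates(value):
            raise ValueError(f"PAN-like value refused in field '{field}'")
        clean[field] = value
    return clean


def scan_records(records: list) -> list:
    """Return (record id, field) pairs where a stored string contains a PAN candidate."""
    hits = []
    for rec in records:
        for field, value in rec.items():
            if field == "id" or not isinstance(value, str):
                continue
            if find_pan_candidates(value):
                hits.append((rec["id"], field))
    return hits


# Constructed sample data: stored orders as the cart might hold them.
SAMPLE_ORDERS = [
    {"id": "ord-1001", "name": "Jane Doe", "address": "1 Main St",
     "postal_code": "90210", "notes": "Leave at the door"},
    {"id": "ord-1002", "name": "John Roe", "address": "2 High St",
     "postal_code": "SW1A 1AA",
     # a support agent pasted a card number into free text: this is the leak to catch
     "notes": "Customer phoned, card 4111 1111 1111 1111 exp 12/29"},
    {"id": "ord-1003", "name": "Ann Poe", "address": "3 Low Rd",
     "postal_code": "10001",
     # 14-digit carrier reference that fails Luhn: must not be flagged
     "notes": "Carrier ref 12345678901234"},
]


if __name__ == "__main__":
    for rec_id, field in scan_records(SAMPLE_ORDERS):
        print(f"PAN candidate found in {rec_id}.{field}")
```

Run the scanner periodically over the cart's own tables and log exports; a hit means the "no cardholder data stored" assumption behind SAQ A no longer holds and the record needs to be purged. The input filter is the cheaper control: whitelisting stored fields means a later template change that adds a card field cannot quietly start persisting it.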
This record is for identifying the customer only; there is no fraudulent intention. Suppose in the future they have to return the customer's money: they should know from where they got this payment. It helps in arranging a refund to the right account.