E-commerce merchants who have close relationships with their acquiring banks, credit card brands and Qualified Security Assessor (QSA) can considerably reduce their level of effort when it comes to selecting the right Payment Card Industry (PCI DSS) compliance reporting method. Because less work is always better, e-commerce merchants who handle card-not-present payments and outsource the authorization of purchases to a PCI DSS certified Payment Service Provider (PSP), may be eligible to only complete a QSA validated Self-Assessment Questionnaire or SAQ-A. The SAQ-A is a mere twenty-two PCI DSS requirements versus the full-blown 250! Now who wouldn’t want that?
As a QSA, I urge merchants to regularly contact their acquiring banks and card brands not only so the lines of communication are open, but to inquire about outsourcing payment processing altogether. It significantly reduces merchant risk. All it takes is an email from either their card brand or acquiring bank (both is better) stating they approve the smaller and limited SAQ-A approach. Keep in mind both the acquirer and brands will rely on the recommendation of the QSA who is familiar with the merchant environment to advocate for the SAQ-A validated report.
“But Dennis, how much influence does a Compliance Officer have over the merchant business to recommend such a change”?
Probably not much. However, a PCI Officer could make it a point during next year’s assessment to outline the benefits of making such a payment outsourcing move to executive management. Merchants considering such a move to outsource to a certified payment service provider could lubricate the wheels of innovation and desire to improve security for next year. Visa Inc. has a really good suggestions for merchant payments.
Merchants should first understand how they are capturing credit card data into their website.
What technology method is used to create the payment page? E-commerce merchants should understand where their website ends, and the PSP payment page begins. This is especially true for the PCI DSS project manager who’s keen on making next year’s assessment less painful and cost effective. Many merchants I see in today’s market who are on the path toward outsourcing already know the pain of processing payments themselves.
What merchants should know about payment page technology.
E-commerce merchants should know there are five main methods commonly used in today’s market to create a payment page that will capture credit card numbers and card validation codes.
- The URL Redirect - This method has the customer’s browser pull a payment page URL from the PSP instead of the merchant. That way, no credit card data ever goes back to the merchant to worry about. Yay!
- The iFrame - This method also pulls the merchant webpage containing a parent payment page which includes an instruction to pull a child page from the PSP. Think bounded sandbox embedded in the merchant webpage. Also yay!
- The Direct Post - Here, the merchant webpage creates the form where you enter your credit card number but when you hit “submit” to purchase an item, it goes directly to the PSP. Still good.
- The API - The merchant creates the payment form and sends it to the customer. They enter their credit card number and when they hit “submit”, it goes BACK to the Merchant. Meh! Not so hot.
These methods have been listed from best to worst (1 being the best) from a risk acceptance point of view. APIs are last because it’s the only method that sends cardholder data back into the hands of the merchant to transmit and process (insert sad emoji). The only benefit is the highly customized aspect of APIs are the “look and feel” of the website is seamless. If merchants do select to build their own payment API, there are some strategic concerns that should come with a security strategy. Therefore, during a validated PCI Self-Assessment, this could disqualify a merchant from being eligible for only having to fill out the SAQ-A which would be unfortunate.
Instead, a merchant’s acquiring bank or brand could insist the merchant complete the longer SAQ A-EP or SAQ-D.
This requires much more work for the merchant. To look like a rock-star on the internet, merchants can save time, money and effort by reducing their PCI DSS compliance scope to a manageable 22 requirements vs. 250. Think of the infrastructure savings alone. No more payment gateway and supporting infrastructure costs. Once merchants see the SAQ-A light and understand the benefits, the sooner we can keep improving e-commerce security, one outsource at a time.
SecureTrust, a Trustwave division, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.
CLICK HERE to contact us for all Enterprise Compliance, Merchant Risk Management and Compliance Technology needs.
Dennis Steenbergen is a Qualified Security Assessor (QSA) working for SecureTrust's EMEA Global Compliance and Risk Services as a Security Consultant. He holds a Master of Arts in Information Management from Webster University and Bachelor of Arts degree in Economics from Colorado State University.