pci dss - Is PCI SAQ A sufficient for an eCommerce website with a custom payment page?
The question: our payment flow is as follows:
1 - Customer adds items to the basket.
2 - When viewing the basket, the customer can see the products and has the option of entering a delivery address and billing address; no sensitive card details.
3 - Customer proceeds to a new page, hosted on our website. The customer enters sensitive card details here.
4 - Crucially, on pressing "order", the card details are posted directly to our payment processor. They are not sent to our server first.
I'm trying to argue to the merchant bank that we fall under SAQ A - is this the case?
My reasoning:
1) Our dedicated server is managed by a third-party, PCI compliant host.
2) We never store card details.
3) While the customer enters card data on a webpage hosted by ourselves, it is dynamically generated and exists in the customer's browser. On submitting the order, the details are posted directly to our payment processor. These details therefore never touch our server, and are a) not stored on the server HDD or in a database session, and b) not fleetingly held in server RAM.
4) We have passed a number of PCI scans from different authorities to make sure we are compliant, and have SSL, TFA on the server etc etc.
5) As far as I can see, the 2 main attack vectors here are a compromised customer computer (not under our jurisdiction) or someone managing to gain control of our server and changing how the checkout works. Surely this affects any ecommerce site, even one that outsources the pages where card details are entered (a malicious attacker with server access could redirect to a fake set... it's pretty game over).
However, the eligibility criteria for SAQ A are ambiguous (to my mind anyway). It states:
- Merchant does not store, process or transmit any cardholder data on merchant systems or premises, but relies entirely on third party service provider(s) to handle these functions *
For me, 'merchant systems' could include the wider meta-system of the checkout as a whole. In that case, our checkout does transmit card details, albeit in what I believe is a secure fashion. However, if 'merchant systems' means, for example, hardware, we do not have POS systems or servers that transmit details.
I've not been able to get a straight answer out of the compliance liaison. They suggest I fill out D, as it's not applicable for me to fill out SAQ C, which covers 'payment applications' such as physical terminals connected to the internet.
I think the crucial pivot of our argument is that, though we host the payment pages, card data never reaches our server.
Any help gratefully appreciated. I'd offer a bounty but it won't let me atm :(
Thanks in advance!
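The "direct post" hand-off described in step 4 and reasoning point 3, as an added example that is not code from the original question or answer: the checkout form is split so card fields go only to the processor's tokenization endpoint, and a guard refuses any merchant-bound request that still carries a card field name or a Luhn-valid card number (for instance a PAN typed into an address box). The URLs and field names are assumptions.

```javascript
// Added example, not from the original post. URLs are placeholders.
const PROCESSOR_TOKENIZE_URL = "https://processor.example/tokenize"; // placeholder
const MERCHANT_ORDER_URL = "/checkout/order";                         // placeholder

// Field names assumed for this example; all are cardholder data that must
// never be POSTed to the merchant's own server.
const CARD_FIELDS = ["pan", "expiry", "cvv", "cardholderName"];

// Luhn check over the digits of a string: true for a plausible 13-19 digit PAN.
function luhnValid(s) {
  const digits = String(s).replace(/\D/g, "");
  if (digits.length < 13 || digits.length > 19) return false;
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Split submitted form fields into the processor-bound and merchant-bound parts.
function splitCheckoutForm(form) {
  const toProcessor = {}, toMerchant = {};
  for (const [k, v] of Object.entries(form)) {
    (CARD_FIELDS.includes(k) ? toProcessor : toMerchant)[k] = v;
  }
  return { toProcessor, toMerchant };
}

// Guard run before anything is sent to the merchant: a card field name or a
// Luhn-valid value anywhere in the payload means cardholder data would leak.
function containsCardData(payload) {
  return Object.entries(payload).some(([k, v]) =>
    CARD_FIELDS.includes(k) || luhnValid(v));
}

// Browser flow: tokenize with the processor, then send token + order data to
// the merchant. fetchImpl is injectable so the logic can be exercised offline.
async function submitOrder(form, fetchImpl = globalThis.fetch) {
  const { toProcessor, toMerchant } = splitCheckoutForm(form);
  const tokRes = await fetchImpl(PROCESSOR_TOKENIZE_URL,
    { method: "POST", body: JSON.stringify(toProcessor) });
  const { token } = await tokRes.json();
  const orderBody = { ...toMerchant, paymentToken: token };
  if (containsCardData(orderBody)) throw new Error("cardholder data in merchant-bound request");
  return fetchImpl(MERCHANT_ORDER_URL, { method: "POST", body: JSON.stringify(orderBody) });
}
```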
I think you're right, and you should be able to use SAQ A. However, how is "3 - customer proceeds to a new page, hosted on our website. customer enters sensitive card details here." implemented? Full redirect, iframe or something else? The hand-off affects things. Remember, it's between you and the bank; if they want SAQ D, you may have to do SAQ D.
Cheers, Nate