Outsourcing the payment page doesn’t eliminate your PCI DSS responsibility.
When you outsource to a third party service provider, the point of redirection needs to be protected.
You also have the responsibility to choose a partner that is compliant with PCI DSS.
Each e-commerce implementation type brings its own potential impact on the merchant, recommendations for secure implementation, advantages and disadvantages, potential applicability of a PCI DSS SAQ, scoping considerations, and additional features a merchant may want to consider. Some common e-commerce implementations include:
- Commercial shopping cart/payment application implementation fully managed by the merchant
- Shared-management e-commerce implementations:
  - URL redirection to a third-party hosted payment page
  - An Inline Frame (or “iFrame”) that allows a payment form hosted by a third party to be embedded within the merchant’s web page(s)
  - Embedded content within the merchant’s page(s) using non-iFrame tags:
    - Direct Post Method (Form)
    - JavaScript Form
  - Merchant gateway with third-party embedded application programming interfaces (APIs)
- Wholly outsourced e-commerce implementations
These examples represent some of the most common implementations and are not all-inclusive of every deployment option that may exist.
1 URL Redirects
Since the redirect e-commerce method is usually easier for merchants to secure and results in fewer applicable PCI DSS requirements and lower risk of merchant systems being compromised, this method may be the best option for merchants with limited security or technical ability. However, this option may not suit many merchants wishing to provide advanced features or a more customizable customer payment experience. Merchants should consider the benefits and costs of customization versus the increased need for security controls and resulting increase in the security responsibility and number of applicable PCI DSS requirements.
2 The iFrame
The iFrame e-commerce method is usually easier for merchants to secure, and results in fewer applicable PCI DSS requirements and lower risk of merchant systems being compromised (although not as low as the redirect method). However, this method also offers a better customer payment experience, as the customer remains on the merchant website throughout. The inline payment form can provide a better “look and feel” than the redirect payment method as the payment page can be customized to match the website design.
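Two controls a merchant page should apply when it embeds a provider's payment iFrame are a Content-Security-Policy that limits which origins may be framed and an origin check on any message the frame sends back. The following is an added example, not code from the original page or from any provider; the provider origin, the `payment-token` message shape and the `tok_` token format are assumptions.

```javascript
// Added example (not from the original page): two checks a merchant page
// should apply when embedding a third-party hosted payment iFrame.
// Assumptions: the provider's form lives at a single fixed origin
// (placeholder below) and reports the resulting token to the parent page
// via window.postMessage with a {type: "payment-token", token} body.
const PROVIDER_ORIGIN = "https://pay.example-provider.test";

// 1. Content-Security-Policy for the merchant's checkout page: only the
//    provider may be framed (frame-src), and the checkout page itself may
//    not be framed by anyone (frame-ancestors), which blocks overlay attacks.
function buildCheckoutCsp(providerOrigin = PROVIDER_ORIGIN) {
  const origin = new URL(providerOrigin).origin; // normalises, rejects junk
  return [
    "default-src 'self'",
    `frame-src ${origin}`,
    "frame-ancestors 'none'",
    "script-src 'self'",
  ].join("; ");
}

// 2. Validate an incoming postMessage before trusting its contents.
//    Returns the token, or null when the message must be ignored.
//    `event` has the shape of a browser MessageEvent: {origin, data}.
function acceptPaymentMessage(event, providerOrigin = PROVIDER_ORIGIN) {
  // Origin check first: anything not from the provider frame is ignored,
  // including messages from other iframes or browser extensions.
  if (event.origin !== providerOrigin) return null;
  const data = event.data;
  if (!data || typeof data !== "object") return null;
  if (data.type !== "payment-token") return null;
  // Accept only an opaque token (assumed "tok_" prefix); a card number
  // must never land in the merchant page, even if a frame sends one.
  if (typeof data.token !== "string" || !/^tok_[A-Za-z0-9]+$/.test(data.token)) {
    return null;
  }
  return data.token;
}

// Browser wiring (not executed here): the listener on the merchant page is
//   window.addEventListener("message", (e) => {
//     const token = acceptPaymentMessage(e);
//     if (token) document.getElementById("payment_token").value = token;
//   });
```

The `frame-src` directive is what keeps the "customer remains on the merchant website" property honest: a script injected into the merchant page cannot swap the provider's frame for one on another origin without the browser refusing to load it.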
3 The Direct Post Method
This architecture may be suitable for e-commerce implementations where the merchant prefers more control over the website look and feel and is comfortable with the additional responsibility for securing its website. The organization’s appetite for payment-card data risk and PCI DSS scope may require avoiding a fully merchant-managed solution.
4 JavaScript Form
All recommendations for the Direct Post Method also apply to the JavaScript Form payment method. The decision to choose one method over the other may be an architectural decision overall. With Direct Post, the merchant will lose control over the session momentarily, whereas with JavaScript, the merchant can maintain some level of control over the session by watching for a timeout and seamlessly delivering an error message to the customer.
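The session-control point above is the practical difference between the two methods: with a JavaScript form the merchant's script makes the provider call itself, so it can bound the wait and show its own error. The following is an added example, not code from the original page or from any provider, showing the browser-side flow with a timeout and a check that the merchant's own server only ever receives the token. The provider endpoint, the `{token}` response shape and the field names are assumptions; the provider call is injected as `postFn` so the logic runs offline.

```javascript
// Added example (not from the original page): the JavaScript Form pattern.
// The browser sends card data straight to the provider's tokenisation
// endpoint; the merchant's server only ever receives the returned token.
// Assumptions: the provider endpoint, its JSON response {token: "tok_..."}
// and the field names are placeholders. `postFn` is injected so the flow
// can be exercised without a network.
const CARD_FIELDS = new Set(["card_number", "card_expiry", "card_cvc"]);

// Race the provider call against a timer. Resolves to a result object and
// never rejects, so the page always gets something it can act on.
function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((resolve) => {
    timer = setTimeout(() => resolve({ ok: false, error: "timeout" }), ms);
  });
  return Promise.race([
    promise.then(
      (value) => ({ ok: true, value }),
      (err) => ({ ok: false, error: String((err && err.message) || err) })
    ),
    timeout,
  ]).finally(() => clearTimeout(timer));
}

// Send only the card fields to the provider; return {ok, token} or
// {ok: false, error}. The merchant keeps control of the session here:
// on timeout it can render its own message instead of a blank page.
async function tokenizeCard(form, postFn, timeoutMs = 8000) {
  const cardData = {};
  for (const k of CARD_FIELDS) cardData[k] = form[k];
  const res = await withTimeout(postFn(cardData), timeoutMs);
  if (!res.ok) return res;
  if (!res.value || typeof res.value.token !== "string") {
    return { ok: false, error: "malformed provider response" };
  }
  return { ok: true, token: res.value.token };
}

// What the merchant's own server is allowed to receive: every field except
// the card fields, plus the token. A mis-wired form that forwarded card
// data would pull the merchant server into PCI DSS scope.
function merchantPayload(form, token) {
  const out = {};
  for (const [k, v] of Object.entries(form)) {
    if (!CARD_FIELDS.has(k)) out[k] = v;
  }
  out.payment_token = token;
  return out;
}

// Page-side use (the provider call is the only real network request):
//   const result = await tokenizeCard(readForm(), (d) =>
//     fetch("https://pay.example-provider.test/tokens", {
//       method: "POST", body: JSON.stringify(d),
//     }).then((r) => r.json()), 8000);
//   if (!result.ok) showError("Payment service unavailable, please retry.");
//   else submitToMerchant(merchantPayload(readForm(), result.token));
```

Splitting the form into `CARD_FIELDS` and everything else is deliberate: the same set drives both what goes to the provider and what is withheld from the merchant, so the two cannot drift apart.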
5 Application Programming Interface (API)
For smaller merchants, this may not be a cost-effective e-commerce payment route due to the associated level of security responsibility. The API method is generally used by larger organizations with specific processing needs, or organizations that wish to retain cardholder data.
The applicable controls to secure all systems, people, and processes within an organization for PCI DSS compliance should not be underestimated.
Merchants are advised not to store, process, or transmit cardholder data within their own systems unless the nature of their payment acceptance is not compatible with any of the other models described previously.
6 Wholly Outsourced E-commerce Solutions
The use of such a solution can alleviate many but not all of the merchant’s PCI DSS responsibilities. All merchants have a responsibility to implement policies and procedures that govern safe handling of cardholder data even if they never expect to encounter credit cards. Furthermore, it is the responsibility of the merchant to vet the service provider and monitor its compliance to PCI DSS.
PCI DSS Documentation Requirements by E-commerce Method
The table below summarizes the relevant PCI DSS documentation for merchants that may be required to submit a ROC, as well as for those that may be eligible to self-assess via an SAQ. The corresponding number of PCI DSS requirements is included for each reporting method.