Our website is using external payment application, do we need to comply with PCI DSS?

PCI DSS 3.2.1 PCI today 151 118 4

share close

Outsourcing the payment page doesn’t eliminate your PCI DSS responsibility.

When you outsource to a third party service provider, the point of redirection needs to be protected.

You also have the responsibility to choose a partner that is compliant with PCI DSS.

There are different e-commerce implementations along with their potential impact to the merchant, recommendations for secure implementation, advantages and disadvantages of the implementation type, potential applicability of PCI DSS SAQ, other e-commerce implementations, scoping considerations, and additional features a merchant may want to consider. Some common e-commerce implementations include:

  • Merchant-managed e-commerce implementations:
    • Proprietary/custom-developed shopping cart/payment application
    • Commercial shopping cart/payment application implementation fully managed by the merchant
    • Shared-management e-commerce implementations:
      • URL redirection to a third-party hosted payment page
      • An Inline Frame (or “iFrame”) that allows a payment form hosted by a third party to be embedded within the merchant’s web page(s)
      • Embedded content within the merchant’s page(s) using non-iFrame tags.
      • Direct Post Method (Form)
      • JavaScript Form
      • Merchant gateway with third-party embedded application programming interfaces (APIs)
    • Wholly outsourced e-commerce implementations

These examples represent some of the most common implementations and are not all inclusive of every deployment option that may exist.

1 URL Redirects

Since the redirect e-commerce method is usually easier for merchants to secure and results in fewer applicable PCI DSS requirements and lower risk of merchant systems being compromised, this method may be the best option for merchants with limited security or technical ability. However, this option may not suit many merchants wishing to provide advanced features or a more customizable customer payment experience. Merchants should consider the benefits and costs of customization versus the increased need for security controls and resulting increase in the security responsibility and number of applicable PCI DSS requirements.

2 The iFrame

The iFrame e-commerce method is usually easier for merchants to secure, and results in fewer applicable PCI DSS requirements and lower risk of merchant systems being compromised (although not as low as the redirect method). However, this method also offers a better customer payment experience, as the customer remains on the merchant website throughout. The inline payment form can provide a better “look and feel” than the redirect payment method as the payment page can be customized to match the website design.

3 The Direct Post Method

This architecture may be suitable for e-commerce implementations where the merchant prefers more control over the website look and feel and is comfortable with the additional responsibility for securing its website. The organization’s appetite for payment-card data risk and PCI DSS scope may require avoidance of a fully merchant managed solution.

4 JavaScript Form

All recommendations for the Direct Post Method also apply to the JavaScript Form payment method. The decision to choose one method over the other may be an architectural decision overall. With Direct Post, the merchant will lose control over the session momentarily, whereas with JavaScript, the merchant can maintain some level of control over the session by watching for a timeout and seamlessly delivering an error message to the customer.

5 Application Programming Interface (API)

For smaller merchants, this may not be a cost-effective e-commerce payment route due to the associated level of security responsibly. The API method is generally used by larger organizations with specific  processing needs, or organizations that wish to retain cardholder data.
The applicable controls to secure all systems, people, and processes within an organization for PCI DSS compliance should not be underestimated.
Merchants are advised not to store, process, or transmit cardholder within their own systems unless the nature of their payment acceptance is not compatible with any of the other models described previously.

6 Wholly Outsourced E-commerce Solutions

The use of such a solution can alleviate many but not all of the merchant’s PCI DSS responsibilities. All merchants have a responsibility to implement policies and procedures that govern safe handling of cardholder data even if they never expect to encounter credit cards. Furthermore, it is the responsibility of the merchant to vet the service provider and monitor its compliance to PCI DSS. 

PCI DSS Documentation Requirements by E-commerce Method

The table below summarizes the relevant PCI DSS documentation for merchants that may be required to submit a ROC, as well as for those that may be eligible to self-assess via an SAQ. The corresponding number of PCI DSS requirements is included for each reporting method.

Written by: PCI

Tagged as: , .

Rate it
Previous post