PCI-DSS 3.0: New requirements for HPP and DP



Brian Altenhofel
07-15-2014, 11:59 PM
In the past, some developers have recommended that their clients use Hosted Payment Pages (i.e. redirect to PayPal) or Direct Post (i.e. Stripe) so they could still be PCI compliant on shared hosting services. However, with the new standards, that's no longer a viable possibility. Sites using HPP or DP credit card processing now fall under SAQ A-EP instead of the rather trivial SAQ-A (or arguably the much more difficult SAQ-C) because the security of their site can impact whether or not data is transmitted securely to the wholly outsourced provider.

Instead of 14 controls to meet, eCommerce sites using HPP or DP now have to meet 139 controls, most of which are outside of the control of a shared hosting customer.

https://www.pcisecuritystandards.org/documents/SAQ_A-EP_v3.pdf

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

nerochat
01-09-2015, 03:20 PM
Brian, are you sure? As far as I know, a website which redirects customers to another website for payment is not required to be PCI DSS compliant at all.

Brian Altenhofel
01-09-2015, 06:56 PM
Brian, are you sure? As far as I know, a website which redirects customers to another website for payment is not required to be PCI DSS compliant at all.

Very sure. The PCI-DSS document above is very clear. Any website involved in credit card transactions is subject to PCI-DSS. What level of compliance depends on volume and responsibility.

At an absolute minimum, a merchant would need SAQ-A. SAQ-A pretty much requires that the entire site be managed under the responsibility of a third party vendor.

When the merchant has responsibility for the site, but they redirect to a hosted payment page off-site for payment, they fall under SAQ-A-EP.

nerochat
01-10-2015, 01:57 PM
Seems very strange to me. What is the difference between
Website O (owner, not secured) -> which redirects to website P (payment, like PayPal)
and
Website Z (some 3rd party website) -> website O (owner on trusted platform) -> Website P (payment)?
Even if the owner stores some content on the "secure" hosting, there will always be someone else on unsecured hosting pointing to it.

So my point is, if I want to create content by myself, I will create website X on unsecured hosting, then I will redirect it to "secure hosting" with some minor content, which redirects to the secure payment page.

What do you think?

Brian Altenhofel
01-11-2015, 12:35 AM
Website O (owner, not secured) -> which redirects to website P (payment, like PayPal)

If "Website O" is part of the e-commerce experience, such as populating the cart or collecting personally identifiable information related to the order, then it must be PCI compliant.


Website Z (some 3rd party website) -> website O (owner on trusted platform) -> Website P (payment)

Assuming "Website O" is something like a hosted Shopify or such and completely separate from "Website Z", then PCI does not apply to "Website Z" because it is not part of the e-commerce experience.


if I want to create content by myself, I will create website X on unsecured hosting, then I will redirect it to "secure hosting" with some minor content, which redirects to the secure payment page.

What do you think?

Sounds like you want something like www.example.com as your main site, shop.example.com either on a hosted platform or at the very least a non-shared hosting platform, and then use a third-party payment processor? www.example.com isn't subject to PCI; shop.example.com would be.

nerochat
01-12-2015, 02:56 AM
Hi,

What do you call an e-commerce experience? Does having only a catalog make it e-commerce? An add-to-cart button?
Seems to me they push it too much.

Alex

Brian Altenhofel
01-12-2015, 09:09 AM
Hi,

What do you call an e-commerce experience? Does having only a catalog make it e-commerce? An add-to-cart button?
Seems to me they push it too much.

Alex

Simply displaying a catalog of products is not e-commerce.

E-commerce is engaging in commerce online.