thePCI Portal

Who is a service provider for a SAQ A ecommerce only Merchant?

The Scenario:

Low volume ecommerce only merchant.  Website does a full redirect to a PCI compliant provider payment page so payment processing is fully outsourced.  The payment provider page is actually the Merchant’s acquirer (not a middleman).

All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service provider (the acquirer!).
Merchant does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions.
Merchant has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant (no one but acquirer).

SAQ A eligible?  Sounds like it.

Scenario variation A:Website hosted and maintained by the Merchant

SAQ A has no requirements specific to the webserver security controls.

The physical media controls aren’t applicable as cardholder data (CHD) is not on paper in any form.

The service provider requirements aren’t really applicable either as the Merchant does not have to worry about their acquirer’s compliance.  The acquirer is the one calling the Merchant and asking!

So really, maybe an ASV scan and this merchant is compliant.

Scenario variation B:  Website hosted and maintained by a small website hoster

Website hoster is small, is totally uninvolved with payment data processing and has certainly not completed a PCI DSS compliance assessment.

Is the webhoster now a service provider and subject to the controls of 12.8.x (which are in SAQ A)?

The website hoster certainly does NOT store, process or transmit CHD.

Can they impact the security of cardholder data?    Sure, they could facilitate a website redirection attack.  Or they could implement poor security controls on the host or webserver allowing anyone on the internet to implement a website redirection attack.  The attack could involve altering the website to redirect users to instead of the correct payment site allowing them to scoop up payment data.

If the merchant hosted the site internally, PCI DSS SAQ-A doesn’t provide any guidance on which controls to apply to a webserver, so what changes when the webserver is outsourced?  Nothing.  Current thinking is that the website redirection attack on a fully redirected payment page is a lower risk than the other e-commerce options where the webserver handles the data.   The web hoster is not a service provider and PCI DSS does not prescribe controls for the merchant web page totally uninvolved with payment data.

BUT, please don’t stop there.

The Risk Based Approach

If you wanted to apply some controls to the webserver (say you were taking a risk based approach!) you might just use the controls from SAQ A-EP.  Those would serve you well in both the internal and outsourced webserver scenario.  You are paying for webhosting, so why not pay for good webhosting where you know the provider has controls in place and is willing to commit to them in the contract.

Even if the website is not an e-commerce site, its not a good idea to put a webserver out on the internet without at least some basic controls in place (SAQ A-EP again?).  Please don’t do it. 🙂

Ad below this line:




13 comments for “Who is a service provider for a SAQ A ecommerce only Merchant?

  1. August 22, 2015 at 4:12 pm

    No one can do it better than you.

    • thePCIportal
      September 17, 2015 at 3:17 pm

      It may or may not be true, but keep spreading it! SL.

  2. August 24, 2015 at 6:36 am

    I respect your work.

    • thePCIportal
      September 17, 2015 at 3:16 pm

      It appreciates that. SL.

  3. October 8, 2015 at 6:35 am

    Appreciate this post. Will try it out.

  4. October 26, 2015 at 7:40 pm

    I do not even know the way I ended up here, but I believed this post
    was once great. I do not know who you are but certainly you are going to a famous blogger
    should you aren’t already. Cheers!

  5. October 30, 2015 at 8:09 pm

    Simply want to say your article is as amazing. The clarity to
    your post is simply excellent and that i could think you’re a professional in this subject.
    Well with your permission let me to grasp your feed to stay updated with imminent post.
    Thanks one million and please continue the gratifying work.

    • thePCIportal
      December 4, 2015 at 4:10 pm

      You could think that, but I wouldn’t recommend it. One BILLION thank yous to you! S.

  6. November 13, 2015 at 2:02 pm

    Thanks for sharing exceptional informations. Your website is extremely cool.I’m astounded by the details that you’ve put on this web site.It reveals how effectively you understand this subject.Bookmarked this web page, will return for a lot more articles.You, amigo, ROCK! I discovered simply the information I alreadysearched all over the place and simply couldn’t come across.What a perfect website.

    • thePCIportal
      December 4, 2015 at 4:04 pm

      Nothing is perfect. Gaps in regular content, slow server, etc. Maybe someday, but not yet! S.

  7. November 14, 2015 at 12:39 pm

    An impressive share! I have just forwarded this onto a coworker who has
    been doing a little research on this. And he in fact ordered me dinner simply because I found
    it for him… lol. So allow me to reword this…. Thank YOU for the meal!!
    But yeah, thanx for spending time to discuss this issue here on your
    web page.

    • thePCIportal
      December 4, 2015 at 4:01 pm

      you owe me a snack. S.

  8. what's the best hair extensions
    March 28, 2017 at 3:51 am

    Hola!I’ve ben reading your blg for a long time now and finally got the bravery to go ahead and give yyou a shout out from Kingwood Tx!
    Just wanted to tell you kwep up the excellent work!

Leave a Reply

Your email address will not be published. Required fields are marked *