thePCI Portal

Category: ecommerce

Don’t descope your redirecting ecommerce web server!

Another fresh article regarding the risks to consider when implementing a fully redirected e-commerce solution.  Benj Hosack writes about something the forensics team at Foregenix have seen.  While it discusses a few variants that are not specifically of the SAQ A variety, it has a few relevant examples of risks. And don’t forget about the old paypaul.ca…

Who is a service provider for a SAQ A ecommerce only Merchant?

The Scenario: Low volume ecommerce only merchant.  Website does a full redirect to a PCI compliant provider payment page so payment processing is fully outsourced.  The payment provider page is actually the Merchant’s acquirer (not a middleman). All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service provider (the acquirer!). Merchant does…