If I take payments from customers only via an application on their mobile handheld device, is that ecommerce? (Should my assessor check e-commerce off in my ROC and AOC?) The application is one I distribute and not a browser.
What is e-Commerce?
The term ecommerce is not in the PCI SSC Glossary. There is a one sentence definition on this payment term guidance page:
“When you sell products or services online, you are classified as a e-commerce merchant. “
(the word “online” isn’t defined in the glossary either, but I am comfortable with something like “via internet network connection”)
That guidance page appears to list web servers and web pages as only an example of a type of ecommerce payment system and not necessarily the only type.
Rhetorical Questions
Does it always mean a browser? Does it require IP networking or are other protocols acceptable? Does there need to be a webserver involved? What if the device is not handheld? What is the intent of the ecommerce classification in the ROC and AOC?
Look at the Risk
The risks relative to most mobile apps are similar to an ecommerce web page (particularly if both of redirecting to the acquirer to handle payment information like a type 9 merchant). The device the consumer is using is beyond our control (consumer ownership of the end point) and they only enter one (their own) credit card data.
Conclusion
The intent of the ecommerce category is likely to classify merchants and potentially identify relative risk levels. I think you should check off ecommerce on your assessment materials even though you do not take payments from consumers via web browsers.
Ad below this line:
