What is a “payment page”?
A simple question? Maybe not. I think a layperson would say that its the webpage where you input your payment details. A merchant completing an SAQ-A compliance assessment might disagree. Merchants load these pages with scripts to enable marketing analytics, conversion trackers and chatbots to increase conversion and help consumers complete their orders. SAQ-A eligible merchants generally load the payment collection form in an iframe supplied by their PCI DSS compliant payment service provider and consider the iframe itself to be the “payment page” not the hosting page.
Is “payment page” what is inside the iframe or is it the page that hosts the iframe is the “payment page”?
FAQs 1292, 1293 and 1348 seem to support the definition “payment page” as what is inside the iframe, not the page that hosts the iframe.
FAQ 1292 – “payment page” can be embedded in an iframe
- A merchant website can either redirect the consumer to a third-party payment page, or embed the third-party payment page in an iFrame.
FAQ 1293 – no part of outsourced “payment page” from merchant
- To be eligible for SAQ A, all elements of the payment pages must only originate from PCI DSS compliant service provider(s), and no single element of a payment page can originate from the merchant’s website.
FAQ 1348 how to determine the payment page
- To be eligible for SAQ A, all elements of the payment page delivered to the consumer’s (cardholder’s) browser must originate only and directly from a PCI DSS validated third-party service provider(s). The term “payment page” refers to a collection of web elements used to collect and/or process payment card data. Payment pages can exist as a standalone web page or be embedded into another web page using iframe.
NOTE: If you are attempting to determine applicability of v4 6.4.3 and 11.6.1 to a SAQ A merchant using an iframe, definitions and logic are not applicable. The Dec2022 version of the v4.0 SAQ A has the answers. 6.4.3 and 11.6.1 are applicable to more than the “payment page” and are applicable to the merchant’s page which hosts the iframe.
Ad below this line: