thePCI Portal

Category: SAQ A

Does requirement 6.4.3 mean that a merchant who uses an iframe so that their payment service provider collects the payment information have to implement a method to ensure the integrity of scripts on their web page?

Did you come here looking for an answer to this question?  If so, YOU ARE IN LUCK.  We have lots of answers to this question.  I am sure you can find one that fits your requirements.   NOTE:  all of the answers below are real.  QSACs really said these things (not just a QSA, but…

What is a “payment page”?

What is a “payment page”? A simple question?  Maybe not. I think a layperson would say that its the webpage where you input your payment details.  A merchant completing an SAQ-A compliance assessment might disagree.  Merchants load these pages with scripts to enable marketing analytics, conversion trackers and chatbots to increase conversion and help consumers complete…

Best Practices for Securing eCommerce Information Supplement

Best Practices for Securing eCommerce Information Supplement is a great doc full of comprehensive info! The objective of this information supplement is to update and replace the PCI DSS E-commerce Guidelines published in 2013. Its a comprehensive 64 page document.  Useful info for anyone who does or is considering e-commerce.  A couple of the tidbits…

Redirect, but don’t forget

  Thanks to the PCI Guru for bringing this story to my attention with this post. In the continued vein of “Don’t descope your redirecting ecommerce web server!“, the The Foregenix Digital Forensics and Incident Response Team talks about some of the risks that remain in your ecommerce payment channel, even if you are redirecting, using…

Don’t descope your redirecting ecommerce web server!

Another fresh article regarding the risks to consider when implementing a fully redirected e-commerce solution.  Benj Hosack writes about something the forensics team at Foregenix have seen.  While it discusses a few variants that are not specifically of the SAQ A variety, it has a few relevant examples of risks. And don’t forget about the old paypaul.ca…

Who is a service provider for a SAQ A ecommerce only Merchant?

The Scenario: Low volume ecommerce only merchant.  Website does a full redirect to a PCI compliant provider payment page so payment processing is fully outsourced.  The payment provider page is actually the Merchant’s acquirer (not a middleman). All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service provider (the acquirer!). Merchant does…

Does an SAQ-A merchant need ASV scans?

UPDATED FOR V4! If a merchant is eligible to complete a SAQ-A to report on the results of their compliance assessment, are they required to engage an ASV (approved scanning vendor) to complete external vulnerability scans? YES!  V4 clearly includes PCI DSS requirement 11.3.2! (Note the new V4 numbering) Self-Assessment Questionnaire A and Attestation of…