
Advice and Guidance for E-commerce Retailers

With the growth of the Internet, many organisations have moved services online. By moving retail to the web, merchants change their risk and threat model: the checkout is now reachable by anyone on the public Internet, so attackers and external intruders become a far larger part of the exposure.

Banks and Acquirers recognise that there is a heightened risk of fraud for merchants that engage in retail over the web. As a consequence, there are typically two PCI DSS assessment routes that apply to e-commerce merchants:

  • Self Assessment Questionnaire A (SAQ A) – Reduced PCI DSS scope
  • Self Assessment Questionnaire D (SAQ D) – Full PCI DSS

If an online retailer uses a third-party payment provider to authorise and process transactions, the retailer may be eligible to complete SAQ A. The tests for SAQ A applicability are as follows.

SAQ A

The merchant must NOT store, process or transmit card data.

The merchant must redirect the customer to the payment provider's website at the point in the transaction where the customer is required to enter their card details. The card details must be entered into the payment provider's website directly, so they never pass through the merchant's systems.

It would not be permissible for a merchant to complete a SAQ A assessment if they collect the card data in their own web application and, even though they do not store it, send it on immediately (for example via XML) to the payment provider's environment. In this instance the merchant is classed as 'processing' card data, and consequently would be required to complete SAQ D. The practical test is therefore not whether card data is stored, but whether it ever reaches the merchant's servers at all.
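The distinction above comes down to which side of the redirect the card details land on. The following is an added example (not code from this page, from Nettitude or from any payment provider) that contrasts the two integration patterns from the merchant's side: an SAQ A style handler that sends the customer to a hosted payment page carrying only an order reference and amount, and a guard that flags any card data arriving at the merchant application, which is the condition that tips the merchant into SAQ D. The hosted-page URL `https://psp.example/pay`, the field names, and the sample form submissions are all assumptions constructed for the example; the PAN used is a well-known test number, not a live card.

```python
"""Added example: redirect-based checkout (SAQ A pattern) versus receiving
cardholder data at the merchant (SAQ D pattern). Hypothetical code; the PSP
URL, field names and sample forms are constructed for illustration only."""
import re
from urllib.parse import urlencode

# Assumed hosted payment page of the third-party payment provider.
PSP_HOSTED_PAGE = "https://psp.example/pay"

# Form field names that, if present, mean the merchant is handling card data.
CARD_FIELDS = {"pan", "card_number", "cardnumber", "cvv", "cvc", "cvv2", "expiry"}


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if a value is 13-19 digits (spaces/dashes allowed) and Luhn-valid.
    Note: a long, Luhn-valid order number would also match; treat hits as
    something to investigate, not as proof of a PAN."""
    s = re.sub(r"[\s-]", "", value)
    return s.isdigit() and 13 <= len(s) <= 19 and luhn_valid(s)


def cardholder_data_present(form: dict) -> list:
    """Return the names of form fields that carry card data, judged either by
    the field name or by the value looking like a PAN."""
    return [k for k, v in form.items()
            if k.lower() in CARD_FIELDS or looks_like_pan(str(v))]


def saq_route(form: dict) -> str:
    """Which questionnaire the merchant's handling of this request points to:
    card data reaching the merchant at all (even if forwarded at once and
    never stored) is 'processing', so the reduced SAQ A scope is lost."""
    return "SAQ D" if cardholder_data_present(form) else "SAQ A"


def saq_a_checkout(order_id: str, amount_pence: int, form: dict):
    """Merchant side of the redirect flow. It refuses any card data and
    answers with a 303 redirect to the PSP's hosted page, passing only the
    order reference and amount; the customer types the card details into the
    PSP's page, never into the merchant's application."""
    hits = cardholder_data_present(form)
    if hits:
        raise ValueError(
            f"cardholder data received in fields {hits}; this endpoint must "
            "never handle card data if the merchant is to remain SAQ A eligible")
    params = urlencode({"order": order_id,
                        "amount": amount_pence,
                        "currency": "GBP"})
    return 303, {"Location": f"{PSP_HOSTED_PAGE}?{params}"}


if __name__ == "__main__":
    # Constructed sample submissions: the first is what a redirect-based
    # checkout should see, the second is a card form posted to the merchant.
    clean_form = {"order": "A1001", "amount": "1999"}
    card_form = {"order": "A1001", "amount": "1999",
                 "pan": "4111 1111 1111 1111", "expiry": "12/29", "cvv": "123"}
    print(saq_route(clean_form), saq_a_checkout("A1001", 1999, clean_form))
    print(saq_route(card_form))
```

Wiring `cardholder_data_present` into a request middleware or an integration test gives a cheap, repeatable check that no card field ever hits the merchant's own endpoints; a single hit in production logs is a sign the SAQ A assumptions no longer hold.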

SAQ D

E-commerce merchants that do not fall within the remit of SAQ A will be required to complete SAQ D. This covers the following types of environment:

  • E-commerce merchants that store card data.
  • E-commerce merchants that do not store card data, but do collect it via their own website and send it to a payment provider for authorisation.

Nettitude has a vast range of experience with PCI DSS and has been heavily involved in the standard since its inception. There are tried and tested mechanisms that can reduce the risk associated with online retail; keeping card data out of the merchant's environment altogether is the most effective of them. Nettitude can offer advice and guidance around these techniques, which ultimately can result in reduced compliance costs and reduced exposure to compromise.

To understand how Nettitude can help you achieve PCI DSS compliance, or to gain a free provisional consultation, please complete our contact form and a Security Consultant will respond to your enquiry.


We will provide you with testimonials, sample reports, methodology and a proposal once we have understood your requirements.

Phone: +44 (0)845 52 000 85