The PCI DSS applies to any organisation that processes, transmits or stores credit card data. Transactional e-commerce websites can be built in one of two ways, and developers need to understand both approaches and how each determines the scope of a PCI DSS assessment.

Option 1 - Site Processes/Stores data
If the site processes, transmits or stores cardholder data, it is in scope for a full PCI DSS assessment (240+ controls). Even if the site stores nothing but merely collects the data in a form and transmits it straight away to a payment service provider, the scope of assessment remains the full extent of the PCI DSS.

Option 2 - Site Redirect
If the site redirects users to a 3rd party payment provider (PayPal, Worldpay etc.) at the point where cardholder data would be entered, so that the data is entered into the provider's site instead, it 'may' be possible to reduce the scope of the PCI DSS from 240 controls to fewer than 10 controls. For this to hold, the e-commerce site must not store, process or transmit any form of cardholder data whatsoever.

To find out more about how Nettitude can help you with your Compliance requirements, please complete our contact form, and a Consultant will respond to your enquiry.

In this article, Visa notes that a series of organisations' websites using the redirect approach have been hacked and had the redirect modified to point at a 3rd party hacker's site. As a consequence, Visa recommends that even redirected websites undergo more thorough security assessments.
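As an added example (not Nettitude's or Visa's code), one defensive check a site using Option 2 can run: fetch its own checkout page on a schedule and confirm that every hand-off target (form action, meta refresh, inline-script redirect) still points at the contracted payment provider, so a modified redirect is caught before cardholder data goes elsewhere. The provider hostnames, the sample page and the function names are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosted payment providers the (hypothetical) shop is contracted with. Exact
# hostnames only, so a look-alike such as www.paypal.com.evil.test never matches.
APPROVED_PSP_HOSTS = {"www.paypal.com", "secure.worldpay.com"}

def host_is_approved(url, allowlist=APPROVED_PSP_HOSTS):
    """True only for an absolute HTTPS URL to an allowlisted host. A relative
    action such as "/pay" fails too, since it posts card data to the shop itself."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in allowlist

class _HandoffCollector(HTMLParser):
    """Collect every hand-off target: form actions, meta refresh URLs and
    location assignments in inline scripts (HTMLParser lower-cases names)."""
    def __init__(self):
        super().__init__()
        self.targets, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.targets.append(a["action"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url=(\S+)", a.get("content") or "", re.I)
            if m:
                self.targets.append(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # e.g. window.location.href = "https://..."
            self.targets += re.findall(r"""location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""", data)

def find_rogue_handoffs(html, allowlist=APPROVED_PSP_HOSTS):
    """Hand-off URLs not going to an approved provider; an empty list means intact."""
    c = _HandoffCollector()
    c.feed(html)
    return [t for t in c.targets if not host_is_approved(t, allowlist)]

# Constructed checkout page: legitimate form and meta refresh, tampered script.
SAMPLE_CHECKOUT = """<form action="https://secure.worldpay.com/wcc/purchase" method="post"></form>
<meta http-equiv="refresh" content="5; url=https://www.paypal.com/checkout">
<script>window.location.href = "https://www.paypal.com.evil.test/pay";</script>"""
```

Any non-empty result from `find_rogue_handoffs` on the live page is an alert condition; a relative target is worth alerting on as well, because it means card data is being posted to the shop itself and the site has silently moved back into Option 1 scope.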