Making Your E-Commerce Site Secure
PCI DSS grew out of Visa's Cardholder Information Security Program (CISP), which Visa began in 1999 in response to the rise in online credit card fraud; the card brands later merged their individual programs into the first PCI DSS, published in 2004. Currently, businesses use PCI DSS 3.2.1 to keep their e-commerce sites secure. The next version of the standard, PCI DSS 4.0, is set to be released very soon.
In the meantime, companies rely on version 3.2.1 to secure their credit and debit card transactions. The stated goal of PCI DSS 4.0 is to strengthen security while giving organizations more flexibility in how they meet the requirements than the current version allows. Payment orchestration will still be a crucial strategy for minimizing PCI scope and reducing ongoing maintenance costs.
Why Do People Confuse PCI SAQ A & A-EP?
The iFrame Middle Ground
The second significant impact of the PCI DSS 3.0 release was the clarification that the iFrame approach can qualify a merchant for SAQ A. The iFrame became the middle ground between the URL Redirect and Direct Post approaches: the merchant keeps control of the page layout, but the card fields themselves are served from the payment provider's origin, so cardholder data never passes through the merchant's web server or the merchant's JavaScript.
During this time, Spreedly responded quickly by building an iFrame offering. The goal was to give their clients the same design freedom they enjoyed with Direct Post, while keeping the integration safe and eligible for PCI SAQ A. Many of their current customers use Spreedly because of this iFrame system.
Providing PCI Compliance Clarification
To comply with PCI DSS, larger entities must undergo an on-site assessment by a Qualified Security Assessor (QSA), who files a Report on Compliance (ROC) if the assessment passes. Mid-size and smaller businesses can avoid the on-site audit: they complete the appropriate Self-Assessment Questionnaire (SAQ) and file an Attestation of Compliance (AOC). Compliance is not a one-time event. Validate continually and adjust your security controls as the standard and your environment change.
PCI SSC guidance for merchants:
- Merchants whose e-commerce site loads the payment content in an iFrame from a PCI DSS compliant service provider may be eligible to assess their compliance against SAQ A, the smallest subset of PCI DSS requirements, because most of the requirements are handled by the payment service provider (PSP).
- Merchants who use the Direct Post approach are eligible for SAQ A-EP and must meet all of that SAQ's requirements, because their page delivers the form that collects cardholder data and is therefore in scope. Merchants should consult their acquiring bank or the payment brands to determine whether they must validate their PCI compliance and which reporting method to use.
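The iFrame arrangement described above, and the SAQ A versus A-EP distinction in the two bullets, as an added example that is not Spreedly's code or PCI SSC material. The card fields live in an iframe served from the PSP's origin, so the browser's same-origin policy keeps merchant JavaScript from reading the PAN; the merchant page only ever receives a payment token via postMessage, validates the sender's origin, and refuses any message that carries cardholder data (accepting one would turn the integration into a Direct Post one and pull the page into SAQ A-EP scope). The PSP origin, URL path, message shape and token format are assumptions for illustration, not any provider's documented API.

```javascript
// Added example (not Spreedly's or the PCI SSC's code): merchant-side glue for
// the iFrame approach. Hypothetical PSP origin and message shape; substitute the
// values your provider documents.
const PSP_ORIGIN = "https://fields.psp.example"; // assumption

// Build the src for the PSP-hosted iframe. Only a merchant id and a short-lived
// session id are passed in; no cardholder data ever passes through merchant code.
function hostedFieldsUrl(merchantId, sessionId) {
  const u = new URL("/hosted-fields", PSP_ORIGIN); // path is an assumption
  u.searchParams.set("merchant", merchantId);
  u.searchParams.set("session", sessionId);
  return u.toString();
}

// Field names that would mean raw cardholder data reached the merchant page.
// A page that accepts these is collecting card data itself (Direct Post, SAQ A-EP).
const CARDHOLDER_FIELDS = ["pan", "number", "cvv", "cvc", "expiry", "exp_month", "exp_year"];

// Validate one message delivered to the merchant page. Origin is checked first:
// any window can call postMessage on the parent, so an unchecked listener could be
// fed a token (or fake "success") by a malicious frame or injected script.
// Returns {ok: true, token} or {ok: false, reason}.
function validateTokenMessage(msg, expectedOrigin) {
  if (msg.origin !== expectedOrigin) {
    return { ok: false, reason: "unexpected origin " + msg.origin };
  }
  const data = msg.data;
  if (!data || typeof data !== "object" || data.type !== "payment_token") {
    return { ok: false, reason: "unexpected message type" };
  }
  for (const f of CARDHOLDER_FIELDS) {
    if (f in data) return { ok: false, reason: "cardholder data present: " + f };
  }
  // Token format is an assumption; the point is that it is an opaque PSP reference.
  if (typeof data.token !== "string" || !/^tok_[A-Za-z0-9]{16,}$/.test(data.token)) {
    return { ok: false, reason: "malformed token" };
  }
  return { ok: true, token: data.token };
}

// Wire the validator to the browser's message event. In the browser pass `window`;
// the iframe side would call parent.postMessage({type, token}, merchantOrigin).
function installTokenListener(target, onToken, onReject) {
  target.addEventListener("message", (ev) => {
    const r = validateTokenMessage({ origin: ev.origin, data: ev.data }, PSP_ORIGIN);
    if (r.ok) onToken(r.token);
    else if (onReject) onReject(r.reason);
  });
}

// What the merchant page sends to its own server afterwards: the token plus order
// details, never card data. The server charges through the PSP using the token.
function chargeRequestBody(token, amountMinor, currency, orderId) {
  return JSON.stringify({ token, amount: amountMinor, currency, order_id: orderId });
}
```

The scope reduction comes from the frame's origin, not from the listener alone: script that an attacker injects into the merchant page can still replace or overlay the iframe, which is why integrity of the scripts on the payment page still matters even under SAQ A.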