PCI DSS was released in 1999, when Visa created its Cardholder Information Security Program in response to the rise in online credit card fraud. Today, businesses use PCI DSS 3.2.1 to keep their e-commerce sites secure, and the next version of the data security standard, PCI DSS 4.0, is set to be released very soon.
In the meantime, companies are relying on the 3.2.1 version to secure their credit and debit card transactions. The PCI DSS 4.0 standard's primary goal is to boost security with more support and flexibility than the current version. This standard is expected to help businesses comply in numerous ways. Payment orchestration will still be a crucial strategy for minimizing the scope and reducing ongoing maintenance costs.
Many online merchants prefer the PCI SAQ A standard because it is the simplest and least time-consuming certification. Before PCI DSS 3.0, a merchant could reach SAQ A through a Direct Post, a URL Redirect to a hosted payment page, or a JavaScript library.
Nowadays, most payment gateways and merchants use a Direct Post or JavaScript approach, often preferring it over a URL Redirect because it gives their customers more control over the design of the payment page. PCI DSS 3.0, however, stated that Direct Post brings the merchant's page into greater scope and requires the more arduous SAQ A-EP. This is a likely source of the confusion.
The second significant impact of the release of PCI DSS 3.0 was the indication that the iFrame approach enables a merchant to qualify for an SAQ A. The use of an iFrame became the neutral ground between the URL Redirect and Direct Post approach.
During this time, Spreedly responded quickly by building an iFrame integration. The goal was to give clients the same design freedom they enjoyed with Direct Post while keeping the approach safe and certified under PCI SAQ A. Many of their current customers use Spreedly because of this iFrame system.
To comply with PCI, larger entities must go through an on-site audit performed by a Qualified Security Assessor, who files a Report on Compliance if the audit is passed. Mid-size and smaller businesses can avoid the audit; instead, they complete a self-assessment questionnaire and file an Attestation of Compliance (AOC). PCI compliance should be treated as a continual process rather than a one-time event, so that an organization can adjust its security controls as the standard and its own environment change.
The PCI SSC guidance shows the council's thinking on the approaches that online merchants adopt when integrating payment pages. These approaches include an inline iFrame, a URL Redirect to a third-party hosted payment page, and content embedded in the merchant's own page, such as JavaScript-built forms or Direct Post.
PCI DSS 3.0 caused confusion about the best way to build a secure e-commerce environment and about the resulting impact on PCI compliance. The guidance clears this up by describing each way of creating a secure payment solution. The work required for PCI SAQ A and SAQ A-EP differs considerably, however, so a merchant who wants to avoid the SAQ A-EP requirements has good reason to use an iFrame over the JavaScript or Direct Post methods.
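The practical difference between the integrations is where the card number travels. With a URL Redirect or an iFrame, the cardholder's browser sends the card number straight to the payment provider's origin and the merchant's server never sees it; with Direct Post or a JavaScript-built form, a card field lives on the merchant's page and any mistake in the form (or any script injected into that page) can send the number to the merchant's own server, which is exactly what pulls the merchant into SAQ A-EP. The following added example, which is not from the original article and is not Spreedly's code, is a server-side check a merchant can run on incoming request bodies to confirm that no card number is arriving at the merchant origin. The function names, the sample bodies and the masked-log format are assumptions of this example; the card numbers in the samples are the public test numbers that appear in most payment-gateway documentation.

```javascript
// Added example (not the article's or Spreedly's code): detect a card number
// arriving at the merchant's own server, where a URL Redirect or iFrame
// integration should never let one land.

// Luhn checksum: every PAN covered by PCI DSS passes it.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally grouped with spaces or dashes.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Return the digit strings in `text` that are PAN-shaped and pass Luhn.
function findPans(text) {
  const hits = [];
  for (const match of text.matchAll(PAN_CANDIDATE)) {
    const digits = match[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      hits.push(digits);
    }
  }
  return hits;
}

// Mask to the first six and last four digits, the display form PCI DSS permits,
// so the finding can be logged without the log itself becoming cardholder data.
function maskPan(digits) {
  return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
}

// Inspect a raw request body (form-encoded or JSON) as the merchant server
// receives it. Form encoding turns spaces into '+' or '%20', so decode first.
// Returns { inScope, findings } where findings holds masked PANs.
function inspectRequestBody(body) {
  let text = body.replace(/\+/g, ' ');
  try {
    text = decodeURIComponent(text);
  } catch (e) {
    // Malformed percent-encoding: scan the raw text rather than skip the check.
  }
  const findings = findPans(text).map(maskPan);
  return { inScope: findings.length > 0, findings };
}

// Constructed sample bodies (not captured traffic). The 16-digit order id is
// not Luhn-valid, so it must not be reported; the two card numbers are the
// public Visa and Mastercard test numbers and must be.
const SAMPLE_BODIES = {
  orderOnly: 'order_id=1234567890123456&amount=1999&currency=USD',
  directPostLeak: 'card_number=4111+1111+1111+1111&cvv=123&exp=12%2F29',
  jsonLeak: '{"payment":{"number":"5555555555554444","name":"J Doe"}}',
};

for (const [name, body] of Object.entries(SAMPLE_BODIES)) {
  const result = inspectRequestBody(body);
  console.log(name, result.inScope ? 'PAN received: ' + result.findings.join(', ') : 'clean');
}
```

Run this against bodies captured from your own checkout endpoint in a staging environment; a single "PAN received" line means the page that posted it is handling cardholder data and cannot be assessed under SAQ A. The Luhn filter removes most order ids and timestamps, but a 13-digit epoch-millisecond value can pass it by chance, so treat a finding as a prompt to inspect the form, not as proof on its own.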
Spreedly customers have also provided feedback about the ease and flexibility of using iFrame to customize their payment page over methods such as JavaScript or Direct Post.