Complying with PCI DSS when using a hosted payment page
This is part two of a post about moving away from PayPal to your own merchant account and hosted payment page solution – read part one here. The advice below is for merchants who use a hosted payment page on a compliant Payment Service Provider (PSP) and is based on my own experience; please always check with your bank and your PSP.
The Payment Card Industry Data Security Standard is the source of a large amount of misinformation and appears to be becoming a nice little earner for companies who will help you to become compliant. If you only use a hosted pay page as described in my last post, so that card numbers are entered on the PSP's page and never pass through or are stored on your server, and you do not take phone, fax or in-person orders that you key into a physical or virtual terminal, then PCI compliance is a simple process of filling out a form. It takes a few minutes.
You might first become aware of needing to comply with the PCI DSS when your bank sends you a letter telling you that you are non-compliant and that they will therefore charge an extra percentage on each transaction they process until you are. This letter will point you to a third-party company who will help you to become compliant – for a fee.
I object to paying people to fill in forms for me and so when this happened after switching our payments for Perch away from PayPal to a full PSP and merchant account solution, I told the third party that I would be completing the form myself and was given an email address to send it to once I had done that.
Completing the SAQ A
If you only take payments via a third-party hosted payment page and the PSP is listed as a "Level 1 PCI DSS compliant" service provider, you need to fill in the form called SAQ A.
The role of this form is to declare that you don't handle any card data but outsource all of that to your PSP; however, you have to declare this in the most confusing and unclear way possible. Below I have explained what was accepted for us – I am not an expert in PCI compliance, so use this information at your own risk, and obviously if you are touching cardholder data in any way (including seeing it, even briefly, on your own systems) you need to get advice as to which SAQ you need to complete.
Parts 1 and 2a contain some basic company details you need to complete.
Part 2b, Eligibility to complete SAQ A, is where the form checks that you are not actually doing anything other than using a PSP. You should be able to check all of these if you never touch, see or hear card information and have no access to it: it is entered on the PSP's page, not yours, and the PSP never passes it back to you.
Part 3 is where you confirm that you are compliant, so you can tick the compliant checkbox. In Part 3a you need to confirm that the PCI DSS Self-Assessment Questionnaire was completed according to the instructions therein. The questionnaire this refers to will be at the bottom of the document you are completing if you downloaded the full SAQ A (the Self-Assessment Questionnaire and Attestation of Compliance together) rather than just the Attestation of Compliance.
Self Assessment Questionnaire A
Despite the fact that you have declared that you do not touch or store any cardholder data, you have to indicate that you have completed a questionnaire which asks what you do with the cardholder data you store. Baffled? I was too. If you need to submit this questionnaire in completed form then go down the form entering N/A in the column headed "Special". Then keep on scrolling until you find the … Appendix D: Explanation of Non-Applicability, and here you can explain, again, that you don't touch any cardholder data. Under "Requirement" you need a line for each of 9.6, 9.7, 9.8, 9.9 and 9.10, and in the column "Reason requirement is not applicable" put something like "Cardholder data is never received or stored by us"; then create a line for 12.8 and write "Cardholder data is never shared with service providers". That wording was accepted for us, but note that your PSP is itself a service provider that handles cardholder data on your behalf, and the requirement numbering and the scope of SAQ A change between versions of the standard, so check the version your bank asks for and what your PSP expects you to declare.
You can then happily check the checkboxes under Part 3a, sign and date the form and send it by whatever method your bank or their third party company has requested.
If your situation changes
Remember that it is up to you to maintain compliance. As long as your situation doesn't change and you continue to take card payments only via a page hosted on a compliant PSP, then each year you will just need to fill out this form again and you remain compliant. If you do start doing anything that involves you processing, handling or storing card numbers (for example taking card details over the phone, or moving the card form onto your own site), then you need to take advice as to which SAQ, or full assessment, you now need to complete, because the requirements become far more extensive. Having dealt with applications that do store card data in the past I am very happy to continue to outsource that liability to my PSP for my own business.
Let me know your experiences
It is really hard to get any reasonable information and guides to complying with the PCI DSS. The cynic in me says this is because the banks and third-party security companies are making money out of this. If you are storing cardholder data then it stands to reason that complying with strict security measures is important; however, for those of us who have sensibly opted to pass this responsibility on to a third party, I really wish this process wasn't made to seem more complicated than it is.
So, if you have any experiences or information that might help other people with the SAQ A, or see any errors in my information, please add a comment. I have written this purely from my experience, and I'm sure it can be improved with input from other people who have worked with different banks and PSPs. Let's make sure this information is available so people aren't paying someone else to fill in a form that essentially says "we don't touch any cardholder data".