PCI DSS

The PCI Security Standards Council has released an updated version of their requirements and security assessment procedures which took affect from Jan 2015. This update required all players in the payment chain to certify and comply with Version 3.0 requirements.

Over recent months we have been working hard on incorporating the new payment security standard into our products and services, so we will be highlighting the most important changes in a series of blog posts. The new standard will bring some very significant changes to PCI compliance; however the good news for our clients and their merchants is that we will handle all of the necessary updates behind the scenes.

Impact of new requirements

The PCI Council is raising the bar for compliance, in an attempt to reduce the risk of data being exploited if a merchant’s servers are attacked or hacked. The idea behind this is that the PCI Council has identified merchants as the weakest link in the payment security chain, even if those merchants outsource PCI compliance to a highly-secure and fully compliant and certified PCI DSS Level 1 payment provider, such as us.

To address this, the PCI Security Standards Council has decided to implement a new extended questionnaire for merchants. This is the Self-Assessment Questionnaire A-EP (SAQ A-EP), which will have around 140 questions, compared to the 14 questions in the traditional SAQ A. In addition, the new extended SAQ A-EP mandates merchants to undergo regular penetration testing, which is common in the service provider space. This presents a major hurdle for merchants, particularly smaller ones, both financially and operationally.

Following the release of these new standards, there was considerable debate around the impact and the implications of the requirements. This lead to the council attempting to clarify the requirements, which favor traditional, widely-used hosted payment pages over "direct post" or widget-based payment forms. Essentially, those using hosted payment pages would qualify under certain circumstances for the more straightforward SAQ A. Those using widget-based payment forms would be required to complete the extended SAQ A-EP.

However, widget-based payment pages are clearly the preferred choice of merchants, as they embed naturally into a web shops and are much easier to integrate and customize. They also create a better experience for shoppers, avoiding style breaks through using hosted iFrame payment pages, and providing the best experience across all devices. This helps create trust, ultimately resulting in higher conversions for the merchant.

Our mission was to find an elegant solution that offers all the aforementioned advantages of widget-based payment forms, such as those available through our COPYandPAY integration, but also meets the reduced SAQ A requirements. Thanks to our combination of technical expertise and a deep understanding of payment workflows and compliance, we were able to come up with an innovative solution that combines the ease of a widget library with a security level that qualifies for the simplified SAQ A. During all phases of the development process we were in close contact with our QSAs (Qualified Security Assessors) and PCI experts who work closely alongside the PCI Council. We now have confirmation of compliance, which means that we will be offering reduced SAQ scope from day one, benefiting our clients and their merchants.

Our implementation ensures that critical card data in the payment form cannot be touched by the merchant, while ensuring that the forms still embed naturally within web shops. This allows merchants to stay in full control of the style of their payment forms.