utknuclear
03-30-2010, 12:47 PM
My client has developed an interface to collect credit card data and transmit the information securely to a well-known Gateway using its API.
The process is as follows:
Merchant Setup:
1. The Gateway approves a merchant account for the broker (Merchant).
2. The Gateway builds a Gateway account with MID/TID to the processor.
3. Gateway username and password are provided to the Merchant.
4. Merchant provides my client the Gateway username and password.
5. My client inserts username and password for storage on their website in order to facilitate credit card processing for the Merchant.
Process Flow:
1. Cardholder searches my client's website for an item.
2. Cardholder finds the item and wishes to pay for it online and have it delivered.
3. Cardholder is shown payment form hosted by my client. Credit card information is entered on this form.
4. Credit card information is transmitted via SSL HTTPS POST to this "well-known Gateway" using its proprietary API. By using the proper username and password for the Merchant, my client can manage transactions for multiple brokers on their system.
5. Transaction is processed by the Gateway and the response is transmitted back to my client immediately.
6. My client sends the Merchant a notice of the transaction attempt and its result for delivery of the item.
The issue at hand is steps #3 and #4 of the Process Flow. The gosh darn Risk department at the "well-known" gateway and the Acquiring partners feel this falls into PA-DSS scope since:
1. The merchant did not develop this payment interface nor is managing it.
2. The merchant does not have access to the source code or network environment.
3. Cardholder data is being collected and transmitted by my client via a hosted software solution.
The exact paragraph being referenced is found in the following document:
https://www.pcisecuritystandards.org/pdfs/pci_pa-dss_security_audit_procedures_v1-1.pdf
Page 4, under “Scope of PA-DSS”
"The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties."
*I think personally, as a QSA, that my client is completely out of scope for a PA-DSS audit. A self-assessment QSAC, sure? But a PA-DSS????? Sounds a little overboard.