Option 1 - Site Processes/Stores data
If the site processes, transmits or stores cardholder data, it is in scope for a full
PCI DSS assessment (240+ controls). If the site does not store data, but collects
data in a form and transmits it straight away to a payment service provider, the
scope of assessment remains at the full extent of the PCI DSS.
Option 2 - Site Redirect
If the site redirects users at the point of entering cardholder data to a 3rd party
payment provider (Paypal, Worldpay etc.) and the data is entered into that provider's site
instead, it 'may' be possible to reduce the scope of the PCI DSS from 240 controls
to fewer than 10 controls. For this to be true, the e-commerce site must not store,
process or transmit any form of cardholder data whatsoever.
In this article Visa notes that a series of organisations' websites that use the
redirect approach have been hacked and had the redirect modified to point at a 3rd
party hacker's site. As a consequence, Visa has recommended that even redirecting
websites undergo more thorough security assessments.
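The redirect tampering Visa describes is something a merchant can monitor for directly: the checkout page should only ever send customers to a small, known set of payment provider hosts. The following is an added example (not code from the article or from Nettitude) of such an integrity check. It parses a checkout page and flags any form action, meta refresh or JavaScript location assignment that does not point at an approved HTTPS payment provider host; a relative target is also flagged, because a form that posts cardholder data back to the merchant's own site puts that site back in full PCI DSS scope. The allowlist of provider hosts and the sample page are constructed for the demonstration.

```python
"""Integrity check for a redirect-style checkout page (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the only hosts this merchant has approved for payment redirects.
APPROVED_PAYMENT_HOSTS = {"www.paypal.com", "secure.worldpay.com"}

# Constructed sample checkout page. The script redirect has been tampered with
# (look-alike host) and the second form posts card data back to the merchant.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<meta http-equiv="refresh" content="0;url=https://secure.worldpay.com/wcc/purchase">
<script>
  function pay() { window.location = "https://paypa1-checkout.example/collect"; }
</script>
</head><body>
<form id="pay" method="post" action="https://www.paypal.com/cgi-bin/webscr">
  <input type="hidden" name="cmd" value="_xclick">
</form>
<form id="card" method="post" action="/checkout/card">
  <input name="pan">
</form>
</body></html>
"""


class RedirectTargetParser(HTMLParser):
    """Collects every place on the page that can send the customer somewhere."""

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (kind, url)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.targets.append(("form", a["action"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url=(\S+)", a.get("content") or "", re.I)
            if m:
                self.targets.append(("meta-refresh", m.group(1)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script bodies arrive here as one chunk; pick out literal
        # assignments to location / location.href.
        if self._in_script:
            pattern = r"""location(?:\.href)?\s*=\s*["']([^"']+)["']"""
            for m in re.finditer(pattern, data):
                self.targets.append(("script", m.group(1)))


def find_unapproved_redirects(html, approved_hosts=APPROVED_PAYMENT_HOSTS):
    """Return (kind, url, reason) for every redirect target that is not an
    HTTPS URL on an approved payment provider host."""
    parser = RedirectTargetParser()
    parser.feed(html)
    findings = []
    for kind, url in parser.targets:
        parsed = urlparse(url)
        if not parsed.netloc:
            # Relative URL: the merchant's own site would receive the data.
            findings.append((kind, url, "same-origin: cardholder data handled on site"))
        elif parsed.scheme.lower() != "https":
            findings.append((kind, url, "not https"))
        elif parsed.netloc.lower() not in approved_hosts:
            findings.append((kind, url, "host not in approved payment provider list"))
    return findings


if __name__ == "__main__":
    for kind, url, reason in find_unapproved_redirects(SAMPLE_CHECKOUT_HTML):
        print(f"{kind:12} {url}  <- {reason}")
```

Run against the live checkout page on a schedule (and after every deployment), the check turns the tampering Visa describes into an alert rather than something discovered from chargebacks. On the constructed sample it reports the look-alike host in the script and the same-origin card form, and nothing for the two approved provider URLs.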
To find out more about how Nettitude can help you with your Compliance requirements,
please complete our contact form,
and a Consultant will respond to your enquiry.