Complying with PCI DSS when using a hosted payment page

This is part two of a post about moving away from PayPal to your own merchant account and hosted payment page solution – read part one here. The advice below is for those who are using hosted payment pages on a compliant Payment Service Provider (PSP) and is based on my experiences, please always check with your bank and PSP.

The Payment Card Industry Data Security Standard is the source of large amount of misinformation and appears to be becoming a nice little earner for companies who will help you to become compliant. If you are only using a hosted Pay Page as described in my last post, card numbers are never entered on your server, and you do not take phone/fax or in-person orders that you process through a physical or virtual terminal then PCI Compliance is a simple process of filling out a form. It takes a few minutes.

You might first become aware of needing to comply with the PCI DSS when your bank sends you a letter telling you that you are non-compliant and so they are going to take an extra percentage of each transaction they process. This letter will point you to a third party company who will help you to become compliant – for a fee.

I object to paying people to fill in forms for me and so when this happened after switching our payments for Perch away from PayPal to a full PSP and merchant account solution, I told the third party that I would be completing the form myself and was given an email address to send it to once I had done that.

Completing the SAQ A

If you are only taking payments via a third party hosted payment page and the PSP is “Level One PCI Compliant” you need to fill in the form called SAQ A.

The role of this form is to declare that you don’t handle any card data but outsource all of that to your PSP, however you need to declare this in the most confusing and unclear way possible. Below I have explained what was accepted for us – I am not an expert in PCI compliance, so use this information at your own risk, and obviously if you are touching cardholder data in any way you need to get advice as to which SAQ you need to complete.

Part 1 and 2a contains some basic company details you need to complete.

Part 2b. Eligibility to complete SAQ A is where the form checks that you are not actually doing anything other than using a PSP. So you should be able to check all of these if you never touch, see or hear credit card information and have no access to it.

Part 3 is where you confirm that you are compliant, so you can tick the compliant checkbox. In Part 3a you need to confirm that PCI DSS Self Assessment Questionnaire was completed according to the instructions therein. The questionnaire this refers to will be at the bottom of the document you are completing if you downloaded the SAQ A Self Assessment Questionnaires rather than just the Attestation of Compliance.

Self Assessment Questionnaire A

Despite the fact that we have declared that we do not touch or store any cardholder data, you have to indicate that you have completed a questionnaire which asks what you do with the cardholder data you store. Baffled? I was too. If you need to submit this questionnaire in completed form then go down the form entering N/A in the column headed “Special”. Then keep on scrolling until you find the … Appendix D: Explanation of Non-Applicability and here we can explain, again, that we don’t touch any cardholder data. Under requirement you need a line for 9.6, 9.7, 9.8, 9.9, 9.10 and in the column “reason requirement is not applicable” put something like “Cardholder data is never received or stored by us”, then create a line for 12.8 and write “cardholder data is never shared with service providers”.

You can then happily check the checkboxes under Part 3a, sign and date the form and send it by whatever method your bank or their third party company has requested.

If your situation changes

Remember that it is up to you to maintain compliance. As long as your situation doesn’t change and you continue to only take card payments via a page hosted on a secure PSP, then each year you will just need to fill out this form and you are deemed compliant. If you do start doing anything that involves you processing, handling or storing card numbers then you need to take advice as to which level of the PCI DSS you need to comply with. Having dealt with applications that do store card data in the past I am very happy to continue to outsource that liability to my PSP for my own business.

Let me know your experiences

It is really hard to get any reasonable information and guides to complying with the PCI DSS. The cynic in me says this is because the banks and third party security companies are making money out of this. If you are storing cardholder data then it stands to reason that complying with strict security measures is important, however for those of us who have sensibly opted to pass this responsibility onto a third party I really wish this process wasn’t made to seem more complicated than it is.

So, if you have any experiences or information that might help other people with the SAQ A or see any errors in my information please add a comment. I have written this purely from my experience, I’m sure it can be improved with input from other people who have worked with different banks and PSPs – let’s make sure this information is available so people aren’t paying someone else to fill in a form that essentially says “we don’t touch any cardholder data”.

2 Comments

Annette September 16, 2011 Reply

Oh the joys of this paperwork! I have to fill in Questionnaire B because I have a hand held device – which stores no information at all. I do feel like a very small nut staring up at a sledgehammer… The “quick guide” runs to 34 pages – hate to see the long version. So much of it seems to repeat itself – how many people worked on this?? I do understand it for large companies, and to make small businesses aware of the problems, but for sole traders who don’t store any kind of information there still seems to be a mountain of paperwork, with very little relevant guidance. I dropped a line to this effect to the Security Standards Council stating as much, and I suggest that others do the same.

Derek February 24, 2012 Reply

I’m so confused. I wanted to open a merchant account with my bank and through the whole process they never mentioned to me about PCI DSS. Then when I called to question this they advised me that if I could not complete the PCI my charges would be £50 per month! Thank you HSBC for that. I shall of course comply but it would have been nice to be informed at the time of setting up a merchant account. I’m just a small start up business and already I feel the pressure of a multinational.

Leave a Reply