Your selected question
I am an e-commerce merchant, is there a way of reducing the scope of PCI DSS?
If an ecommerce merchant is using a compliant Payment Service Provider to handle all of their ecommerce trade in such a way that the merchant does not handle/view any cardholder data then quarterly network scans are not required reducing the cost and scope of PCI DSS. For merchants that do not need to see the cardholder data then using Barclaycard ePDQ in a fully hosted payment page or ePDQ with POWA is the most PCI DSS efficient way of transacting over the internet. All that would be required of these merchants is the completion of SAQ A* which is the shortest of the Questionnaires as the cardholder data functions are fully outsourced.
The important point to remember is that if the merchant uses the virtual terminal facility of any payment gateway e.g. from our ePDQ range and logs onto the secure site to manually input card payments then they may put themselves back into scope for needing a scan as there is a potential vulnerability with their internet connection prior to accessing the secure site. A scan(s) would need to be carried out by a Security Standards Council Approved Scanning Vendor (ASV) and a fee would be chargeable for the service. Version 2 of PCI DSS has introduced SAQ C-VT* which may apply depending on the card processing environment, if the merchant can complete all questions in the eligibility section and qualifies for this SAQ then a scan is not required. Alternatively to avoid the necessity for scans those merchants who have customers that don't want to pay via a website should run payments taken over the telephone or face to face through a standalone card terminal connected to an analogue telephone line. Taking payments via the standalone card terminal would negate the need for a network vulnerability scan and therefore qualify for SAQ B*.
Should the business need dictate that the merchant must see the cardholder data then ePDQ MPI or ePDQ Extra Plus will allow them to have full control of the process. In terms of PCI DSS the merchant will qualify for SAQ C or D* depending on if storing electronic cardholder data and will need to have quarterly network scans.
* Barclaycard has worked with Sysnet Global Solutions who are a security specialist to create the profile questioning to correctly identify the SAQ type that applies given the various processing scenarios. In addition the agent will analyse the profile answers to look for scope reduction opportunities; we can refer merchants to one of Sysnet's experts for technical discussions where necessary. Merchants are at liberty to consult with any Qualified Security Assessor (QSA) for advice. View a list of certified QSAs.
How useful did you find the answer given?Not at all Very useful