Our current setup.

We fully outsource our card processing service to a PCI compliant vendor. The way customers enter their card information is from a web page iframe delivered directly to their browser from the 3rd party vendor.

Our understanding is that this gives us the green light to use Checklist A because we do not control the page and card data never touches our company network.

My question:

We also have a billing application (on our network) that also has an embedded browser to which a credit card entry page is loaded from the 3rd party (iframe). We use this in case a customer calls us to update their card info.

Our accounting department types the updated card number into the web page (delivered from the 3rd party) and posts the update.

Does this process now exclude us from using checklist A?

Many thanks for responses. Regards, Bryan


2 Answers

When your agents key in a customer's details they are classified as using a Virtual Terminal:

A virtual payment terminal is web-browser-based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser.

SAQ A is likely not applicable; there is a specialised SAQ that covers this, SAQ C-VT, which is for:

Merchants with Web-Based Virtual Payment Terminals—No Electronic Cardholder Data Storage

This is something you should ask your service provider or a QSA to clarify/help with.

Alex K.

I'd be careful about using SAQ-A as it only applies if:

Your company has no direct control of the manner in which cardholder data is captured, processed, transmitted, or stored;

And, you most certainly can't use SAQ-C-VT as it only applies if:

Your company’s only payment processing is via a virtual payment terminal accessed by an Internet connected web browser;

Consequently, if I were in your shoes, I'd be using SAQ-C. SAQ-C sucks though, so if I were in your shoes, I'd be even more tempted to implement a user login/credit card update form so that customers can update their own credit card numbers, keep your accountants entirely out of the loop, and let you stay at an SAQ-A!!

0708