The PCI Security Standards Council (PCI SSC) recently updated its criteria for merchants that validate PCI DSS compliance using the Security Assessment Questionnaire (SAQ) A.
It has removed the requirement for merchants to implement authorization and integrity checks for every script they load and execute in a consumer's browser.
You're required to validate PCI DSS compliance using the SAQ A if you process fewer than 6 million transactions per year on a single card brand and use any of the following:
- Flow
- Frames
- Hosted Payments Page
- Payment Link
The PCI SSC has introduced a new requirement for merchants to confirm that:
- All elements of the payment page(s)/form(s) delivered to the customer’s browser originate only and directly from a PCI DSS compliant TPSP/payment processor.
- Your site is not susceptible to attacks from scripts that could affect your e-commerce system.
What this means for you
When you next fill in your SAQ A as part of your PCI DSS assessment, you can confirm both of the statements above on the following basis:
- Checkout.com is a PCI DSS compliant TPSP/payment processor.
- The payment page originates only and directly from Checkout.com systems.
- The separation between your website and the Checkout.com payments solution means your e-commerce system is not susceptible to attacks from scripts.
If you’ve already deployed solutions to manage JavaScript on your site, we encourage you to keep using them, as they will improve your security.
If you have questions about this update, we recommend speaking to your PCI DSS Qualified Security Assessor. Checkout.com partners with SecurityMetrics, a QSA company, to help our merchants with PCI compliance.
SecurityMetrics is best equipped to answer specific questions about your scope of compliance. For the best way to contact SecurityMetrics, visit their website.