Crucial: So in enters Secure Payment Bridge, offering you a way to pass SAQ-C more easily?
The Secure Payment Bridge doesn’t really change anything. What it does is provide PA-DSS compliant software for Professional Edition and Enterprise Edition clients. It really has zero effect on the Self Assessment Questionnaire that is required for your SAQ level, in this case, SAQ-C.
Effective July 1, 2010, all merchants that transmit or store credit card data were required to use PA-DSS compliant software, assuming the software was an ‘off the shelf’ solution. The PA-DSS does not apply if you have developed your own software for transmitting or storing card data - it is strictly for distributed software solutions.
The SAQ level is determined by a number of questions - all available in the SAQ of your choice/need. For SAQ-C those requirements are:
1. Merchant has a payment application system and an Internet or public network connection on the same
2. The payment application system/Internet device is not connected to any other system within the merchant
3. Merchant does not store cardholder data in electronic format;
4. If Merchant does store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically;
5. Merchant’s payment application software vendor uses secure techniques to provide remote support to
merchant’s payment application system. (In comes PA-DSS)
If your organization meets these criteria then you are eligible for SAQ-C compliance.
Let’s point out now that any merchant not meeting the requirements of SAQ-A, SAQ-B (primarily offline businesses) or SAQ-C then fall into the SAQ-D requirement by default. For example, simply storing cardholder data automatically qualifies the organization for SAQ-D Compliance. SAQ-D is sort of the ‘catch all’ for any merchant not neatly fitting into SAQ-A through SAQ-C.
SAQ-C Compliancy has 43 controls that must be met. While these controls are far fewer than the 210 controls that must be complied with for SAQ-D, they should not be diminished in their complexity. Specifically, Requirement 10 (Track and monitor all access to network resources and cardholder data.) and Requirement 12 (Maintain a policy that addresses information security for employees and contractors).
While on the surface these issues may seem trivial, in the event of a breach an assigned Auditor will not see things the same way. The auditor is in place to protect the Credit Card companies and ensure that the merchant was, in fact, compliant with the ‘appropriate’ SAQ, to the letter. The SAQ must be signed by the Merchant Executive Officer, and the organization and the guarantor of the merchant account will be held liable for ‘any’ inconsistencies. PCI Compliance is an ‘all or nothing’ compliance. Fail a single requirement and you are 100% not PCI Compliant and liable for all costs incurred due to the breach.
I would advise that any readers interested in this topic take two hours and watch the following two Webinars presented by Varien, the creators of Magento.
1. PCI Compliance 101 for Magento Merchants - Presented by Magento and Coalfire Systems
Unfortunately - it doesn’t look like the second part of this PCI Compliance series has been posted for viewing at the time of this post, but suffice to say that you should be able to find it at the following URL in a short time.
TW: Some “average” consumers I’ve talked to give PayPal absolutely no trust… Perhaps the worries about losing conversions ARE overstated, but as long as I see an SSL certificate and some trustmarks I’d always prefer to just type my credit card number in with the merchant, instead of jumping through the hoops of logging into PayPal or Google and selecting the credit card there. To each their own, I suppose… but it sounds like perhaps not, anymore
I have to agree with this statement - I feel that a client that has an established Merchant Account promotes a stronger degree of trust of that Merchant.
Has anyone tried CRE Secure or another outsourced-embedded option?
This is an excellent option - we have multiple clients using this system and have heard no complaints regarding the service personally. You can bet that other systems very similar to this are being developed as you read this, as this will be the way small Merchants will be forced to do business in the future.