What is in Scope for eCommerce Outsourcing?
by Viviana Wesley, PCI QSA, ISO 27001 Auditor, CISM
When an organization outsources its eCommerce environment to a third-party service provider (TPSP), the integration method used has a drastic impact on that organization’s PCI DSS compliance scope and on the PCI DSS requirements that apply. However, this was not explained very well before version 4.0 of the PCI DSS was released. In late 2017, the PCI SSC published a guidance document on best practices for securing outsourced eCommerce environments for PCI DSS compliance. Since it was only a guidance document, the recommendations made within it did not directly change the published PCI DSS or SAQs. This document, which is still published on the PCI SSC’s website,[1] includes a very helpful table that explains the compliance impact of each eCommerce outsourcing integration type; it has been included below for ease of reference. The PCI SSC routinely updates and removes published materials as their relevance fades, so the fact that this document is still available on their site indicates that it remains relevant.

In the table below, the “E-commerce Method” is how an organization integrates its website with the third-party service provider. The “Number of Questions under PCI DSS v3.2” column gives the number of PCI DSS requirements that must be addressed for PCI DSS compliance purposes. The PCI DSS requirements applicable to the servers hosting these integrations are determined by the Self-Assessment Questionnaire (SAQ) type that applies to that integration type, as shown in Figure 7 below. Please keep in mind that the numbers in that column have increased, since that count was for PCI DSS version 3.2.
Table: PCI DSS requirements by eCommerce outsourcing method
The PCI SSC also has a Frequently Asked Question (FAQ) article published online (and included below for your reference)[2] that explains the council’s stance that the servers hosting integrations to third-party service providers that provide outsourced eCommerce services should be seen as in scope for PCI DSS compliance, even if only for a subset of requirements. This article explains how, when using a URL redirect or iFrame integration, the server hosting that integration, and any server that can impact the security of that integration, comes into scope for compliance. Though this article was published in 2019, the PCI SSC routinely reviews, updates, and removes irrelevant FAQs, so its continued publication indicates that it is still relevant.
How do PCI DSS Requirements 2, 6 and 8 apply to SAQ A merchants
Merchants eligible to complete SAQ A are e-commerce or mail-order/telephone-order (MOTO) merchants that outsource all payment processing and do not store, process or transmit cardholder data on their premises or systems. E-commerce merchants eligible for SAQ A include those that completely outsource all website operations, including those using URL redirect or another mechanism that meets SAQ A criteria to redirect consumers to a compliant third party for payment processing.
Where URL redirection mechanisms to third-party payment processing systems reside on merchant-managed websites, those mechanisms must be protected from ongoing threats, such as man-in-the-middle attacks that aim to manipulate URL redirection mechanisms to direct traffic to malicious sites without the consumers’ knowledge. For this reason, requirements for changing default passwords (Requirement 2); implementing basic authentication, such as requiring a unique user ID and strong password (Requirement 8); and installing applicable security patches and ensuring critical patches are applied within one month of release (Requirement 6) are included in SAQ A. These requirements are intended to help protect merchant websites from compromise and maintain the integrity of the redirection mechanism.
In a simple e-commerce environment where the merchant webserver contains the mechanism that redirects customers from their website to a third party for payment processing, the merchant will need to validate these requirements for the webserver upon which the redirection mechanism is located.
It is also possible for a SAQ A merchant to have a more complex e-commerce environment, where additional system components (such as application servers, database servers, and web proxies) control or could impact the integrity of the redirection mechanism. In these scenarios, the requirements would apply to all system components comprising or managing the redirection mechanism.
MOTO or e-commerce merchants that have completely outsourced all operations, including all management of their website, may not have any systems in scope for SAQ A and, in such circumstances, these requirements could be considered “not applicable.” If a requirement is deemed not applicable, the merchant should select the “N/A” option for that requirement, and complete the “Explanation of Non-Applicability” worksheet in Appendix C for each “N/A” entry.
May 2019
Article Number: 1439
Lastly, Self-Assessment Questionnaire A[3], the SAQ for outsourced eCommerce, includes this note in the “Merchant Eligibility Criteria for Self-Assessment Questionnaire A” section of the “Completing the Self-Assessment Questionnaire” introduction:
Note: For this SAQ, PCI DSS Requirements that address the protection of computer systems (for example, Requirements 2, 6, 8, and 11) AND requirements that refer to the “cardholder data environment” apply to the following e-commerce merchants:
- Those that redirect customers from their website to a TPSP/payment processor for payment processing, and specifically to the merchant web server upon which the redirection mechanism is located.
- Those with a website(s) that includes a TPSP’s/payment processor’s embedded payment page/form (for example, an inline frame or iFrame), and specifically to the merchant web server that includes the embedded payment page/form.
These PCI DSS requirements are applicable because the above merchant websites impact how the account data is transmitted, even though the websites themselves do not receive account data.
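As an added example (not part of this article or of any PCI SSC publication), the following check verifies that the redirect and iFrame targets on a merchant checkout page still hand customers to the expected TPSP over HTTPS, which is the integrity of the redirection mechanism that the FAQ and SAQ note above place in scope. The allowlisted TPSP host, the sample pages and the look-alike host are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of the TPSP hosts the merchant integrates with (constructed value).
ALLOWED_TPSP_HOSTS = {"pay.example-tpsp.com"}


class PaymentTargetParser(HTMLParser):
    """Collect every place the page hands the customer to a payment page:
    form actions, iFrame sources and meta-refresh redirects."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form" and a.get("action"):
            self.targets.append(("form", a["action"]))
        elif tag == "iframe" and a.get("src"):
            self.targets.append(("iframe", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(("meta-refresh", m.group(1)))


def find_unexpected_targets(html, allowed=ALLOWED_TPSP_HOSTS):
    """Return the (kind, url) pairs that do not go over HTTPS to an allowlisted
    TPSP host; a non-empty result means the redirection mechanism changed."""
    parser = PaymentTargetParser()
    parser.feed(html)
    unexpected = []
    for kind, url in parser.targets:
        parsed = urlparse(url)
        if parsed.scheme != "https" or parsed.hostname not in allowed:
            unexpected.append((kind, url))
    return unexpected


# Constructed sample pages: the approved baseline and a copy whose iFrame
# source was altered to a look-alike host.
BASELINE_PAGE = (
    '<form action="https://pay.example-tpsp.com/checkout">'
    '<iframe src="https://pay.example-tpsp.com/card"></iframe></form>'
)
TAMPERED_PAGE = BASELINE_PAGE.replace(
    "https://pay.example-tpsp.com/card",
    "https://pay.example-tpsp.com.example.invalid/card",
)
```

Running this on a schedule against the live checkout page, and alerting on any non-empty result, gives the merchant web server a simple tamper check for the redirection mechanism that SAQ A still requires it to protect.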
Based on updated guidance and publications from the PCI SSC, eCommerce outsourcing merchants should ensure that any servers in their environment that host integrations to third-party service providers for eCommerce outsourcing are in scope for PCI DSS compliance. Solutions that were sold to organizations as fully outsourced eCommerce solutions now need to be verified as truly fully outsourced, rather than outsourced solutions where the merchant still has a PCI DSS compliance obligation for the servers hosting integrations to TPSPs. Until that information is verified, organizations could inadvertently be excluding in-scope systems from their self-assessment, because TPSPs are shifting how they explain PCI DSS responsibilities to their customers for their outsourced solutions.
[1] https://docs-prv.pcisecuritystandards.org/Guidance%20Document/e-Commerce/best_practices_securing_ecommerce.pdf
[2] https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/How-do-PCI-DSS-Requirements-2-6-and-8-apply-to-SAQ-A-merchants/
[3] https://docs-prv.pcisecuritystandards.org/SAQ%20(Assessment)/SAQ/PCI-DSS-v4-0-SAQ-A-r2.pdf