A common scenario for e-commerce credit card types of transactions is a website with a connection to a third party payment processor. For a number of reasons you might not want to use an iFrame or page redirect, but doing so opens up your PCI scope significantly. Assuming the cardholder data would never be sent to your servers I would like to know if using a PCI compliant third party CDN (e.g. AWS CloudFront) would reduce your PCI scope regarding infrastructure significantly?
Take this example; a merchant's website consists of one html file that contains a form for collecting a customer's information and their credit card details. When the customer has filled in the details and presses submit the credit card data would be sent to the third party processors directly from the browser via an ajax POST, and receives a token in return. The token and other data is then sent off to the merchant's server, of course excluding any cardholder data.
Assuming the website is the only in scope system it would seem like a lot of the PCI requirements would no longer apply. It would be segmented by default, the CDN provider would take care of antivirus and IDS/IPS, you can't SSH into it, there are no internal services like SMTP, the firewall configuration would be greatly reduced or removed (since there may be only one port in and out)...I'm sure there's more.
Of course you'd still need to ensure the code is written in a secure way, have penetration test, and there are many other requirements that still apply, but at first glance this seems like a very secure solution, like a sealed box, that could greatly reduce scope.
Questions:
- For the example above what will the scope be? Just the CDN distribution? The origin? The development computer used to upload the html file?
- Will it be a problem if you can't monitor/log the low level traffic yourself? I guess the CDN will be responsible for that.
Edits: I changed the question from iFrames to using an API as that seems more useful, as often using an iFrame will reduce a merchant to SAQ A unless you're a service provider.