
We (merchant) will be using a SaaS to sell learning modules and accept credit card payments through a redirect to a service provider that will process the credit card payments. The SaaS will be hosted by Amazon web services.

Should the SaaS provider need to be PCI compliant (because since PCI v3.1 those who redirect are in scope)? Or should Amazon, who will be hosting the SaaS, be the one subject to PCI compliance?



There are 3 elements you need to take into account with the business model you describe:

  1. Amazon needs to be PCI compliant because they operate the infrastructure behind companies that accept debit, credit or pre-paid cards. No worries here because, as a matter of fact, Amazon is PCI Compliant (https://aws.amazon.com/es/compliance/pci-dss-level-1-faqs/)
  2. Your eCommerce SaaS provider also needs to be PCI compliant. Depending on the vendor you have signed a contract with, they might also need to take an ASV Scan for vulnerabilities. I can only guess that your provider won't process or store payment data, only transmit it to the third-party payment processor. In any case, that's your vendor's responsibility, so choose your vendor carefully. (If you wanna learn more about this, please refer to this table https://www.pcicomplianceguide.org/wp-content/uploads/2016/01/3.1-SAQ-Routing-for-the-E-Commerce-Merchant-ControlScan-3.png)
  3. The third-party payment data processor obviously has to be PCI Compliant (and probably is, so there's no need to go deeper here).

Needless to say, if your company (SaaS provider aside) processes, transmits or stores any payment data on premises, by phone or in any other way you come across in your business model, then you need to be PCI Compliant as well.
