
An e-commerce site uses the Direct-Post method (see page 14 of the PCI e-commerce security guidance). Is the server for the e-commerce application, and the network it resides on, in scope for PCI? There are questions in the SAQ A-EP for servers and networking that appear to apply.

J. Lam

1 Answer

To quote the document you've provided, emphasis mine:

[When performing Direct Post] the payment form is provided by the merchant; therefore, the merchant’s systems are in scope for additional PCI DSS controls, which are necessary to protect the merchant website against malicious individuals changing the form and capturing cardholder data.

And SAQ A-EP is applicable to Direct Post merchants:

Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;

So, yes, your server that provides the checkout page is in-scope for PCI, even though the Direct Post sends card data directly to the payment processor. You should fill out SAQ A-EP accordingly.

gowenfawr