
I am developing a Multi-tenant application to allow tenants to open an e-commerce shop (similar to Shopify). We are hosted on AWS.

At this point there will be under 20,000 transactions in the first year but I am a bit confused regarding PCI Compliance in this case.

I (and my tenants) will use a payment provider that allows a Direct POST request via their API with credit card details over HTTPS. That means credit card details will be sent directly from the customer to the payment provider, using a custom payment form generated by our application.

We will not be storing any credit card details except for the last 4 digits (which are received from the payment provider after a successful transaction).

I would appreciate comments regarding PCI Compliance for the application, both for myself and my tenants. (Am I considered a Level 2 service provider, and is SAQ-D enough?)

shimsag

1 Answer


From the description of your service, your merchants (and I'm assuming they are small merchants, so SAQ eligible) will be required to provide an SAQ A-EP to their acquiring banks. There's lots of confusion in the world about what service providers need to do, so excuse the length of this because there are actually two questions to be addressed.

TL;DR Summary

  1. Your customers need to be PCI DSS compliant, and they will rely on you for some of the evidence to support that. You can have a QSA produce a Report on Compliance (RoC) or self-assess with a Self-Assessment Questionnaire (SAQ). You provide the RoC or SAQ to your customer, and they use that to complete their SAQ A-EP, which they give to their acquirer. Given JavaScript skimming attacks are so prevalent at the moment, having an independent QSA assessment would be good, especially for a new system, and if ever anything went wrong, it would show you'd not been negligent.

  2. Being a listed service provider by a brand is a completely separate thing and is where the L1 and L2 designation comes from. Each brand has its own rules about who it lists and what evidence (SAQ or RoC) is required. You do not have to do this unless you work with a card brand's customer (i.e. a bank or other financial institution). However, some card brands allow you to choose to do this for marketing purposes.

Providing evidence of PCI DSS compliance to your customers

You are a service provider to those merchants, and you will be responsible for providing evidence to each merchant that you are meeting the requirements in SAQ A-EP on their behalf. So you need to be in a position to provide this evidence.

The best way to do this would be to have a QSA assess your environment and produce a report on compliance (RoC) that you could provide to each of your customers when they ask about PCI DSS. Although the QSA would use the full RoC template they would only assess you against the requirements in SAQ A-EP, marking the others 'Not Applicable' or 'Not Tested' (that's a long conversation with your QSA). What you're doing is producing the evidence for your merchants to prove their compliance to their acquirer.

Rather than having a QSA do this, you could choose to self-assess, and whether your self-assessment is sufficient for your merchants is a question for each merchant: the standard does not make this distinction; it is a question of contract etc. between you and your customers. If you self-assess you should use SAQ D for service providers, but only completing the requirements contained in SAQ A-EP. PCI SSC FAQs 1131 and 1382 are useful.

Providing evidence to the card brands' service provider programs

Now, the question of being a "Service Provider". The L1 and L2 service provider programmes are run by some card brands (Mastercard and Visa). Each has its own separate definition of what an L1 or L2 service provider is (although they are both the same at the moment).

If you want to be 'listed' as a compliant service provider by Visa, then given the number of transactions you would be an L2 service provider and most probably need to provide the SAQ D (with just the SAQ A-EP requirements completed). I'm no longer an expert on Visa's compliance programs, but this is the page to consult.

Mastercard's listing requires you to be registered by a Mastercard customer. Again here's the relevant page.

withoutfire
  • Thank you very much for the detailed explanation. My tenants (merchants) will be mostly e-commerce shops selling simple goods such as clothing and food products. So it seems that being listed as a Service Provider is irrelevant. I will use an ASV to scan my infrastructure too. However, I will look into the option of using a QSA (I believe it will be too expensive for me at this point but worth checking). By the way, would it make any difference to compliance requirements if we use iFrame or page redirects instead? – shimsag Feb 16 '21 at 10:52
  • If you were to use an IFRAME then your merchants would probably need to complete SAQ-A, which has far fewer requirements but also poses less risk to both you and them; there are fewer attacks against IFRAMEs. Modern IFRAME implementations can be very customizable. It would dramatically reduce your and your customers' compliance obligations. – withoutfire Feb 17 '21 at 09:23