
Say I have an application that takes credit cards, but this is actually a payment gateway on the internet that I don't control.

The web site uses HTTPS, only returns whether the card was authorized or not, and stores the last 4 digits of the PAN.

With this setup, how much, if any, of the infrastructure is really in-scope?

Justin

2 Answers

PCI-DSS only applies to computers and systems that handle PCI (Payment Card Industry) information. If it is handled by a third party and you are only given a receipt token, then no PCI data is being handled by your system and it doesn't fall under PCI-DSS.

AJ Henderson
  • Does this extend to a full client that would be used on a machine hosted on our network? The full client would do the same thing, connect to the payment gateway then receive minimal information back. – Justin Dec 06 '13 at 15:44
  • @Justin - I'm not sure what you mean by full client. If the payment card information or any of the other protected information under PCI-DSS ever travels across the machine or is entered on the machine, then it falls under PCI-DSS to some level. The only time that payment card information can be entered without it mattering is if the computer is the consumer's computer and they are entering it themselves. If you, as a third party, run the hardware and their data is being entered or transmitted, then PCI-DSS covers the security needed for the system. – AJ Henderson Dec 06 '13 at 15:53
  • @AJHenderson - I take it that if it is being handled by the third-party (e.g. redirection to a payment gateway page), you are still responsible for validating and verifying that the third-party is PCI-DSS accredited. I don't believe you can absolve yourself of application completely. – Motivated Apr 12 '16 at 08:49
  • @motivated That is a fair point. Whoever has a merchant account is responsible for making sure they use it appropriately, however using a third party means your systems don't need to be, you just need to verify your vendor is compliant which generally just means checking their certification. – AJ Henderson Apr 12 '16 at 12:56

The application infrastructure is in scope, because the PAN is transmitted through it.

TildalWave