I'm working on a project that requires PCI protected data (card PIN numbers) to be made visible to customers, via a Third Party (non-PCI-compliant) company site.
The hierarchy is as follows:
- Us > PCI Compliant > Platform Provider
- Third-party > Not PCI Compliant > Our Customer
- Customer > Card User > Third Party Customer (but we are responsible for financial data)
We can show the PIN via a web page (if it is served under SSL) but we cannot allow the PIN to be passed to the Third Party in any way in case it is stored. So REST calls are out of the question, as are iframes.
The ideal process would be:
- Customer visits the Third Party site and requests to view their card PIN.
- The PIN is displayed (served from our site) on a page served under SSL.
The process required to do this is difficult to figure out because:
- We need the PIN request [to appear] to be made from the Third Party site as the customer is 'theirs'; we provide the platform for the cards.
- We need it to be served under SSL to meet PCI compliance.
- We cannot serve this with a REST call to the Third Party.
- We cannot have the Third Party retrieve this PIN in case it is stored or an app is written to scan and retrieve all their customers' PINs.
- We need all this to be managed via Web Browser(s) and transparently, so the customer doesn't have to enter a password or provide an encryption key.
We can show the PIN on one of our own unbranded pages, but I cannot see how we can pass any required sensitive data (via the Third Party site) to instantiate this request without providing/leaving sensitive data on the Third Party's site.
This doesn't sound possible to me - without the customer providing some sort of secret key to retrieve the PIN "directly" via the Third Party Site. But I wanted to ask, in case somebody has any ideas or has experienced similar issues?
Thank you in advance!