Information Security
pci-dss pci-scope
Updated Thu, 02 Jun 2022 02:46:57 GMT

Platform Change


So we converted our website from an internally created site to a Magento Cloud environment. In the process, we had to change how we handle credit cards.

We used to redirect the user to the payment processor's site to complete the payment then come back to our site for the final receipt.

Now we have to handle the credit cards on the site because the developers could not get that redirection working with our current payment processor. We still do not store anything other than the token.

Since we are in the Magento Cloud and have no admin rights to the code for the cart, isn't that essentially a third party handling the payment process for us?




Solution

If the card number touches your servers in a readable form at all, you're under the full PCI SAQ D. You may be able to report N/A for parts of it (such as card data storage if you're not storing anything, assuming you aren't accidentally storing it in server logs), but you still have to deal with evaluating the whole thing. Depending on your size, you may also be required to get an external QSA to audit you annually, but you're likely well below that threshold (6 million card transactions per year).

You can mitigate this in several ways other than a straight redirect. This question lists out the general options, and the accepted answer explains which SAQ level they'd each be.
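One concrete check for the point the answer raises about card data accidentally landing in server logs: an added example, not part of the original post, that scans constructed log lines for Luhn-valid card numbers and reports each hit with the number masked. The log lines, token and order id are all made up for the example.

```python
import re

# Constructed sample log lines (not from the original post): one carrying a
# payment token, one leaking a Luhn-valid test PAN, one with a 16-digit
# order id that is not a card number.
SAMPLE_LOG = """\
2022-06-02 02:46:57 INFO checkout step=payment token=tok_7f3a9c2d
2022-06-02 02:46:58 DEBUG gateway request body=card=4111111111111111&exp=1224
2022-06-02 02:46:59 INFO order id=1234567890123450 status=paid
"""

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card-number candidates found in text, digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found

def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits (the PCI-permitted display form)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_log(log: str) -> list[tuple[int, str]]:
    """Return (line_number, masked_pan) for every log line containing a PAN."""
    hits = []
    for lineno, line in enumerate(log.splitlines(), start=1):
        for pan in find_pans(line):
            hits.append((lineno, mask_pan(pan)))
    return hits

if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: card number found {masked}")
```

Timestamps and the order id are not reported because they either fall short of 13 digits or fail the Luhn check; any hit means the log store is in PCI scope and the logging call needs fixing.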