Information Security
pci-dss pci-scope
Updated Sat, 10 Sep 2022 04:58:46 GMT

PCI-DSS: Is the infrastructure really in-scope?


Say I have an application that takes credit cards, but this is actually a payment gateway on the internet that I don't control.

The web site uses HTTPS, only returns whether the card was authorized or not, and stores the last 4 digits of the PAN.

With this setup, how much, if any, of the infrastructure is really in-scope?




Solution

PCI-DSS only applies to computers and systems that handle PCI (Payment Card Industry) information. If it is handled by a third party and you are only given a receipt token, then no PCI data is being handled by your system and it doesn't fall under PCI-DSS.





Comments (4)

  • +0 – Does this extend to a full client that would be used on a machine hosted on our network? The full client would do the same thing, connect to the payment gateway then receive minimal information back. — Dec 06, 2013 at 15:44  
  • +0 – @Justin - I'm not sure what you mean by full client. If the payment card information or any of the other protected information under PCI-DSS ever travels across the machine or is entered on the machine, then it falls under PCI-DSS to some level. The only time that payment card information can be entered without it mattering is if the computer is the consumer's computer and they are entering it themselves. If you, as a third party, run the hardware and their data is being entered or transmitted, then PCI-DSS covers the security needed for the system. — Dec 06, 2013 at 15:53  
  • +0 – @AJHenderson - I take it that if it is being handled by the third-party (e.g. redirection to a payment gateway page), you are still responsible for validating and verifying that the third-party is PCI-DSS accredited. I don't believe you can absolve yourself of application completely. — Apr 12, 2016 at 08:49  
  • +0 – @motivated That is a fair point. Whoever has a merchant account is responsible for making sure they use it appropriately; however, using a third party means your systems don't need to be compliant, you just need to verify your vendor is compliant, which generally just means checking their certification. — Apr 12, 2016 at 12:56