I saw that Amazon extended its payment infrastructure out to other retail websites, enabling shoppers on those...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
sites to use their Amazon login information to make purchases. What are the PCI DSS compliance implications for retailers that choose to offload the payment infrastructure to Amazon payment processing? Is this generally a good security move for smaller sites?
Ask the Expert
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Small merchants generally achieve three significant benefits from outsourcing credit card payment processing to options like Amazon Payments. First, such organizations often find that their costs are reduced from the economies of scale that the large provider brings to the table compared to the costs of operating a credit card processing infrastructure themselves. Second, outsourcing payment operations reduces the technical complexity of the merchant's environment; and third, if properly implemented, outsourcing greatly reduces the merchant's PCI DSS compliance burden.
As for whether choosing Amazon payment processing will provide those benefits to merchants, the critical detail is identifying whether the merchant outsources sufficient activities to qualify for the easiest PCI DSS Self-Assessment Questionnaire, SAQ A. Websites using Amazon Payments and similar services may qualify for SAQ A if they meet the following criteria:
- They do not engage in any face-to-face credit card transactions. All transactions take place through the website or via mail/phone order.
- They do not store, process or transmit any cardholder information on their own systems or premises, and they rely upon the service provider to cover these activities.
- They verify that the service provider is PCI DSS compliant.
- They retain only paper reports with cardholder information and do not receive those reports electronically.
- They do not store any cardholder data in electronic form.
If a website operator meets all of these requirements, it is eligible to complete the brief SAQ A, which includes only two pages of requirements relating to the organization's physical security and information security policy. This leads to a much easier life compared to dealing with the more detailed and complex SAQs required of other merchants.
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
Encrypting data going to the cloud is a security best practice, but does it add extra challenges for regulators that might need to access the data? ...continue reading
Merchants that sell at off-site venues need to take extra care to follow PCI compliance standards. Expert Mike Chapple discusses how organizations ...continue reading
The FTC's order for PCI DSS compliance assessments is odd since PCI isn't a government regulation. Expert Mike Chapple explains the motivation ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.