http://commercelab.ipcommerce.com
Introduction
In 2004, the payment card brands aligned their individual cardholder data protection programs to create the Payment
Card Industry Data Security Standard (PCI DSS). This alignment provides an industry-wide framework that forms the
basis of each brand's individual security program. Those programs compel merchants and payment service providers to
enact measures that protect cardholder information; the PCI DSS itself specifies the security controls required to
protect cardholder data end to end in the transaction-processing environment.
Achieving PCI DSS compliance can be a complex and lengthy process, and the merchant often begins it with no idea of
the total cost of bringing its payment processing in line with the standard and keeping it there to avoid decertification.
While the process is generally understood and accepted by the largest merchants, a smaller merchant is often left
without a resource, a plan, or any notion of the cost of achieving and demonstrating compliance.
Business White Paper Solving PCI Compliance for E-Commerce Merchants
Whether PCI DSS applies to a merchant's systems comes down to a litmus test: does the system store, process, or
transmit the Primary Account Number (PAN)? If those activities, together with the merchant level, define the scope of
compliance, how can a small merchant limit or remove them from its environment while still accepting credit cards as a
payment method?
[Figure callout: seamless branding and checkout flow occur across the merchant and secure payment environments]
FIGURE 2: Normal checkout activities occur at the merchant site
FIGURE 3: Hosted payment page using HTML clone technology
The implementation of the workflow shown above uses a secure form post to pass a series of required fields to the
Hosted Payments Page servers. The transaction itself, including the collection and routing of all sensitive data, is then
handled by servers hosted in a PCI compliant data center. Upon completion of the transaction, a response is returned as
key/value pairs in an HTTP POST (postback) to the supplied return URL; the example below shows the same pairs as
parameters on the return URL. Note that the PAN comes back masked (only the last four digits survive), which is what
keeps the merchant's cart out of scope, and that the postback reaches the merchant by way of the shopper's browser, so
the merchant must authenticate it before treating an order as paid. An example of a successful transaction (where
return.aspx is the return URL):
https://mydomain.com/return.aspx?order_id=6&code=000&msg=Success&error=&mPAN=XXXXXXXXXXXX1234&name=Joe%20Shopper&type=Visa&exp=1012&transID=&osCsid=ddc2e76644e8dde7308d42606f7f7e74
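The merchant-side handler for that postback, as an added example that is not part of the white paper or the vendor's integration kit. The field names are the ones in the example URL above; the `sig` HMAC parameter, the shared secret and the pending-orders table are assumptions, since the paper's example carries no authentication field. What it demonstrates is the check a practitioner wants at this point in the workflow: the postback arrives through the shopper's browser, so the return URL must authenticate it, refuse replays, and confirm that only a masked PAN reached the merchant environment before marking the order paid.

```python
"""Return-URL handler for a hosted-payment-page postback (added example).

Illustrative code, not the vendor's SDK. The field names come from the white
paper's example postback; everything else is an assumption:
  * the provider signs each postback with HMAC-SHA256 over the sorted
    key=value pairs using a shared secret and sends it as a `sig` parameter
    (the white paper's example carries no such field);
  * the merchant keeps a dict of pending orders keyed by order_id.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Parameters present in the white paper's example postback.
POSTBACK_FIELDS = ("order_id", "code", "msg", "error", "mPAN", "name", "type", "exp", "transID")
SUCCESS_CODE = "000"
# A masked PAN is X's followed by the last four digits; anything else is treated as cardholder data.
MASKED_PAN_RE = re.compile(r"^X+\d{4}$")

# Constructed sample mirroring the paper's example (transID filled in for the demo).
EXAMPLE_POSTBACK = {
    "order_id": "6", "code": "000", "msg": "Success", "error": "",
    "mPAN": "XXXXXXXXXXXX1234", "name": "Joe Shopper", "type": "Visa",
    "exp": "1012", "transID": "T-0001",
}


def parse_postback(url_or_body: str) -> dict:
    """Return the key/value pairs from a return URL's query string or a form body."""
    query = urlsplit(url_or_body).query if "://" in url_or_body else url_or_body
    return dict(parse_qsl(query, keep_blank_values=True))


def postback_signature(params: dict, secret: bytes) -> str:
    """Assumed scheme: HMAC-SHA256 over the sorted key=value pairs, excluding `sig`."""
    canonical = urlencode(sorted((k, v) for k, v in params.items() if k != "sig"))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def build_postback(params: dict, secret=None) -> str:
    """Build a return URL as the assumed provider would; unsigned when secret is None (demo only)."""
    signed = dict(params)
    if secret is not None:
        signed["sig"] = postback_signature(params, secret)
    return "https://mydomain.com/return.aspx?" + urlencode(signed)


def is_masked_pan(value: str) -> bool:
    return bool(MASKED_PAN_RE.match(value))


def handle_postback(url_or_body: str, secret: bytes, pending_orders: dict) -> dict:
    """Decide whether a postback may mark an order paid; never trusts unauthenticated input."""
    params = parse_postback(url_or_body)
    missing = [f for f in POSTBACK_FIELDS if f not in params]
    if missing:
        return {"ok": False, "reason": "missing fields: " + ",".join(missing)}
    # Authenticate first: the redirect arrives via the shopper's browser, so an
    # unsigned code=000 is something the shopper could type in themselves.
    if not hmac.compare_digest(params.get("sig", ""), postback_signature(params, secret)):
        return {"ok": False, "reason": "bad signature"}
    # Refuse anything that would pull a full PAN into the merchant environment.
    if not is_masked_pan(params["mPAN"]):
        return {"ok": False, "reason": "unmasked PAN in postback"}
    order = pending_orders.get(params["order_id"])
    if order is None or order["status"] != "pending":
        # Also blocks replay of a captured, validly signed postback.
        return {"ok": False, "reason": "unknown or already-processed order"}
    if params["code"] != SUCCESS_CODE:
        order["status"] = "declined"
        return {"ok": False, "reason": "declined: %s %s" % (params["code"], params["msg"])}
    order["status"] = "paid"
    order["card_hint"] = "%s ****%s" % (params["type"], params["mPAN"][-4:])  # safe to store
    return {"ok": True, "order_id": params["order_id"], "transID": params["transID"]}


if __name__ == "__main__":
    secret = b"shared-secret-from-provider-portal"  # constructed
    pending = {"6": {"status": "pending"}}
    print(handle_postback(build_postback(EXAMPLE_POSTBACK, secret), secret, pending))
    print(handle_postback(build_postback(EXAMPLE_POSTBACK), secret, pending))  # unsigned: rejected
```

In the ASP.NET integration the paper describes, the same checks belong in the code-behind of return.aspx; whatever the provider's real authentication mechanism is (a signature field or a server-to-server query of the transaction by transID), it must run before the order is fulfilled, and the masked PAN plus card type is the only card data the merchant should ever persist.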
As referenced earlier, the majority of PCI compliance requirements are addressed because the merchant's e-commerce
shopping cart is no longer collecting, transmitting or storing cardholder data. This "punch through" of security to the
shopping cart, powered by a Hosted Payment Page, greatly reduces compliance scope without sacrificing branding or
customer experience. The merchant does retain a residual obligation: the pages that hand the shopper off to the payment
page must themselves be kept trustworthy, since a tampered redirect can send shoppers to an attacker's form instead.
Leveraging a PCI certified Commerce Hosted Payment Page gives many e-commerce merchants confidence that the handling
of cardholder data is secure and that the majority of what was once their PCI compliance obligation is now handled by a
known, certified service, at a far lower cost than "go it alone" compliance or, worse yet, the fines and costs of a data
breach.
Visit CommerceLab to learn how setting up a Commerce Hosted Payment Page in a day can put you on the path to PCI
compliance.