If card data is stolen from your environment, you’re still likely to suffer reputational damage. We suggest you do your research into PCI DSS; assess the likely benefits v costs; and make a balanced business decision.
This really depends on your budget and also internal capabilities. We will always recommend some level of support but we try to be honest in our appraisal. As these entities do not need a full audit there’s more flexibility in the level of assistance.
The key test here is remembering if you can impact the security of card data. Examples include: 1) Your web server handles the redirect to the payment gateway. If it gets compromised, an attacker could create a mirror site to a gateway looking payment page. 2) You manage an entity’s firewall. If you mismanage this configuration an attacker may enter the network. 3) You develop a payment page that is pushed to the customer’s browser and data transmitted to the gateway. In this scenario, you have numerous PCI obligations as the security of the payment page and underlying infrastructure is your responsibility.
No. Any serious payment gateway is always PCI compliant. The method of integration with the payment gateway is the defining factor in determining scope. Even if all payment data is entered directly into the gateway’s payment page you will still have a handful of PCI obligations.
No. Merchants have multiple SAQ templates to choose from. Service providers must complete SAQ-D. It should be understood there is a difference between scope and template. Just because you have to fill in the SAQ-D template does not automatically mean all those requirements are in scope. There may be a significant number of ‘N/A’ answers completed.
You should be completing Attestations of Compliance for both. Being a service provider means there are a few additional requirements to consider which are deemed out of scope for merchants.
In our experience, this rarely works. The scope may be wrong or critical BAU tasks not being performed. If you have been on the journey for a while, we often suggest a readiness assessment rather than the full gap assessment. Less time and commitment and we believe a balanced solution rather than jumping into an assessment likely to end in failure.
We would stress a key point here: stakeholder management. Any third party asking you to be PCI compliant also recognises it doesn’t happen overnight. Often committing to the process, planning the journey, and presenting the plan itself can be enough in the short term, provided there’s a realistic commitment and timeframe for the end goal. Don’t panic when a request comes in. Do your research, make a plan and most importantly stay in communication.