Vindicia Knowledge Center

Addressing PCI DSS Compliance with Vindicia’s Hosted Order Automation

Your PCI Compliance Scope is reduced with Vindicia – not eliminated

The Payment Card Industry Data Security Standard (PCI DSS) requirements affect every business that handles, stores, or transacts with credit cards.

Vindicia CashBox (and Select) securely stores and processes card data on our merchants’ behalf. However, merchants retain the ultimate responsibility for meeting the PCI DSS standards. Using Vindicia’s services properly addresses these requirements, but merchants must still complete at least an annual Self-Assessment Questionnaire (SAQ) in order to be PCI compliant themselves. Card associations may suspend your ability to accept credit card payments if they determine that you are not compliant.

Understand the Self-Assessment Questionnaire (SAQ)

There are different types of SAQs. Your Qualified Security Assessor (QSA) can help you choose the right one for your business.

Generally, merchants using Vindicia will use one of two SAQ forms – SAQ A or SAQ A-EP. When properly implemented, one of Vindicia’s Hosted Order Automation (HOA) solutions allows our merchants to reduce their scope from SAQ D to one of these two much shorter forms (compare SAQ D’s 326 questions to SAQ A-EP’s 139 questions or SAQ A’s 14 questions).

SAQ A (expected for merchants implementing the newer HOA-with-Hosted-Fields aka HOA 2):

  • Merchant website is entirely hosted and managed by a PCI-compliant, third-party payment processor…

Or

  • Merchant website provides an iframe or URL that redirects a consumer to a PCI-compliant, third-party payment processor, where no elements of the page originate from the merchant website.

SAQ A-EP (expected for merchants implementing the original HOA, aka HOA 1):

  • Merchant website creates a payment form and “direct posts” payment data to PCI-compliant, third-party payment processor…

Or

  • Merchant website provides an iframe or URL that redirects a consumer to a PCI-compliant, third-party payment processor, BUT some elements of the payment page originate from the merchant website. (Elements could be JavaScript, CSS, or any functionality that supports how the payment page is created.)


How It Works

Hosted Order Automation (HOA 1)

Using a “silent, direct post” allows the merchant to stay in control of the design and hosting of the payment page. The page silently posts to Vindicia directly from the customer’s browser, which manages the card information and returns a merchant-specified identifier, the Vindicia Record ID, or both; either can subsequently be used as a token to execute charges. The merchant only ever receives the “token” and never holds the protected card data.

Hosted Order Automation with Hosted Fields (HOA 2)

The Hosted Fields approach ensures that none of the relevant payment information fields is hosted on the merchant web page. All payment fields are hosted within Vindicia’s secure domain and presented to the user/page in a field-level iframe. These payment fields, most importantly, include:

  • Card number (or PAN)
  • CVV

Hosted Fields renders an iframe to handle input for each field where your customer enters card details. This provides you with the ability to customize the look and feel of your web page while ensuring that you are compliant with PCI requirements.
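Both flows above rest on the same invariant: the merchant’s own page and server only ever handle a token, never the PAN or CVV. The following is an added example, not Vindicia’s code and not an illustration of the CashBox API; it shows two defensive guards a merchant can put around these integrations. The first scrubs whatever lands on the merchant server after an HOA 1 silent post, dropping anything PAN-shaped (Luhn-valid, 13 to 19 digits) or CVV-named so it can never be stored or logged. The second accepts a postMessage from an HOA 2 hosted-fields iframe only if it comes from the expected origin and carries a token rather than card data. The origin `https://hosted-fields.example`, the message shape `{ token }`, and the sample payloads are all constructed placeholders.

```javascript
// Added example (not Vindicia's code). Merchant-side guards for the HOA 1
// (silent direct post) and HOA 2 (hosted fields) flows described above.
// HOSTED_FIELDS_ORIGIN is a placeholder, not a real Vindicia endpoint.
const HOSTED_FIELDS_ORIGIN = "https://hosted-fields.example";

// Standard Luhn (mod-10) check, used only to recognise card-number-shaped strings.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// True if a value looks like a PAN once spaces and dashes are removed.
function looksLikePan(value) {
  if (typeof value !== "string") return false;
  const digits = value.replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Field names that would carry a card verification value.
const CVV_FIELD = /^(cvv|cvc|cvv2|cid|security_?code)$/i;

// HOA 1: the merchant server should only ever see identifiers and tokens.
// Returns what may be kept plus the names of any fields that were dropped,
// so a dropped field can be alerted on as a misconfigured payment form.
function scrubMerchantPayload(payload) {
  const kept = {};
  const dropped = [];
  for (const [key, value] of Object.entries(payload)) {
    if (CVV_FIELD.test(key) || looksLikePan(value)) {
      dropped.push(key);
      continue;
    }
    kept[key] = value;
  }
  return { kept, dropped };
}

// HOA 2: the merchant page listens for a token from the hosted-fields iframe.
// Reject any message not from the trusted origin, any malformed message, and
// any message that smuggles card data instead of a token. The event shape
// mirrors a browser MessageEvent ({ origin, data }); the `{ token }` payload
// is an assumed, hypothetical shape.
function acceptHostedFieldsMessage(event, trustedOrigin = HOSTED_FIELDS_ORIGIN) {
  if (event.origin !== trustedOrigin) {
    return { ok: false, reason: "untrusted-origin" };
  }
  const data = event.data;
  if (!data || typeof data !== "object" || typeof data.token !== "string") {
    return { ok: false, reason: "malformed" };
  }
  if (looksLikePan(data.token) || Object.keys(data).some((k) => CVV_FIELD.test(k))) {
    return { ok: false, reason: "card-data-in-message" };
  }
  return { ok: true, token: data.token };
}

// Constructed sample inputs (test card number 4111 1111 1111 1111 is Luhn-valid).
const samplePost = {
  vid: "cust-42",
  token: "tok_abc123",
  card_number: "4111 1111 1111 1111",
  cvv: "123",
};
console.log(scrubMerchantPayload(samplePost));
console.log(acceptHostedFieldsMessage({ origin: HOSTED_FIELDS_ORIGIN, data: { token: "tok_abc123" } }));
console.log(acceptHostedFieldsMessage({ origin: "https://other.example", data: { token: "tok_abc123" } }));
```

In a real page the second function would sit behind `window.addEventListener("message", ...)`; the point of checking `event.origin` is that any frame on the page can post a message, so the merchant must not treat an unverified message as coming from the hosted fields. A non-empty `dropped` list from the first function is a signal worth alerting on: it means card data reached the merchant server and the SAQ A-EP assumptions no longer hold.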

Handling “Out-of-scope” card data

Vindicia’s CashBox API and portal return data that is not governed by the PCI DSS standards. This information should be handled according to each merchant's own policies.

Verifying Vindicia’s PCI Compliance

If you need an Attestation of Compliance (AOC), and/or you are asked to complete a Self-Assessment Questionnaire, ask Vindicia Support or your Customer Success Manager.

