Secure Card Handling
Addressing PCI DSS Compliance with Vindicia’s Hosted Order Automation
Your PCI Compliance Scope is reduced with Vindicia – not eliminated
The Payment Card Industry Data Security Standard (PCI DSS) requirements affect every business that handles, stores, or transacts with credit cards.
Vindicia Subscribe (and Select) securely stores and processes card data on our merchants’ behalf. However, merchants retain ultimate responsibility for meeting the PCI DSS standards. Using Vindicia’s services properly addresses these requirements, but merchants still need to (at least) complete an annual Self-Assessment Questionnaire (SAQ) in order to be PCI compliant themselves. Card associations may suspend your ability to accept credit card payments if they determine that you are not compliant.
Understand the Self-Assessment Questionnaire (SAQ)
There are different types of SAQs. Your Qualified Security Assessor (QSA) can help you choose the right one for your business.
Generally, merchants using Vindicia will use one of two SAQ forms – SAQ A or SAQ A-EP. When properly implemented, using one of Vindicia’s Hosted Order Automation (HOA) solutions allows our merchants to reduce their scope from SAQ D to one of these two much shorter forms (compare SAQ D’s 326 questions to SAQ A-EP’s 139 questions or SAQ A’s 14 questions).
SAQ A (expected for merchants implementing the newer HOA-with-Hosted-Fields aka HOA 2):
- Merchant website is entirely hosted and managed by a PCI-compliant, third-party payment processor…
- Merchant website provides an iframe or URL that redirects a consumer to a PCI-compliant, third-party payment processor, where no elements of the page originate from the merchant website.
SAQ A-EP (expected for merchants implementing the original HOA, aka HOA 1):
- Merchant website creates a payment form and “direct posts” payment data to PCI-compliant, third-party payment processor…
How It Works
Hosted Order Automation (HOA 1)
Using a “silent, direct post” keeps the merchant in control of the design and hosting of the payment page. The page posts card information directly from the customer’s browser to Vindicia, which stores it and returns a merchant-specified identifier, the Vindicia Record ID, or both; that identifier can subsequently be used as a token to execute charges. The merchant only ever receives the “token” and never has the protected card data.
Hosted Order Automation with Hosted Fields (HOA 2)
The Hosted Fields approach ensures that none of the relevant payment information fields is hosted on the merchant web page. All payment fields are hosted within Vindicia’s secure domain and presented to the user/page in a field-level iframe. These payment fields, most importantly, include:
- Card number (or PAN)
Hosted Fields renders an iframe to handle input for each field where your customer enters card details. This provides you with the ability to customize the look and feel of your web page while ensuring that you are compliant with PCI requirements.
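As an added illustration (not Vindicia’s code), the following Python scan maps a checkout page’s markup onto the SAQ A / SAQ A-EP / SAQ D split described above for HOA 2 and HOA 1: card-entry inputs posting to the merchant’s own host push the page toward SAQ D, a merchant-built form whose action is the processor’s host matches the HOA 1 direct post (SAQ A-EP), and card entry confined to processor-served iframes matches HOA 2 Hosted Fields (SAQ A). The processor host name, the field-name heuristics and the sample pages are constructed assumptions, not documented Vindicia endpoints.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names that would carry cardholder data if a merchant-served <input> used them.
CARD_HINTS = ("cardnumber", "ccnumber", "cvv", "cvc", "cvn", "expmonth", "expyear", "expiry")
# Assumed placeholder for the processor's hosted-page domain; take the real one from your HOA config.
PROCESSOR_HOSTS = {"hosted.processor.example"}
# Constructed sample pages: an HOA 1 style direct post and an HOA 2 style hosted-fields iframe.
SAMPLE_DIRECT_POST = ('<form action="https://hosted.processor.example/post">'
                      '<input name="card_number"><input name="cvv"></form>')
SAMPLE_HOSTED_FIELDS = '<iframe src="https://hosted.processor.example/fields/pan"></iframe>'

def is_card_field(name):
    norm = re.sub(r"[^a-z0-9]", "", (name or "").lower())
    return norm == "pan" or any(h in norm for h in CARD_HINTS)

class CheckoutParser(HTMLParser):
    # Collects each <form> with its card-bearing inputs, plus every <iframe> origin host.
    def __init__(self):
        super().__init__()
        self.forms, self.iframe_hosts, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "card_inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            field = a.get("name") or a.get("id")
            if is_card_field(field):
                self._form["card_inputs"].append(field)
        elif tag == "iframe":
            self.iframe_hosts.append(urlparse(a.get("src") or "").hostname or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def classify(html, merchant_host):
    # Map the page's card-entry design onto the SAQ it points to (HOA 1 vs HOA 2 split).
    p = CheckoutParser()
    p.feed(html)
    card_forms = [f for f in p.forms if f["card_inputs"]]
    for f in card_forms:
        # A relative or merchant-hosted action means card data lands on merchant systems.
        if (urlparse(f["action"]).hostname or merchant_host) not in PROCESSOR_HOSTS:
            return "SAQ D"
    if card_forms:
        return "SAQ A-EP"  # merchant-built form, direct post to the processor (HOA 1)
    if any(h in PROCESSOR_HOSTS for h in p.iframe_hosts):
        return "SAQ A"  # card fields exist only inside processor-served iframes (HOA 2)
    return "no card entry found"
```

The scan is a design-time sanity check for the page you submit to your QSA, not a substitute for the SAQ itself; a script on the merchant page that reads the iframe contents would not be caught here.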
Handling “Out-of-scope” card data
The Vindicia Subscribe API and portal return data that is not governed by the PCI DSS standards. This information should be handled according to each merchant's own policies.
Verifying Vindicia’s PCI Compliance
If you need an Attestation of Compliance (AOC), and/or you are asked to complete a Self-Assessment Questionnaire, ask Vindicia Support or your Customer Success Manager.
PCI Security Standards Council: Understanding the SAQs for PCI DSS version 3 (PDF)
PCI Security Standards Council: Why is there a different approach for Direct Post implementations than for iFrame and URL redirect?
PCI Security Standards Council: Why is SAQ A-EP used for Direct Post while SAQ A is used for iFrame or URL redirect?