Is outsourcing a viable option for reducing PCI scope?

Gary Glover, CISSP, QSA
By: Gary Glover
Creating an easily navigated, customer friendly ecommerce solution is challenging. Building an ecommerce website that conforms to Payment Card Industry Data Security Standard (PCI DSS) requirements is even more difficult. That’s why many ecommerce merchants choose to outsource some or all of their website content.
The million dollar question is, should your business outsource the payment portions of your ecommerce website and leave site security to those with expertise?
Depending on how you outsource, you may be able to decrease your PCI scope and business risk. PCI scope is how PCI DSS applies to your business. Specifically, any system, application, or process that has access to credit card information is in-scope.

SEE ALSO: The Ultimate Cheat Sheet on Making Online PCI Compliance Work for You

With the introduction of PCI DSS version 3.0, a new SAQ was announced (A-EP) that changed which PCI requirements need to be validated for some types of ecommerce merchants. So how do you figure out which method of ecommerce outsourcing reduces the most scope?

Of course, outsourcing payment pages does not eliminate PCI DSS responsibility. After all, third parties are not weakness-free. That’s why I can’t overemphasize the importance of choosing a PCI DSS compliant service provider who takes security seriously. Consider choosing a Visa-approved PCI compliant ecommerce website host with validated dedication to payments security. If a provider is attempting to pitch you on a cheaper, simpler ecommerce solution that downplays security or claims to be secure, don’t fall prey.

What are your outsourcing options?

  • Outsource entire website: If you outsource the entire ecommerce website to a third party, no ecommerce payment data should flow through your company systems. If you choose to outsource your entire website, (this means no web servers at your company!) your SAQ is A. Do note there is a price tag involved with an entire site’s creation, and you will have less flexibility in regards to design changes.
  • Outsource payment page only: Outsourcing just pages that involve the collection and/or viewing of credit card information is very popular among small to medium merchants. There are about five different ways an ecommerce payment page could be outsourced. The method used will determine your PCI Self-Assessment Questionnaire (SAQ). The key is to understand where the payment data fields actually reside, and to whom that information is transferred throughout the payment process.
The following is a technical breakdown of the five most common ways outsourced payment pages are created.

Redirection Link

In this very common process, customers are passed from the merchant website to a separate, third party site to process the card transaction by clicking on a link or button that fully redirects to a third party site. Traditionally, small merchants use redirection links to minimize scope and reduce liability.

The risk of compromise is reduced to an attacker accessing your web site and changing the link destination to one of his choosing. Since this is a fairly overt attack that requires a more complex backend built by the attacker, the impact related to a redirection breach is very low. This is part of the reason the PCI Security Standards Council (SSC) classifies redirection processing as SAQ A.


An IFRAME (inline frame) element on a merchant web page can be used to view a third party hosted payment page through a seamless window in the source page.

This solution is very similar to a redirection link since there is no HTML code hosted on the merchant website that is taking any payment data. The biggest advantage of IFRAMEs is they allow the merchant site to maintain branding while outsourcing all card data collection and processing to a third party.

Like redirection, payment pages viewed through IFRAMEs are infrequently involved in card compromises. As such, the PCI SSC classifies merchants utilizing IFRAME as SAQ A.

Direct Client Post

The direct client post (i.e. client side redirect) payment fields originate from the merchant website, but are processed by the user’s browser. This allows the merchant more control over the look and feel of the payment process, and results in no credit card data coming back to the merchant website.

Credit card data is posted directly from the user’s browser to the third party payment service provider (PSP). However, the merchant is still in charge of protecting the location of the payment form code.

Because there is a higher risk of an attacker modifying one of these direct client post pages, PCI DSS 3.0 classifies this processing method as a higher risk and requires merchant to validate using SAQ A-EP.


The JavaScript method is a bit unique in that the customer computer executes code, which comes from the PSP, to create the payment form or operate on payment data in some other way (such as encryption).

Similar to direct post, JavaScript is a moderate-risk ecommerce processing method, and merchants processing in this manner are required to validate to SAQ A-EP.

Traditional Ecommerce

There’s always the option to find or write your own shopping cart, but taking the full burden of PCI DSS on your shoulders is quite demanding. With traditional ecommerce architecture, the merchant controls nearly the entire payment process, which may even include storing credit card data.

It may seem attractive up front because of lower costs and increased control over the payment process, but after considering the effort to develop and maintain full PCI compliance for all ecommerce systems, it’s likely not worth it.

Hackers are always looking for the biggest bang for their buck. In ecommerce processing, traditional ecommerce can be the Holy Grail. Because this approach can lead to a larger breach footprint, it is considered a moderate-risk processing method and requires a full SAQ D validation.

SEE ALSO: 7 Hearty Tips to Avoid Costly Data Breaches

Next steps

Hopefully now, the reasoning behind certain SAQ ecommerce qualifications is a little clearer. Hopefully you’ve also realized that the outsourcing method you use dictates both your risk and the security you must implement in order to stay secure. PCI DSS 3.0 makes it very clear that merchants hold the responsibility to protect ecommerce transactions that originate from their website.

Whichever way is best for your business, third party outsourcing means you have a few tasks to achieve PCI DSS compliance.
  • Do research to make sure your third party is following PCI DSS, and have a contract to back that up
  • Complete your required SAQ based on your ecommerce methodology and submit a report to your merchant processor

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.