There are two major techniques in e-Commerce these days for processing payments: redirects and reposts. Redirects are when the e-Commerce site sends their customer to the payment processor’s site for the processing of the payment. Reposts are where the e-Commerce site posts the payment data to the payment processor by just changing the URL used to post the data to the processor’s site.
I have had a number of clients and prospects recently prompt me on my take regarding this topic as they are attempting to shrink their PCI compliance footprint as small as possible. A lot of them like the idea of the repost because it requires only a simple change to their existing e-Commerce sites. But all of them are concerned about whether or not one technique reduces their PCI compliance footprint more than the other. So, here is my take on the subject.
Redirects cause a new window or a new page to be generated to the on-line customer. This windows/page is where the e-Commerce site’s customer will enter their credit card information to pay for their e-Commerce order. This window/page is code written by the payment processor and usually carries a URL that is not the same as the e-Commerce site. Typically, while the e-Commerce merchant’s logo may appear on the window/page, the processor’s logo will also appear. As a result, it is usually very clear to the customer that this is not the e-Commerce site any more.
Regardless of the identifiers that this new window/page does not belong to the e-Commerce site, the key fact in the redirect method is that the window/page is driven by code developed by the processor, not the e-Commerce organization. As a result, it is the processor’s responsibility to ensure this windows/page is PCI compliant and protects cardholder information. The e-Commerce site is not in-scope for PCI compliance since it does not process, store or transmit cardholder data.
In the repost scenario, the e-Commerce site is collecting the cardholder information and is then posting that information to the processor. From a customer perspective, the e-Commerce site is the processor of their credit card. And while the e-Commerce site is typically not storing the cardholder data, the e-Commerce site is processing and transmitting cardholder data. So, the e-Commerce site is in-scope for PCI compliance because the code of the e-Commerce site is collecting and transmitting cardholder data. As a result, the e-Commerce site could be manipulated by an attacker to send the cardholder data to the processor and any other location on the Internet.
Under the repost scenario, the control of cardholder data is under the purview of the e-Commerce organization and the processor has no input as to the how the cardholder data is controlled until it receives it from the e-Commerce site. Therefore, the e-Commerce organization is responsible for the safety and security of the cardholder data and that puts the e-Commerce site in-scope for PCI compliance.
So for all of you trying to minimize your PCI compliance footprint, there is my take on redirects versus reposts. If you really want to minimize your compliance footprint, use the redirect approach.