I get a lot of inquiries asking about these sorts of situations and thought I should clear this up before too many organizations get hurt. The scenario goes something like this.
“I outsource my eCommerce site to a third party. The third party’s Web site does a redirect to [pick your processor]. I asked the third party for their Attestation Of Compliance (AOC) and they are telling me they do not need to be PCI compliant because they are out of scope. This is because their servers do not process, store or transmit cardholder data (CHD).”
From the PCI DSS Glossary v3.1, the PCI SSC defines a ‘Service Provider’ as:
“Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).”
So here we go again – organizations splitting legal hairs, this time on the meaning of “directly involved.” The discussion from the service providers seems to revolve around the fact that issuing a redirect to the actual payment processor puts them out of scope because they are not “directly involved.”
I hate to rain on your parade, but it is my job.
First, as an outsourcer, you are a service provider to your customers. You can split legal hairs all you want on the first part of the definition, but your organization definitely meets the second part of the definition that this “also includes companies that provide services that control or could impact the security of cardholder data.”
Oh, that is right, you do not believe that your service could “control or impact the security of cardholder data.” Really? Your Web site that issues the redirect does not “control” the security of cardholder data or your site that issues the redirect could not impact the security of cardholder data if that redirect is changed. Who is liable for those problems? Your merchant customers? Think again and think about how that will play out in the media.
Second. To add insult to injury, a lot of you service providers point to SAQ A to support your argument. Seriously? SAQ A at least requires your organization to comply with certain requirements in sections 9 and 12 which means your organization is in scope for PCI compliance. Talk about twisted logic. But you are a service provider, so you cannot use SAQ A because only SAQ D or a Report On Compliance (ROC) can be used by service providers.
But if the first two points do not convince you, let us talk about how the card brands and payment processors dole out responsibility and liability if a problem occurs. Do you really believe that you have no skin in this game? As the outsourcer, you have all the skin in the game. If any redirect is tampered with, it’s not your merchant customers that will be on the hook. Yes, they will likely be the first one’s taken to the woodshed, but when the truth comes out that it was all your organization’s fault, your customers and their processors will come after your organization. It was not the merchants that created the problem, it was your organization. Your organization will be the one held liable for the problem, not your merchant customers.
The bottom line here is that you are a service provider and you are in-scope for PCI compliance. Get over it. You go right ahead and try to get around PCI compliance with your warped logic. When it hits the fan, it will be your organization that will be held liable, not your customers.
For all you merchants that are using these sorts of service providers, you need to either:  badger them to give you an AOC,  assess them as part of your own PCI assessment, or  find a new service provider that can provide an AOC. The choice is yours.