
This is a great article. I would add a couple of data points for context:

- Visa won't come after you. Your merchant account provider is on the hook. They let you process cards so they need to ensure you're PCI compliant. That's how the flow works.

- PCI 3.0 kicked in in January. People reassess annually. So if you reassessed last year under 2.0 standards you're still good until your renewal comes due. That's why this is slowly creeping across the payments space in terms of realization.

- The card networks saw longer, sustained ongoing fraud happening in online commerce from .js or transparent redirects than they did from hosted payment pages. So the big change in PCI 2.0 to 3.0 was this idea of wanting to make it harder to completely build your own custom payment pages vs using a hosted payment page. HPPs are SAQ-A and customized payment pages are SAQ-A-EP.

- iFrames and checkouts are really trying to be the best of both worlds. That's why they're currently treated as SAQ-A. There was definitely a lot of thrashing around how they would be treated when the 3.0 specs were being drafted and published.

Again, I really enjoyed the article and appreciated Spreedly being included as a reference. I would agree with the major premise that in general merchants are unaware that the way they implemented their payments pages now means they're in greater scope and that the providers aren't doing a good job educating them. It's an open secret in the industry that many payment gateways add a (pure margin) fine of $20 to $50 per month onto your account if you don't have valid certification. In a low margin business that reduces motivation to push small and medium merchants to ensure they're PCI compliant.
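The scope difference the comment describes comes down to whether card numbers ever touch the merchant's own page or server: with a hosted page or provider iframe the merchant only ever sees an opaque token, while a custom .js checkout that posts card fields to the merchant's backend pulls that backend into scope. One practical way for a merchant to find out which situation they are in is to scan their own request logs for Luhn-valid card numbers. The following is an added example, not code from the thread or from Spreedly; the sample request bodies, the field names and the token format are constructed for illustration.

```javascript
// Added example (not from the HN thread): a Luhn-based PAN detector a merchant
// can run over its own request logs to check whether card numbers are reaching
// its server (SAQ-A-EP territory) or only provider tokens are (SAQ-A-style).
// All sample payloads below are constructed; the PAN is a standard test number.

// Luhn check over a string of ASCII digits.
function luhnValid(digits) {
  let sum = 0;
  let alternate = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let n = digits.charCodeAt(i) - 48;
    if (alternate) {
      n *= 2;
      if (n > 9) n -= 9;
    }
    sum += n;
    alternate = !alternate;
  }
  return sum % 10 === 0;
}

// Find 13-19 digit runs (spaces or dashes allowed between groups) and keep
// only those that pass Luhn. Results are masked (first 6, last 4) so the
// detector does not itself write full PANs into its own output.
function findPans(text) {
  const re = /(?:\d[ -]?){13,19}/g;
  const hits = [];
  for (const m of text.match(re) || []) {
    const digits = m.replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      hits.push(
        digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4)
      );
    }
  }
  return hits;
}

// Constructed request body from an iframe/hosted checkout: the merchant
// backend receives only a provider token (hypothetical "tok_" format).
const tokenizedCheckout = JSON.stringify({
  order: "A1001",
  payment_token: "tok_9f3c2b7e1a",
  amount: 4999,
});

// Constructed request body from a custom .js checkout that posts the raw
// card fields to the merchant's own server.
const customJsCheckout = JSON.stringify({
  order: "A1002",
  card_number: "4111 1111 1111 1111", // well-known test PAN, passes Luhn
  exp: "12/29",
  amount: 4999,
});

// Classify one logged request body: in scope if any Luhn-valid PAN is present.
function classifyRequest(body) {
  const pans = findPans(body);
  return { inScope: pans.length > 0, masked: pans };
}

// Stand-alone run: report both constructed payloads.
for (const body of [tokenizedCheckout, customJsCheckout]) {
  const result = classifyRequest(body);
  console.log(result.inScope ? "PAN present:" : "token only:", result.masked);
}
```

The Luhn filter matters because order numbers, timestamps and amounts also produce long digit runs; without it a log scan is mostly false positives. Masking in the detector is deliberate: a scope-check tool that prints full card numbers into a log file would itself expand the cardholder data environment.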


