PCI DSS SAQ A


The Payment Card Industry Data Security Standard Self-Assessment Questionnaire A is a security standard and set of best practices for the credit card industry. Under this standard, a merchant's website is not allowed to handle sensitive credit card-specific data by itself.

QENTA is a PCI DSS-certified third-party payment processor. The merchant or integrator can decide whether to integrate QMORE Checkout Seamless without the "PCI DSS SAQ A Compliance" feature, which requires PCI DSS v3.2.1 certification and compliance with SAQ A-EP, or with the "PCI DSS SAQ A Compliance" feature, which was developed especially for QMORE Checkout Seamless, ensures compliance with PCI DSS v3.2.1 and is based on the less stringent SAQ A.

Implementation

When using QMORE Checkout Seamless, sensitive payment data are entered by the consumers in HTML forms in the online shop and directly transferred to QENTA via JavaScript to be stored in the QENTA Data Storage. Although sensitive data are never transferred to the online shop, compliance with the new PCI DSS v3.2.1 and corresponding SAQ A-EP is required.

With "PCI DSS SAQ A Compliance", credit card-relevant data are no longer transferred to QENTA via JavaScript but are entered directly in a web form delivered by QENTA. For this purpose, an iframe containing the relevant credit card input fields is displayed, and the content of this iframe is delivered directly by QENTA.

Parameters

Request parameters are optional parameters used to display or hide credit card-related input fields.

Iframe

For Credit Card

<div id="creditcardDataIframe"></div>

<script type="text/javascript">
  var wd = new QentaCEE_DataStorage();
  wd.buildIframeCreditCard('creditcardDataIframe', '100%', '250px');
</script>

For Credit Card-Mail Order and Telephone Order

<div id="creditcardMotoDataIframe"></div>

<script type="text/javascript">
  var wd = new QentaCEE_DataStorage();
  wd.buildIframeCreditCardMoto('creditcardMotoDataIframe', '100%', '250px');
</script>

For Maestro SecureCode

<div id="MaestroDataIframe"></div>

<script type="text/javascript">
  var wd = new QentaCEE_DataStorage();
  wd.buildIframeMaestro('MaestroDataIframe', '100%', '250px');
</script>

Each buildIframe function takes three parameters, in this order:

  1. ID of the HTML element

  2. Iframe width

  3. Iframe height

Verification

To immediately verify the correctness of the entered credit card data and to proceed to the next step of the payment process, call the function for the respective payment method:

Credit Card

dataStorage.storeCreditCardInformation(null, callbackFunction);

Credit Card-Mail Order and Telephone Order

dataStorage.storeCreditCardMotoInformation(null, callbackFunction);

Maestro SecureCode

dataStorage.storeMaestroInformation(null, callbackFunction);

callbackFunction is a JavaScript function for handling the result of the storage operation. It is optional, because credit card-specific data are already stored during input, each time the consumer moves from one field to the next. The result is only returned if the consumer's browser supports postMessage; otherwise, the returned value is null.

The minimum browser versions that support postMessage are Internet Explorer v8.0, Mozilla Firefox v3.0, Google Chrome v1.0, Safari v4.0, and Opera v9.5; older Android versions, e.g. v2.3, might not support postMessage.

Customization via CSS

QENTA allows the iframe input fields to be customized as needed by using the parameter iframeCssUrl.

To ensure that all elements within Checkout Seamless are hosted on QENTA systems, and thereby to provide for SAQ A compliance, the CSS file is not loaded by the browser from the merchant's server but is fetched by the QENTA server from the URL given in the request parameter iframeCssUrl. After successful validation, the CSS file is loaded during each Data Storage init, parsed, and delivered as inline CSS within the iframe.

Our system uses a URL-based caching mechanism for this iframeCssUrl. To disable this mechanism, append the current timestamp as GET parameter, e.g. https://www.servername.com/iframe.css?2347.

For security reasons, neither url() functions nor @import directives (e.g. for external fonts) are allowed in the CSS file; if they are used, they are ignored. Never send any font changes within the CSS file, because the security checks may then last several minutes and lead to payment cancellation.
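The following pre-flight check, added here as an example and not part of QENTA's integration code, lets a merchant lint a stylesheet for the constructs listed above (url(), @import, font changes) before publishing it at iframeCssUrl, and builds the timestamp-suffixed URL that bypasses the URL-based cache. The regular expressions and the sample stylesheet are our own constructions.

```javascript
// Added example (not QENTA's code): lint a stylesheet intended for
// iframeCssUrl against the restrictions described on this page.

// Remove comments while preserving line numbers, so a commented-out
// url() is not reported.
function stripCssComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, ""));
}

// Returns findings. "error": constructs QENTA ignores (url(), @import).
// "warning": font changes, which should never be sent because the
// security checks may then take several minutes.
function validateIframeCss(css) {
  const findings = [];
  stripCssComments(css).split("\n").forEach((line, idx) => {
    const n = idx + 1;
    if (/\burl\s*\(/i.test(line)) findings.push({ level: "error", line: n, rule: "url()" });
    if (/@import\b/i.test(line)) findings.push({ level: "error", line: n, rule: "@import" });
    if (/@font-face\b/i.test(line) || /\bfont(-[a-z]+)?\s*:/i.test(line)) {
      findings.push({ level: "warning", line: n, rule: "font change" });
    }
  });
  return findings;
}

// True when nothing in the stylesheet would be silently ignored by QENTA.
function isSafeIframeCss(css) {
  return validateIframeCss(css).every((f) => f.level !== "error");
}

// Cache-busting as described above: append the current timestamp (seconds)
// as a GET parameter so QENTA's URL-based cache fetches a fresh copy.
function cacheBustedUrl(url, nowMs = Date.now()) {
  const sep = url.includes("?") ? "&" : "?";
  return `${url}${sep}${Math.floor(nowMs / 1000)}`;
}

// Constructed sample stylesheet: one commented-out url(), one @import
// with url(), one font-family change, one background url().
const SAMPLE_CSS = `
/* background: url(commented-out.png); */
.creditcard input { border: 1px solid #999; padding: 4px; }
@import url("https://example.invalid/extra.css");
.label { font-family: "Acme Sans"; }
.secure { background: url(https://example.invalid/lock.png); }
`;

if (typeof module !== "undefined" && require.main === module) {
  console.log(validateIframeCss(SAMPLE_CSS));
  console.log(cacheBustedUrl("https://www.servername.com/iframe.css", 2347000));
}
```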