SaaS Compliance and Levels
December 7th, 2008 by admin. Posted in PCI DSS.

A reader recently wrote in and asked about Software as a Service (SaaS) companies and their need for PCI DSS compliance. Let’s begin by discussing a few terms and then a few reminders about ‘levels’.

A SaaS firm is, by definition, a service provider. The question is what kind of service provider it is. If the software the firm provides is not involved in aggregating transactions (e.g. connectivity or remote access software), then it is a generic service provider. If the SaaS firm does aggregate transactions (e.g. a payment processor or shared e-commerce provider), then it is a specific type of service provider called a ‘gateway’.
The most basic definition of a gateway is anyone who sits between the merchant/customer and the acquirer/processor for the purposes of authorization/settlement of transactions. The typical example would be a shared e-commerce provider or an independent sales organization (ISO) that aggregates transactions. All service providers that “store, process, or transmit” cardholder data need to comply with the PCI DSS requirements. One way to avoid this was documented in another post.

Up until now this definition has been critical, but in February 2009 that changes. Visa Inc. (all regions except Europe) has defined new level definitions for service providers and removed the use of the term ‘gateway’ from them. This change does not take effect until Feb. 1, 2009, so companies wishing to validate now should do so under the current rules.