Many of us have had questions regarding hosted Virtual Terminals and E-commerce Buy Buttons that are PCI DSS certified and housed behind a certified service provider’s firewalls. The following explanations have been provided to us by Aperia based on PCI requirements:

  • Hosted Virtual Terminal (CashPractice.com): Hosted virtual terminals used for swiped or key-entered transactions may require a scan to verify that appropriate security and firewall settings are in place so that card data is not compromised, for the following reasons:
    • Key-Entered Transactions – Without appropriate security settings and firewalls at the member's location, “keystroke logging” devices can be used to track entries into the merchant's system outside the hosted payment application. In other words, the computers in your business can record keystrokes. The analysis will let you know if that is occurring.
    • Swiped Transactions – Without appropriate security settings and firewalls at the member's location, card data transmitted from the card swipe device can be intercepted.
  • E-commerce Buy Button (Shopping Cart): Hosted e-commerce buy buttons used for internet transactions will require a scan to ensure that merchant practices and system integrations protect cardholder data.
    • Ensure merchants are not utilizing their system as a virtual terminal.
    • Make certain the merchant's internal system integrations into the buy button are secure.
    • Guarantee the shopping cart is not capturing cardholder data or, if it is, that the data is transmitted to the buy button securely.

Why is scanning important?

The benefit of having a quarterly network scan is to ensure your payment environment is sealed off from individuals with malicious intent. In addition to safeguarding your customers' cardholder data, performing network scans may be a requirement for ongoing PCI DSS compliance, depending on the SAQ version you selected.

These scans are non-intrusive tests that involve probing external-facing systems and reporting on the services available through your Internet connection.

The bottom line is that there are security requirements for YOUR computers in addition to the computers that host our software. The scan ensures your computers are secure.