Cardholder data such as Primary Account Number (PAN), Cardholder Name, Expiration Date, CVV code, PIN, and authentication data is highly sensitive customer data that needs high protection.
Industry standard Payment Card Industry (PCI) Data Security Standard (DSS) defines compliancy rules for processing cardholder data in order to prevent credit card fraud. With this report, PAR Ordering describes its role in the context of the PCI DSS.
Fig. 1: Merchant of Record Model applied by PAR Ordering
Roles
When using the PAR Ordering system, the PAR Ordering client (typically a franchisee) takes the role of a merchant of record (MoR). The MoR is the legal entity selling goods or services to a cardholder and to whom the cardholder owes payment for such goods and services.
The MoR processes all payments and takes on all of the liability related to those transactions, including collecting sales tax, ensuring payment card industry (PCI) compliance, and honoring refunds and chargebacks.
The MoR uses the PAR Ordering system to execute these operations. The PAR Ordering system outsources the storage, processing and transmission of cardholder data to third party services (payment gateways and payment processors).
The payment service provider (PSP) handles the transaction process – the part where money leaves the customer’s bank account and arrives in the merchants bank account. With PSP, sensitive data is sent directly from the payer's browser to the Payment Provider, without actually running through 'merchants' servers. PSP assumes responsibility for the payments, relieving the merchants of transactional security risks.
Implementation
The PAR Ordering system does not store nor process or transmit any sensitive cardholder data. Depending on the specific payment integration, this is implemented with native SDKs on mobile devices and hosted pages in iFrames in the web application.
Users insert credit card information directly in forms provided by the PSP. The PSP returns a token to the PAR Ordering system that uniquely identifies the payment without exposing the cardholder data.
PCI Standards
Because the PAR Ordering system is not storing nor processing nor transmitting any sensitive cardholder data, it is PCI compliant according to PCI DSS version 3 conforms to SAQ A. See the self-assessment questionnaire (SAQ) of 8.2.2021 for reference.
For the same reasons, PCI Payment Application Data Security Standard (PA-DSS) is not applicable to PAR Ordering. PA-DSS applies to payment application vendors.
PAR Ordering fully outsources all cardholder data functions to a payment provider. This payment provider needs to adhere to PA-DSS.
Comments
0 comments
Please sign in to leave a comment.