PCI DSS Compliance for CloudBlue Commerce Systems That Do Not Store Payment Card Data
This chapter is for service providers who choose the increasingly popular approach of leaving the handling of payment card data to payment processing systems. The information in this chapter will help such service providers prove that their CloudBlue Commerce system does not have access to any payment card information. This results in a much faster and simpler PCI DSS certification process, outlined by the following self-assessment questionnaires (SAQs):
- PCI DSS SAQ A – for service providers who fully outsource cardholder processing functions to third-party payment processing systems and do not store cardholder information in CloudBlue Commerce.
- PCI DSS SAQ A-EP – for service providers who partially outsource cardholder processing functions to third-party payment processing systems and do not store cardholder information in CloudBlue Commerce.
Important: If your CloudBlue Commerce installation satisfies the PCI DSS Tokenization Guidelines, your PCI DSS certification process may be simplified further.
Applicable Types of CloudBlue Commerce Integration with Payment Processing Systems
1. Redirects and tokens:
- CloudBlue Commerce redirects customers to a payment processing system's website to make a payment
- CloudBlue Commerce uses tokens for automatic charges
In this case, when a customer clicks "pay" on the CloudBlue Commerce checkout page, the browser redirects them to a payment system's website, where the customer enters their payment details. For new payment methods, after verifying the payment method, the payment system returns a payment token to CloudBlue Commerce for subsequent automatic payments. In this process, CloudBlue Commerce does not have access to and does not handle customer payment method data, which simplifies the PCI DSS certification.
Supported control panels: UX1.
The process is illustrated by the interaction diagrams below. It is clear from the diagrams that for this integration type CloudBlue Commerce does not have access to customer payment card data. As a result, applicants for PCI DSS certification can answer SAQ questions related to having access to payment card data in a simpler way.
2. Modal window and tokens:
- A payment processing system's modal window opens for customers to make a payment
- CloudBlue Commerce uses tokens for automatic charges
In this case, when a customer clicks "pay" on the CloudBlue Commerce checkout page, a payment system pop-up window opens in the browser for the customer to enter their payment details. For new payment methods, after verifying the payment method, the payment system returns a payment token to CloudBlue Commerce for subsequent automatic payments. In this process, CloudBlue Commerce does not have access to and does not handle customer payment method data, which simplifies the PCI DSS certification.
Supported control panels: UX1.
The process is illustrated in the interaction diagram below. The diagram shows that CloudBlue Commerce does not have access to customer payment card data for this integration type. As a result, applicants for PCI DSS certification can answer SAQ questions related to having access to payment card data in a simpler way.
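Both integration types above end the same way on the CloudBlue Commerce side: the customer enters card details on the payment system's page (integration type 1) or in its modal window (integration type 2), and CloudBlue Commerce receives only a token, which it later reuses for automatic charges. The following Python model is an added example, not CloudBlue Commerce's code or any payment system's API; the class names, the `tokenize` and `charge` calls, the hosted-page URL and the test card number are all constructed for illustration. It shows the merchant side storing nothing but the token and last four digits, and it includes the kind of check an SAQ applicant would want: a Luhn-validated scan of the merchant's stored records and logs that confirms no primary account number (PAN) ever reached them.

```python
"""Token-based payment flow model (hypothetical, not CloudBlue Commerce code)."""
import re
import secrets
import string
from dataclasses import dataclass, field


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: used to tell real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class PaymentProcessor:
    """Stands in for the third-party payment system (hosted page or modal).
    It is the only party in this model that ever sees the PAN."""

    def __init__(self):
        self._vault = {}        # token -> card data; exists only on the processor side
        self.charges = []

    def tokenize(self, pan: str, expiry: str, cvv: str) -> dict:
        # Step 2: the customer typed the card data into the processor's page/modal.
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        # Opaque reference made of letters only, so it can never look like a PAN.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self._vault[token] = {"pan": pan, "expiry": expiry}   # CVV is never stored
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_cents: int) -> dict:
        if token not in self._vault:
            raise KeyError("unknown token")
        self.charges.append((token, amount_cents))
        return {"status": "approved", "amount": amount_cents}


@dataclass
class Merchant:
    """Merchant side, playing the role CloudBlue Commerce has in the flow."""
    processor: PaymentProcessor
    payment_methods: dict = field(default_factory=dict)   # customer_id -> token record
    log: list = field(default_factory=list)

    def checkout_redirect_url(self, customer_id: str, return_url: str) -> str:
        # Step 1: customer clicks "pay"; the merchant only builds the redirect/modal target.
        self.log.append(f"redirect customer={customer_id} to processor")
        return f"https://payments.example/hosted?customer={customer_id}&return={return_url}"

    def on_token_callback(self, customer_id: str, callback: dict) -> None:
        # Step 3: the processor returns a token; merchant keeps token + last4 only.
        self.payment_methods[customer_id] = {"token": callback["token"], "last4": callback["last4"]}
        self.log.append(f"stored token for customer={customer_id} last4={callback['last4']}")

    def auto_charge(self, customer_id: str, amount_cents: int) -> dict:
        # Step 4: renewals reuse the token; the merchant never handles the PAN.
        token = self.payment_methods[customer_id]["token"]
        result = self.processor.charge(token, amount_cents)
        self.log.append(f"charged customer={customer_id} amount={amount_cents} status={result['status']}")
        return result


PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit runs in text: the leaked-PAN check an applicant runs
    over the merchant's database dumps and logs."""
    return [m for m in PAN_PATTERN.findall(text) if luhn_ok(m)]


def run_flow() -> dict:
    """Run one checkout plus one automatic renewal and scan the merchant side for PANs."""
    processor = PaymentProcessor()
    merchant = Merchant(processor)
    test_pan = "4111111111111111"          # constructed test card number
    merchant.checkout_redirect_url("cust-1", "https://shop.example/return")
    callback = processor.tokenize(test_pan, "12/30", "123")   # happens on the processor's page
    merchant.on_token_callback("cust-1", callback)
    merchant.auto_charge("cust-1", 1999)
    merchant_data = "\n".join(merchant.log) + "\n" + repr(merchant.payment_methods)
    return {
        "leaked_pans": find_pans(merchant_data),
        "charges": len(processor.charges),
        "last4": merchant.payment_methods["cust-1"]["last4"],
    }


if __name__ == "__main__":
    print(run_flow())
```

`find_pans` is the piece worth keeping: run it over the application's database exports, log files and backups, and an empty result is the evidence that supports the SAQ answers about not having access to cardholder data. A plain digit-run regex without the Luhn filter would flag timestamps and order numbers, so the checksum matters for a usable report.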