I'm in charge of ensuring PCI compliance for 14 sites. Rather than having each of them process credit cards individually we have one site -- payments.mycompany.com for example. A credit card entry form is hosted on that site. Most of the others do not actually touch credit cards but rather embed that hosted form in a page on their site.
I'm considering scanning just the specific pages that have the embedded form on those other sites instead of the entire sites. As long as the code isn't monkeyed with those sites do not ever receive cc info. Protecting against the site being monkeyed with could be handled with verifying hashes to monitor for change.
Thoughts? I reached out to our ASV but that's a wee bit less than helpful.
This is a similar approach to using a hosted payment page provided by your Payment Service Provider presented in an iframe. In using that approach we get the PSP to provide the AoC as required by req 12.8 of DSS. We run monthly scans of our website anyway, which satisfy the ASV req.
----------------------------------------------------------- Steve Wilme CISSP-ISSAP, ISSMP MCIIS
@Michael_Maguire@Steve-Wilme I would think that would be sufficient, presumably you would run the obligatory Ethical Hack or Penetration test once per annum as per normal and the include the sites with the embedded links as part of the Quarterly Vulnerability Management scans. But this really depends on the QSA assigned unless you are under the threshold and only have to submit a annual verification.
The additional areas are to reduce the likelihood of data leakage by any means possible; Gateway verification that the policies/rules match up; and the encryption methods used comply with the compliance requirements.
As long as you have adequate controls in place on the other sites so that your form can't be replaced by something else that should be sufficient for PCI-DSS. However you may find the everything under scope for PCI-SSF so be prepared.