Our current setup.
We fully outsource our card processing service to a PCI compliant vendor. The way customers enter their card information is from a web page iframe delivered directly to their browser from the 3rd party vendor.
Our understanding is that this gives us the green light to use Checklist A because we do not control the page and card data never touches our company network.
My question:
We also have a billing application (on our network) that also has an embedded browser to which a credit card entry page is loaded from the 3rd party (iframe). We use this in case a customer calls us to update their card info.
Our accounting department types the updated card number into the web page (delivered from the 3rd party) and posts the update.
Does this process now exclude us from using checklist A?
Many thanks for responses. Regards, Bryan
When your agents key in a customer's details they are classified as using a Virtual Terminal:
A virtual payment terminal is web-browser-based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser.
SAQ A is likely not applicable; there is a specialised SAQ that covers this: SAQ C-VT, which is for:
Merchants with Web-Based Virtual Payment Terminals—No Electronic Cardholder Data Storage
This is something you should ask your service provider or a QSA to clarify/help with.