1. PCI Security Standards Council, "Self-Assessment Questionnaire A and Attestation of Compliance" for PCI DSS v4.0, Page 3, Section "Eligibility Criteria". The document states that to be eligible for SAQ A, "Your e-commerce website has a payment acceptance page that is an iframe or URL redirect to a PCI DSS compliant third-party payment processor/gateway." This directly confirms that using an iframe is the method for achieving the lowest-scope SAQ.
2. Adobe Commerce User Guide, "PCI Compliance". The guide explains: "Some payment method integrations, such as PayPal Express Checkout, redirect customers from your store to the payment processor’s site to enter payment information... Other integrations display a form for the credit card information within your store’s checkout, but the data is sent directly to the payment processor. For these types of integrations, the PCI compliance burden is greatly reduced." This describes the principle behind using iframes or hosted fields to reduce compliance scope.
3. PCI Security Standards Council, "Understanding the SAQs for PCI DSS v4.0", Page 5, "SAQ A". This document clarifies that SAQ A is for merchants that have "fully outsourced all cardholder data functions to a PCI DSS compliant third-party." Using a provider's iframe is a primary example of such outsourcing for e-commerce.
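The three sources above distinguish a payment page that is an iframe or redirect to the processor (the SAQ A eligibility criterion) from one where card fields live on the merchant's own checkout page. As an added example, not taken from any PCI SSC or Adobe document, the script below performs a static scan of a checkout page's HTML and classifies which of those integration patterns it uses, so a merchant can check its own pages against the quoted criterion. The processor host allow-list, the sample checkout pages, the field-name patterns and the regex-based scanning are all constructed assumptions for this demonstration; a real review would use a proper HTML parser and the processor's actual embed domain.

```javascript
// Added example (not from the cited PCI SSC or Adobe documents).
// Classifies a checkout page by how it handles card data:
//   "iframe"           - payment frame served from the processor (SAQ A criterion)
//   "redirect"         - form posts the order to the processor, no card fields here
//   "direct-post"      - card fields on the merchant page, posted straight to the processor
//   "merchant-handled" - card fields posted to the merchant's own server
// Only the first two satisfy the "iframe or URL redirect" wording quoted above.

// Constructed allow-list: the hosts the merchant's contract names as the processor.
const PROCESSOR_HOSTS = ["pay.example-processor.test"];

// Constructed heuristics for card-data inputs: autocomplete tokens or common field names.
const CARD_FIELD_RE =
  /<input[^>]*(?:autocomplete="cc-(?:number|csc|exp[^"]*)"|name="(?:card_?number|cardNumber|cvv|cvc)")/i;
const IFRAME_SRC_RE = /<iframe[^>]*\ssrc="([^"]+)"/i;
const FORM_ACTION_RE = /<form[^>]*\saction="([^"]+)"/i;

// Absolute URL -> host; relative URLs (same-origin) yield null.
function hostOf(url) {
  try {
    return new URL(url).host;
  } catch (e) {
    return null;
  }
}

function isProcessorHost(host) {
  return host !== null && PROCESSOR_HOSTS.includes(host);
}

function classifyCheckout(html) {
  const hasCardFields = CARD_FIELD_RE.test(html);
  const iframe = html.match(IFRAME_SRC_RE);
  const form = html.match(FORM_ACTION_RE);
  const formHost = form ? hostOf(form[1]) : null;

  if (hasCardFields) {
    // Card data is entered on the merchant page, so the page is not an iframe/redirect.
    const postsToProcessor = isProcessorHost(formHost);
    return {
      integration: postsToProcessor ? "direct-post" : "merchant-handled",
      saqAEligible: false,
      reason: postsToProcessor
        ? "card fields on merchant page; posted directly to processor"
        : "card fields on merchant page; posted to merchant server",
    };
  }
  if (iframe) {
    const ok = isProcessorHost(hostOf(iframe[1]));
    return {
      integration: "iframe",
      saqAEligible: ok,
      reason: ok ? "payment frame served by processor" : "iframe host not an allow-listed processor",
    };
  }
  if (isProcessorHost(formHost)) {
    return { integration: "redirect", saqAEligible: true, reason: "checkout redirects to processor" };
  }
  return { integration: "unknown", saqAEligible: false, reason: "no processor iframe or redirect found" };
}

// Constructed sample pages, one per pattern.
const IFRAME_PAGE = `<form action="/order/confirm" method="post">
  <iframe src="https://pay.example-processor.test/embed?session=demo"
          sandbox="allow-forms allow-scripts allow-same-origin"></iframe>
  <button>Pay</button></form>`;
const REDIRECT_PAGE = `<form action="https://pay.example-processor.test/hosted" method="post">
  <input type="hidden" name="order_id" value="1001"><button>Continue to payment</button></form>`;
const DIRECT_POST_PAGE = `<form action="https://pay.example-processor.test/direct" method="post">
  <input name="cardNumber" autocomplete="cc-number"><input name="cvc" autocomplete="cc-csc"></form>`;
const IN_SCOPE_PAGE = `<form action="/checkout/charge" method="post">
  <input name="card_number"><input name="cvv"></form>`;

for (const [name, page] of Object.entries({ IFRAME_PAGE, REDIRECT_PAGE, DIRECT_POST_PAGE, IN_SCOPE_PAGE })) {
  console.log(name, classifyCheckout(page));
}
```

The scan deliberately treats any card input on the merchant origin as disqualifying for the quoted criterion, even when the form posts straight to the processor, because that is the distinction the Adobe guide draws between redirect-style and in-store-form integrations.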