[Silhouette]

I understand that the payment services are PCI compliant. But on a literal reading of the actual PCI DSS 3 documentation, specifically who is covered by the new A-EP case, that doesn't appear to help unless the entire "shopping" part of the site is also hosted by a merchant or third party service that is PCI compliant.

Otherwise, the merchant still appears to come into scope, because at some point they must redirect their customer to the externally hosted payment pages or load the externally hosted checkout system from the merchant's site, one way or another.

So basically, it looks like anyone who has any sort of shopping site they run themselves (as opposed to hosting entirely on a third party marketplace site) but who uses Stripe, PayPal, a hosted card payment page offered by their bank, or literally any other third party card payment system, will fall into scope and be required to operate and audit the entire relevant part of their web site according to the PCI DSS 3 rules. But that is obviously far beyond the reasonable capabilities of most merchants who might find themselves in that position, either technically or commercially.

Edit: In short, when you wrote:

Sites remotely hosting js are definitely an attack vector that PCI hasn't yet decided to put in scope.

I haven't yet found anything that says why such a site doesn't fall into scope now just like everyone else. Indeed, the new rules seem to be clearly aimed at such sites as I read them.

[grandalf]

You are correct, however if you read over the requirements, they are not all that crazy. If you have an e-commerce website that has all ports open stores credit cards in clear text, etc., then you will fail, but it's actually pretty easy for a shop with its own servers and network team (in-house or outsourced) to come up with a network diagram that satisfies the PCI DSS 3.0 SAQ requirements.

The issue is that Heroku, because of its lack of transparency about what is actually going on in its routing mesh, is not necessarily secure, and it's not possible to just download a list of relevant firewall rules, etc. (the way you could if you set up a site on Amazon VPC).

SAQ A has always required the merchant using his/her own servers to provide some documentation and do some security scanning, the new thing with SAQ A-EP is that it no longer allows for the loophole of using a PAAS and claiming that simply b/c it is not managed by the e-commerce shop that it is out of scope.

[Silhouette]

it's actually pretty easy for a shop with its own servers and network team (in-house or outsourced) to come up with a network diagram that satisfies the PCI DSS 3.0 SAQ requirements.

I think you are dramatically underestimating how many very small businesses, private individuals, bootstrapped start-ups, etc. would be caught by this.

For one perspective, consider that in the current EU VAT mess, some estimates have suggested that over 250,000 microbusinesses are selling on-line in the UK alone right now (or at least were until the end of last year). Many of them are side businesses, either earning a little bit of extra money for selling anything from music to knitting patterns, or second businesses run by folks who already have full-time jobs. Of course some of them are entirely built on marketplace sites, but plenty aren't, they just know enough web design to set up a basic site and slap something like a PayPal or Stripe Checkout button on the page.

To a first approximation, none of those businesses is going to comply with the new rules, despite operating their own site and taking money on-line via credit card. They wouldn't even know what the long words meant. Even the outliers who do, either because they're in an IT field or maybe if they're a bit larger and have slightly more resources, probably don't have the time and money available to comply.

These are ma and pa shops, family businesses, side businesses run in people's spare time, start-ups trying to gain traction, and so on. They don't have their own networking team. They don't even have a dedicated IT guy. And they surely can't afford to double the number of servers they use just to avoid the redirect issue, to pay specialist consultants to figure out all the details of their almost certainly outsourced IT infrastructure, whether or not the infrastructure provider makes available the necessary data in some form, and to spend hours if not days figuring out how to self-certify under the new PCI-DSS rules.

Avoiding that kind of nonsense is, after all, why these organisations use services like PayPal or Stripe or the hosted pages from their bank in the first place.

[grandalf]

it's actually pretty easy for a shop with its own servers and network team (in-house or outsourced) to come up with a network diagram that satisfies the PCI DSS 3.0 SAQ requirements.

> I think you are dramatically underestimating how many very small businesses, private individuals, bootstrapped start-ups, etc. would be caught by this.

This is not new, it has been part of SAQ A for quite some time.