
PCI Scope when using Arc XP for credit card transactions

Overview

You can use the Arc XP platform to process card payments in two ways. The Arc-supported scenarios are:

  1. Use of the Arc XP Sales features to process customer payments using an iframe to a third-party payment processor

  2. Custom code (for example, in your Fusion Bundle) using an iframe or redirect to a third-party payment processor

Each of these supported scenarios uses an iframe or redirect to a third-party payment processor. At no point does Arc XP process or store PAN data; that functionality is always performed by the third-party payment processor. Arc XP is therefore a Security Impacting System within your PCI compliance scope.

If you choose to use Arc XP Sales features, elements of transaction data are retained in the system, including transaction ID, first six, last four, expiration date, and associated customer order information.

If you choose to process credit card data through an iframe or redirect from your custom code to a third-party payment processor without using Arc XP Sales features, then Arc XP will not retain any transaction data.

We do not support payment processing on the Arc XP platform outside of these scenarios. Arc XP is designed with the assumption that full PAN data will never be processed, stored, or transmitted by the platform. If you choose to process credit card data in your code hosted on Arc XP without the use of an iframe or redirect, then you are at risk of failing your next PCI audit. Similarly, if you store credit card data in your implementation, including in the use of custom fields or logging, then you are at risk of failing your next PCI audit.
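The logging risk above is the one that most often catches implementers out: even when the card form lives in the processor's iframe, a stray debug statement or a custom field that serialises a request object can write a PAN into your logs. The following is an added example, not Arc XP's code and not part of the Fusion framework: a small guard you could wrap around whatever logger your bundle uses, so that any Luhn-valid 13 to 19 digit run is reduced to the first six and last four digits that Arc XP Sales itself retains. The sink function and the `safeLogger` wrapper are assumptions for illustration; the `4111 1111 1111 1111` value in the sample is a widely published test card number, used here as constructed input.

```javascript
// Added example (not Arc XP / Fusion code): redact PAN-like values before they
// reach a log sink or a custom field, keeping only first six + last four.

// Luhn check over a string of digits; cuts false positives on order ids,
// timestamps and other long numbers that happen to be 13-19 digits.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// First six and last four survive; everything in between is masked.
function maskPan(digits) {
  return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
}

// Replace every Luhn-valid candidate in free text; non-PAN numbers are left alone.
function redactPans(text) {
  return text.replace(PAN_CANDIDATE, (match) => {
    const digits = match.replace(/[ -]/g, '');
    if (digits.length < 13 || digits.length > 19 || !luhnValid(digits)) return match;
    return maskPan(digits);
  });
}

// Assumed wrapper: every argument (strings and objects alike) is serialised and
// redacted before the underlying sink sees it. Returns the cleaned args so the
// behaviour can be checked without capturing output.
function safeLogger(sink) {
  return {
    info(...args) {
      const cleaned = args.map((a) =>
        redactPans(typeof a === 'string' ? a : JSON.stringify(a))
      );
      sink(...cleaned);
      return cleaned;
    },
  };
}

// Constructed usage: a request object that accidentally carries a test PAN.
const lines = [];
const log = safeLogger((...parts) => lines.push(parts.join(' ')));
log.info('payment attempt', { orderId: 'ord-123456', card: '4111111111111111' });
console.log(lines[0]); // the card value appears as 411111******1111
```

Treat this as defense in depth, not as a substitute for the iframe or redirect: in the supported scenarios the PAN should never be present in your code path at all, and the guard exists only to keep an accidental leak out of persistent storage.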

Shared Responsibility Model

As an Arc XP customer, you build and configure digital experiences on the platform. We are in partnership with you, and we share responsibility for the security of your site, your end users, and sensitive data.

The easiest way to conceptualize how this works is this: You are responsible for the security of your site, while we are responsible for the security of the platform.

In the context of PCI, Arc XP is a PCI DSS service provider offering platform services to customers that can impact the security of their cardholder data. As such, both Arc XP and its customers share in the responsibility for PCI DSS compliance.

There are two distinct offerings where responsibilities are shared:

  1. Arc XP Checkout Solution Integrated with Arc XP supported Payment Providers

    • Arc XP: Acts as a service provider for the platform and integration with the supported payment providers through iframe. This scenario invokes the PCI DSS SAQ-D service provider related controls as well as the SAQ-A-EP controls since Arc XP delivers some elements of the payment page for those supported payment providers.

    • Customer: With all Cardholder Data functions fully outsourced to a PCI DSS compliant service provider (Arc XP), the customer qualifies for an SAQ-A in this scenario.

  2. Arc XP Checkout Solution leveraging the IFX platform with Customer supported Payment Providers

    • Arc XP: Acts as a service provider for the platform and integration with the customers through the IFX platform. Arc XP also has control over customer code migration into the environment and access to the code itself. This scenario invokes the PCI DSS SAQ-D service provider related controls as well as the SAQ-A-EP controls since Arc XP can impact the security of those payment pages for these customers.

    • Customer: Because not all Cardholder Data functions are fully outsourced to a PCI DSS compliant service provider (Arc XP), the customer's responsibility increases to cover the elements of the payment pages that they deliver for the payment providers they elect to integrate with. In this scenario the customer qualifies for an SAQ-A-EP assessment.