Using Payment Gateway and PCI Compliance

I am considering using eWay as a payment gateway. They offer two options. One is to let users enter credit card information on a page hosted by eWay; the other is to use my own form and send the credit card data through my server to eWay. The second option (their details page) seems more suitable for me, since the user never leaves my site and the branding is preserved. I spoke to support, and they said my site will be PCI compliant if I use SSL. So basically, I can let users enter CC numbers on my site and send them to eWay via XML. I do not store sensitive data; I only transmit it. Until now, I thought that as long as CC data reaches my server, my site has to be PCI compliant, but now I'm not sure. If someone could explain to me how this really works, it would be highly appreciated.

+6
pci-dss payment-gateway
4 answers

If your system processes card data, then it is in PCI scope and must comply with the PCI requirements.

Q: Who does PCI apply to?
A: PCI applies to all organizations or merchants, regardless of size or number of transactions, that accept, transmit, or store cardholder data. Put another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

http://www.pcicomplianceguide.org/pcifaqs.php

I would challenge eWay on that, because your gateway provider is Tier 1 and it is beholden on them to actually provide your PCI compliance, so it is a little dodgy to say you can just use SSL.

+7

You seem to have received many conflicting answers. I work for a payment company that has been audited as a Level 1 service provider, and I deal with merchants and their PCI requirements every day, so I think I can help you figure it out.

The reality is that you need to be PCI compliant if you accept credit cards, even if you outsource all cardholder data functions. The catch is that the standard you need to meet is much less restrictive than the standard a payment gateway must comply with, but that does not mean "PCI does not apply." You do not need to deal with the really stringent network security requirements, but there are parts of PCI DSS that you must comply with, and you need to complete a self-assessment questionnaire every year.

For more information on which parts of the DSS you need to deal with, go to https://www.pcisecuritystandards.org/saq/instructions_dss.shtml and click the link for SAQ Validation Type 1 (Questionnaire A). This will tell you which parts of PCI DSS you need to implement as a merchant with all cardholder data functions outsourced.

Hope this helps you figure it out!

+7

In short, if you accept payments (even if you completely outsource them), you need to be PCI compliant. The biggest factor in determining how many security controls you need to implement is the type of payment gateway integration you use.

I helped author a white paper for the Drupal community, but the concepts apply across the board. I highly recommend reading it. And if you have feedback, file a bug in the issue queue on GitHub.

+2

We recently implemented credit card transactions for an e-commerce site using a different payment gateway provider. This is what we learned about PCI DSS compliance.

  • If your business requirement is to store customer information together with their credit card information, your server and the network around it must meet the PCI requirements.
  • However, if storing customer information together with credit card information is not a critical requirement, then your best bet is to use the payment gateway provider. They should provide the means to customize the form so that you can brand it to reflect your company.

For detailed PCI DSS requirements, see the PCI Data Security Standards.

+1
