I'm considering using eWay as a payment gateway. They offer two options. One is to allow users to type in credit card data on an eWay-hosted website, the other is to use my own form and send credit card data via my server to eWay's backend. The second option (their page with details) seems more appropriate for me as the user would never leave my site and branding would be maintained. Now, I spoke to support and they said that my site will be PCI compliant as long as I use SSL. So basically I can allow users to provide CC numbers on my site and send them to eWay's backend via XML. As long as I don't store sensitive data, but only transfer it, it is OK. Until now I thought as long as CC data hits my server my site needs to be PCI compliant, but now I'm not sure. If someone could explain to me how it really is, that would be much appreciated.

+6  A: 

If your system handles card data then it's in scope of PCI and must be PCI compliant.

Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply

http://www.pcicomplianceguide.org/pcifaqs.php

Edit: eWay, as your gateway provider, are Tier 1, and it's beholden on them to actually ensure you're PCI compliant, so it's a bit dodgy of them to palm you off with the SSL spiel.

Alex K.
+1  A: 

We recently implemented credit card transactions for an ecommerce site using another payment gateway provider. This is what we learnt about PCI DSS compliance.

  1. If your business requirement is storage of customer information with their credit card information, then your server and the network around it should be PCI compliant.
  2. However, if storing customer information with credit card data is not a critical requirement, then you use the SSL form of the payment gateway provider. They should provide means to customize the form so that you can brand it to reflect your company.

Detailed PCI DSS requirements are found at this link: PCI Data Security Standards

inlokesh
Now that's what gets me confused... Till now I was fairly confident that even if I don't store CC information, but only transfer it, I still have to make my site PCI compliant. That's quite the opposite of what you're saying though, so what is the truth? :)
spirytus
If credit card data never physically hits your server (including RAM due to a form post) then PCI-DSS does not apply. PCI data standards cover your network security, operating system patches and so on, because they want to ensure sensitive card data is secured from any misuse, during network transmission (covered by using SSL) or storage (covered by encryption). In your case you need to make sure the card data is securely transmitted to the payment gateway after the transaction (SSL); use your payment gateway's default SSL form.
inlokesh
+3  A: 

It seems like you have received a lot of conflicting answers. I work in a payments company and have undergone a Level 1 Service Provider audit, and I deal with merchants and their PCI requirements daily, so I think I can help clear this up for you.

The reality is that you do have to be PCI compliant if you accept credit cards, even if you outsource ALL of the cardholder data functions. The trick is that the standard you have to meet is far less restrictive than the standard the payment gateway has to meet--but this does not mean "PCI does not apply". You don't have to deal with the really tough network security requirements, but there are aspects of the PCI DSS that you have to comply with, and you are required to do a self assessment audit annually.

For details on what part of the DSS you must deal with, go to https://www.pcisecuritystandards.org/saq/instructions_dss.shtml and click on the link for SAQ Validation Type 1 (Questionnaire A). This will tell you exactly what parts of the PCI DSS you must implement as a merchant with all cardholder functions outsourced.

Hope this helps clear things up for you!

MikeH
Thanks Mike :) Isn't it true that I need to go through SAQ Validation Type 1 (Quest. A) only if I retain paper reports or receipts with cardholder data? If I don't have that, nor transmit/store any of this data, I don't need to bother with PCI compliance in any form, right?
spirytus
You would still have to do a self-assessment using Questionnaire A, but the first part of it will mostly be marked as N/A for you. The parts under "Information Security Policy" still apply. Even if you never have to show the self-assessment to anyone, I would still recommend doing it and making sure that the IS security policy requirements are met--that way you never have to worry if your processor has a security breach because you satisfied your PCI-DSS requirements and can avoid any fines that might be assessed by Visa. IMHO, it's just a "better safe than sorry" kind of thing.
MikeH