I'm considering using eWay as payment gateway. They offer two options. One is to to allow users to type in credit card data on eWay hosted website, the other to use my own form and send credit card data via my server to eWays backend. The second option (their page with details) seem more appropriate for me as user would never leave my site and branding would be maintained. Now, I spoke to support and they said that my site will be PCI compliant as long as I use SSL. So basically I can allow users to provide CC numbers on my site and send it to eWays backend via XML. As long as I don't store sensitive data, but transfer only it is ok. Until now I thought as long as CC data hits my server my site needs to be PCI compliant but now I'm not sure. If someone could explain to me how it really is that would be much appreciated.
If your system handles card data then its in scope of PCI and must be PCI compliant.
Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply
http://www.pcicomplianceguide.org/pcifaqs.php
Edit; "eWays" as your gateway provider are Tier 1, and its belholden to them to actually ensure your PCI compliant, so its a bit dodgy of them to palm you of with the SSL spiel.
We recently implemented credit card transactions for an ecommerce site using another payment gateway provider. This is what we learnt about PCI DSS compliance.
- If your business requirement is storage of customer information with their Credit card information then your server and network around it should be PCI compliant
- However if storing customer information with Credit card data is not a critical requirement, then your use the ssl form the payment gateway provider. They should provide means to customize the form so that you can brand it to reflect your company.
Detailed PCI DSS requirements are found at this link PCI Data Security Standards
It seems like you have received a lot of conflicting answers. I work in a payments company and have undergone a Level 1 Service Provider audit, and I deal with merchants and their PCI requirements daily, so I think I can help clear this up for you.
The reality is that you do have to be PCI compliant if you accept credit cards, even if you outsource ALL of the cardholder data functions. The trick is that the standard you have to meet is far less restrictive than the standard the payment gateway has to meet--but this does not mean "PCI does not apply". You don't have to deal with the really tough network security requirements, but there are aspects of the PCI DSS that you have to comply with, and you are required to do a self assessment audit annually. `
For details on what part of the DSS you must deal with, goto https://www.pcisecuritystandards.org/saq/instructions_dss.shtml and click on the link for SAQ Validation Type 1 (Questionnaire A). This will tell you exactly what parts of the PCI DSS you must implement as a merchant with all cardholder functions outsourced.
Hope this helps clear things up for you!