Assuming I decide to use a payment gateway and not to use their hosted page, but rather provide my own credit card details form, and then send data to their backend via XML as explained on this page. Then:

  1. Do I need to worry about PCI compliance? If so, what steps (PCI website) should be sorted out by me, my hosting company or the payment gateway people?
  2. I was told that as long as my form is on SSL my site would be automatically compliant. Is that right?

Thanks for any help

A: 

1) If you're handling credit card information at any time you need to be PCI compliant. You need to sort out coding issues, your host needs to deal with any hardware and software issues with the server, and the payment gateway company has a lot of issues to handle (which is a list too long to list here but you don't need to worry about anyway).

2) No. SSL will help you be PCI compliant, but there is more to PCI compliance than how the data is transmitted from the user to the server. What you do with that data and how you do it also come into play. For example, if you are storing credit card information you'll need to be using encryption and not storing values barred from storage by PCI (i.e. CVV numbers). Putting this information in a session counts as storage.

John Conde
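The point in the answer above (forward card data to the gateway, but never let the CVV or the full card number reach your own storage, sessions included) is easier to see in code. The following is an added example, not code from the question or either answer; the gateway XML element names, the `send` callable and the `gateway_ref` token are assumed placeholders, and the sample card number is a constructed test value.

```python
"""Added example: a checkout path that sends full card details to the gateway
once and keeps only PCI-storable fields (masked PAN, expiry, gateway reference)
for the merchant's own records, sessions, and logs."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable

# Field names that must never be written to disk, session, or logs after
# authorization (sensitive authentication data under PCI DSS).
FORBIDDEN_AT_REST = {"cvv", "cvc", "track_data", "pin"}

# A run of 13-19 digits inside a stored string is treated as an unmasked PAN.
_UNMASKED_PAN = re.compile(r"\d{13,19}")


@dataclass
class CardInput:
    pan: str      # as typed by the customer, may contain spaces/dashes
    expiry: str   # MM/YY
    cvv: str
    holder: str


def build_gateway_xml(card: CardInput, amount_cents: int) -> bytes:
    """Build the one-shot authorization request (hypothetical XML schema).

    This is the only place the full PAN and CVV appear. It goes over TLS to
    the gateway and is discarded afterwards; it is never stored or logged."""
    root = ET.Element("authorize")
    ET.SubElement(root, "pan").text = re.sub(r"\D", "", card.pan)
    ET.SubElement(root, "expiry").text = card.expiry
    ET.SubElement(root, "cvv").text = card.cvv
    ET.SubElement(root, "amount").text = str(amount_cents)
    return ET.tostring(root)


def mask_pan(pan: str) -> str:
    """Keep at most first 6 and last 4 digits, the PCI-permitted display form."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def storable_record(card: CardInput, gateway_ref: str) -> dict:
    """The subset you may keep: masked PAN, expiry, holder, gateway token.
    The CVV is deliberately absent."""
    return {
        "pan_masked": mask_pan(card.pan),
        "expiry": card.expiry,
        "holder": card.holder,
        "gateway_ref": gateway_ref,
    }


def assert_storable(record: dict) -> dict:
    """Guard to call before any write to DB, session, or log.

    Refuses records that carry forbidden fields or an unmasked card number
    hidden in any string value (e.g. a free-text 'note')."""
    forbidden = FORBIDDEN_AT_REST & set(record)
    if forbidden:
        raise ValueError(f"fields barred from storage: {sorted(forbidden)}")
    for key, value in record.items():
        if isinstance(value, str) and _UNMASKED_PAN.search(value):
            raise ValueError(f"unmasked card number in field {key!r}")
    return record


def stub_send(xml_request: bytes) -> str:
    """Placeholder for the real TLS call to the gateway; returns a fake token."""
    return "ref-stub"


def handle_checkout(card: CardInput, amount_cents: int,
                    send: Callable[[bytes], str] = stub_send) -> dict:
    """Full flow: transmit, then keep only what is allowed to persist."""
    gateway_ref = send(build_gateway_xml(card, amount_cents))
    # Whatever is returned here is what may go into the session or database.
    return assert_storable(storable_record(card, gateway_ref))


if __name__ == "__main__":
    # Constructed sample input; 4111... is a well-known test number, not a real card.
    sample = CardInput("4111 1111 1111 1111", "12/30", "123", "A Tester")
    print(handle_checkout(sample, 1999))
```

`assert_storable` is the piece worth wiring into the session and persistence layer: it makes the "session counts as storage" rule from the answer mechanical rather than a convention developers have to remember.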
A: 
inlokesh
So if I transfer data only (I don't store) via my application, is it still ok?
spirytus
I should correct myself, the second sentence in the **Answer to question 2** is incorrect. John is right in saying that session counts as storage. With your current business requirements it may be a good idea to use the payment gateway's hosted SSL page.
inlokesh