Steve Paul

Reputation: 109

The Effort to Keep Credit Card Information Away from My Shared Server while using ASP.Net Web Forms

Focusing on clients who cannot afford PCI-compliant servers, I intend to limit credit card information to a form entry that posts to the gateway via SSL. I do not store CC info on my client's shared server. My question is about the ASP.NET web form that uses server controls, and whether form information is in any way run through my client's shared and potentially unsecure server just by using form elements with runat=server. In this form I am using plain HTML input elements to collect the CC#, CVV# and expiration date, but the submit element uses runat=server, as I have logic in the code-behind that limits the visibility of the button if a condition is not met.

Upvotes: 1

Views: 209

Answers (2)

Alex K.

Reputation: 175936

If the form on the shared server accepts card details then that server & network must be PCI compliant; the fact that the details are not stored doesn't matter. Given that it's a shared server, achieving compliance will be virtually impossible.

The best way to keep card data away from the shared server is to have its page host an IFrame for a page that's hosted on a dedicated, compliant server.

Upvotes: 1

jmoreno

Reputation: 13571

If you never have any postbacks, that should work, but if you do have any controls that support postbacks, the cc info will possibly be included (depends upon viewstate).

It sounds like you're going to have access to the cc info, as otherwise it doesn't make sense to make the button visible or not...

Upvotes: 1
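An added example, not part of the question or either answer: a small Node.js check that reads a page's rendered HTML and reports which origin the browser would send each card-like field to, comparing a postback form with a separate form that posts straight to the gateway. The hostnames, field names, markup and the `auditForms` helper are all constructed assumptions.

```javascript
// Added example. Markup, hostnames and field names are constructed for illustration.
const PAGE_URL = "https://shop.example/Checkout.aspx";   // assumed page on the shared server
const GATEWAY_ORIGIN = "https://gateway.example";        // assumed payment gateway origin
const CARD_FIELD = /(^|[$_])(cc|card|cvv|cvc|exp)/i;     // heuristic match on field names

// Read one attribute value out of a single tag's text.
function attr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i").exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// For each form, list card-like fields and the origin that would receive them.
function auditForms(html, pageUrl) {
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let f;
  while ((f = formRe.exec(html)) !== null) {
    // A form with no action submits to the page's own URL (a postback).
    const dest = new URL(attr(f[1], "action") || pageUrl, pageUrl).origin;
    for (const tag of f[2].match(/<(?:input|select|textarea)\b[^>]*>/gi) || []) {
      const name = attr(tag, "name");
      // Browsers only serialize enabled controls that carry a name attribute.
      if (!name || /\sdisabled\b/i.test(tag)) continue;
      if (CARD_FIELD.test(name)) findings.push({ field: name, dest, exposed: dest !== GATEWAY_ORIGIN });
    }
  }
  return findings;
}

// Constructed: card inputs inside the page's single postback form.
const POSTBACK_PAGE = `
<form method="post" action="./Checkout.aspx" id="form1">
  <input type="hidden" name="__VIEWSTATE" value="(constructed)" />
  <input type="text" name="ccNumber" /> <input type="text" name="cvv" />
  <input type="text" name="expDate" />
  <input type="submit" name="btnPay" value="Pay" />
</form>`;

// Constructed: card inputs in a separate plain form whose action is the gateway.
const DIRECT_PAGE = `
<form method="post" action="./Checkout.aspx" id="form1">
  <input type="hidden" name="__VIEWSTATE" value="(constructed)" />
</form>
<form method="post" action="https://gateway.example/pay">
  <input type="text" name="ccNumber" /> <input type="text" name="cvv" />
  <input type="text" name="expDate" />
  <input type="submit" value="Pay" />
</form>`;

console.log(auditForms(POSTBACK_PAGE, PAGE_URL), auditForms(DIRECT_PAGE, PAGE_URL));
```

The check inspects static markup only; script that changes a form's action at submit time is not followed, and it says nothing about whether the server that delivers the page is in PCI scope.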
