Reputation: 122
I am capturing the credit card details from the users in a form and then sending this form data to payment gateways like PayPal or Braintree.
The credit card capturing form is hosted on SSL (HTTPS) and uses cURL to post credit card data to payment gateways. As we are not saving credit card data on our server, do we need to be PCI compliant if we are following this scenario?
Upvotes: 0
Views: 996
Reputation: 1
The answer is NO, you DO NOT have to be PCI compliant if you aren't storing credit card details and using a secure gateway. But, you DO need https which you already have.
Upvotes: 0
Reputation: 219834
If you're handling and transmitting credit card information then you have to be PCI compliant. Period.
Upvotes: 2
Reputation: 56
You shouldn't do that! The form that handles the credit card information should always point to the payment gateway as its target, so your server doesn't handle any sensitive data. A good payment gateway will send you back a shortened version of the credit card number combined with the verification status to store in your database and possibly show the user in emails or user admin areas. You could also use JavaScript to get a shortened credit card number (and the number only!) from the form and send this via Ajax to your server before sending the form to the gateway.
Upvotes: 4
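The pattern this answer describes, as an added example that is not part of the original thread: the card form's `action` points at the gateway, and before the browser submits it a small script derives a non-sensitive summary (card brand, last four digits, masked number) and sends only that to the merchant's own server. The gateway URL, the merchant endpoint and the `card_number` field name are placeholders; the brand detection is deliberately rough and the Luhn check only catches mistyped numbers.

```javascript
// Added example (not code from the original post). The merchant server never
// sees the full PAN: the form posts directly to the gateway, and only the
// summary built by cardSummary() is sent to the merchant over Ajax.

const GATEWAY_URL = "https://gateway.example/transparent-redirect"; // placeholder
const MERCHANT_SUMMARY_URL = "/order/card-summary";                   // placeholder

// Remove spaces and dashes so "4111 1111 1111 1111" and "4111-1111-..." compare equal.
function normalisePan(raw) {
  return String(raw).replace(/[\s-]/g, "");
}

// Luhn mod-10 check: rejects obviously mistyped numbers before submission.
// It is a syntax check only, not proof that the card exists or is funded.
function luhnValid(pan) {
  if (!/^\d{12,19}$/.test(pan)) return false;
  let sum = 0;
  let double = false;
  for (let i = pan.length - 1; i >= 0; i--) {
    let d = pan.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Rough brand detection from the leading digits (IIN ranges simplified).
function cardBrand(pan) {
  if (/^4/.test(pan)) return "visa";
  if (/^(5[1-5]|2[2-7])/.test(pan)) return "mastercard";
  if (/^3[47]/.test(pan)) return "amex";
  return "unknown";
}

// The only card-related data the merchant server is allowed to receive.
function cardSummary(rawPan) {
  const pan = normalisePan(rawPan);
  if (!luhnValid(pan)) throw new Error("card number failed validation");
  return {
    brand: cardBrand(pan),
    last4: pan.slice(-4),
    masked: "*".repeat(pan.length - 4) + pan.slice(-4),
  };
}

// Browser wiring: intercept submit, post the summary to the merchant, then
// let the form go to the gateway. Only call this where a DOM exists.
function wireCardForm(form) {
  form.action = GATEWAY_URL; // full card data goes to the gateway, not to us
  form.addEventListener("submit", (event) => {
    event.preventDefault();
    let summary;
    try {
      summary = cardSummary(form.elements["card_number"].value);
    } catch (e) {
      alert(e.message);
      return;
    }
    fetch(MERCHANT_SUMMARY_URL, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(summary),
      keepalive: true,
    }).finally(() => form.submit()); // native submit() does not re-fire this listener
  });
}
```

Because the summary contains no more than the last four digits, a compromise of the merchant server or its logs exposes nothing that can be charged; the gateway's own callback (the "shortened version" plus verification status the answer mentions) is the more reliable source for that same data, and hosted fields or tokenization, where the gateway offers them, remove even this script from the picture.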
Reputation: 7001
I agree with the two other answers that are posted ...
As you have access to the sensitive data, functioning as a man-in-the-middle, regardless of whether you decide to store the data or not ... you could ... and you need to be compliant.
If you pass them on to another form which isn't yours like Paypal / etc. and you never actually receive any client credit data ... that is the right way.
The Smart Approach to PCI DSS Compliance
By using our Transparent Redirect (TR) and Vault, merchants can achieve PCI Compliance in days. TR and the Vault will eliminate the handling, processing or storing of credit card data so you can qualify for the Self Assessment Questionnaire A, the shortest of the four SAQs.
Upvotes: 1
Reputation: 758
The short answer is yes. There are several levels of PCI compliance, all of which are determined by your annual sales volume.
Most merchants do less than 20K transactions annually and that affords some liberty to do a self-assessment to confirm that you are compliant with the regulations. This article, although Magento specific, is a really good summary of the landscape.
The key takeaway here is that you should have this as part of your core business workflow.
Upvotes: 0
Reputation: 1791
Probably, you are still handling the sensitive data. If someone hacks your server they could easily intercept your communication and get hold of this data, i.e. it still needs to be properly secured.
You will probably find the correct answer on the PCI website.
Upvotes: 0